Four companies slapped with SEC penalties for ‘misleading disclosures’ about SolarWinds hack

The SolarWinds cyber incident is still generating headlines, nearly four years later.

Here’s the latest development: The SEC this week announced civil penalties totaling nearly $7 million against “four current and former public companies” for “making materially misleading disclosures regarding cybersecurity risks and intrusions,” and one of them is also in trouble for “disclosure controls and procedures violations” stemming from the 2020 SolarWinds hack, according to a news release.

The companies being charged and the amount in penalties they’ve agreed to pay are Unisys, $4 million; Avaya, $1 million; Check Point, $995,000; and Mimecast, $990,000.

The charges result from an SEC investigation into public companies potentially affected by the SolarWinds hack, the release noted. The four companies knew that cybercriminals had access to their systems, but “negligently minimized” the incident in public disclosures.

Unisys—which faces the heftiest penalty—“described its risks from cybersecurity events as hypothetical” even though it was aware of two instances that involved “exfiltration of gigabytes of data.”

“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” Sanjay Wadhwa, acting director of the SEC’s division of enforcement, said in a statement.

Russian hackers used malware installed in Orion, a SolarWinds software platform, to infiltrate systems, including several federal agencies, according to IT Brew. The SEC filed fraud charges against the company in October 2023. However, a judge dismissed most of the SEC’s lawsuit against SolarWinds this summer, Reuters reported.