SEC Dings SolarWinds Victims for Cybersecurity Disclosures

Last month, the Securities and Exchange Commission settled four enforcement actions against current and former publicly traded companies for making what it deemed “materially misleading” cybersecurity risk disclosures.

The cases could all be traced back to the same cause: The infamous SolarWinds software hack. Believed to have been orchestrated by Russian intelligence agencies, the hack consisted of inserting malware into the SolarWinds Orion software, a platform for managing networks and information technology systems that has been used by tens of thousands of companies, government agencies and nonprofit organizations around the world. The hackers apparently evaded detection for more than a year before anyone caught on to the security breach in 2020.

The SEC objected to how SolarWinds handled its own public disclosures related to the breach, tagging the company and the vice president of its information security group with an enforcement action in 2023. However, a federal judge in 2024 tossed out some of the key allegations against SolarWinds, which included charges of making misleading disclosures about its cybersecurity programs and maintaining faulty internal controls.

The SEC then turned its attention to some of the companies affected by the hack – but for different reasons. In the cases of Avaya Holdings Corp. and Mimecast Limited, the agency said both omitted important information about the incident. According to the SEC, Avaya failed to disclose “the likely attribution of the activity to a nation-state threat actor, the long-term unmonitored presence of the threat actor in Avaya’s systems, the access to at least 145 shared files some of which contained confidential and/or proprietary information, and the fact that the mailbox the threat actor accessed belonged to one of Avaya’s cybersecurity personnel.” Meanwhile, Mimecast left out details in its disclosures about the scope and impact of the hack, the agency contended.

On the other hand, the SEC took exception to the quality of the disclosures made by Check Point Software Technologies Ltd. and Unisys Corp. regarding cybersecurity threats as a risk factor. Specifically, the commission said the disclosures were too “generic.” And in a sign of just how nitpicky the SEC is getting, Check Point’s cybersecurity disclosures were challenged because the company said attempts to hack its systems had not “resulted in any material adverse impact to [its] business or operations.” On the contrary, the SEC said, Check Point’s cybersecurity risks had increased because of the SolarWinds breach.

The enforcement actions drew customary dissents from Republican-appointed commissioners Hester Peirce and Mark Uyeda. They took the SEC to task over what they viewed as the agency “playing Monday morning quarterback.” But despite that pushback and the setback in the SolarWinds litigation, the agency seems resolved to continue rigorous enforcement of the rules governing cybersecurity disclosures.

Issuers, consider yourselves warned.
