4 tech firms settle with SEC over SolarWinds disclosures

Four high-profile tech companies reached an agreement with the Securities and Exchange Commission to pay millions of dollars in penalties for misleading investors about their exposure to the 2020 SolarWinds hack.

Communications tech outfit Avaya, Israeli cybersecurity shop Check Point, and email security biz Mimecast have agreed to fork over $1 million, $995,000, and $990,000, respectively, for "making materially misleading disclosures regarding cybersecurity risks and intrusions," the SEC said today.

A fourth company, IT services firm Unisys, was also accused and settled with the SEC; Unisys also faced charges of disclosure control and procedures violations, bringing its penalty to $4 million. 

"It is incumbent upon [companies] to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of SEC enforcement. 

Apart from Mimecast, which didn't realize it had been caught up in the incident until 2021, the companies knew in 2020, the same year as the attack, that the Russian threat actor who slipped a backdoor into SolarWinds' Orion network monitoring software had compromised their networks. Despite that knowledge, "each negligently minimized its cybersecurity incident in its public disclosures," the SEC said.

Avaya allegedly (none of the companies admitted or denied the allegations in their settlements) told shareholders that the compromise only led to a few emails being stolen, while knowing that "at least 145 files in its cloud file sharing environment" had been accessed as well. Mimecast, for its part, appears to have failed to disclose the nature of the code that was stolen or the number of encrypted credentials purloined from the firm.

Check Point supposedly knew what happened but only described the matter "in generic terms." Meanwhile, Unisys "described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data," the SEC alleged. 

The companies respond

"We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya's voluntary cooperation and that we took certain steps to enhance the company's cybersecurity controls," an Avaya spokesperson told The Register, striking a conciliatory tone. "Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."

Check Point wasn't as willing to admit it needed to do better. 

"As mentioned in the SEC's order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed," the security firm told us. "Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world." 

While the SEC's order [PDF] on Check Point (orders for the other three companies are also available from the SEC) doesn't indicate that customer data was stolen, it does claim that two of the company's servers were compromised, leading to two corporate accounts being accessed, "unauthorized activity on affected computers and their networks," a notice from a third-party vendor of access in the Check Point environment, and other signs of compromise.

The SEC said that Check Point filed risk disclosures that were "virtually unchanged from the same disclosures in prior Check Point public filings" despite its knowledge of the SolarWinds compromise; hence the fine, which has nothing to do with whether customer information was stolen.

Unisys directed us to a new SEC filing it made today that states it decided to pay the fine in the best interests of the company and shareholders, but declined to make an additional statement.

A Mimecast spokesperson told us that, while it's no longer a publicly traded company and doesn't think it did anything wrong, it still cooperated fully with the SEC and "took the opportunity to enhance our resilience."

The SEC declined to comment beyond its press release.

In the meantime, let this be a reminder to any publicly-held company considering underreporting that cybersecurity incident: Someone might come looking to audit your report, even years later, so don't leave anything out. ®

Source: theregister.com