SEC Charges 4 Companies Over Misleading SolarWinds Cyberattack Disclosures

October 25, 2024 at 06:34AM

The SEC has charged four companies—Avaya, Check Point, Mimecast, and Unisys—for misleading disclosures about the 2020 SolarWinds cyberattack, violating federal securities laws. Fines include $4 million for Unisys and $1 million for Avaya. The companies downplayed the breach’s extent, leaving investors uninformed about risks.

### Meeting Takeaways – October 25, 2024

**Topic:** Regulatory Compliance / Data Breach

**Key Points:**

1. **SEC Charges:**
– The U.S. Securities and Exchange Commission (SEC) has charged four public companies (Avaya, Check Point, Mimecast, and Unisys) with providing misleading disclosures about the 2020 SolarWinds cyberattack.
– The charges relate to violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.

2. **Fines Imposed:**
– Avaya: $1 million
– Check Point: $995,000
– Mimecast: $990,000
– Unisys: $4 million (also charged with disclosure controls and procedures violations)

3. **Nature of the Misconduct:**
– All four companies were aware of unauthorized access by Russian threat actors but downplayed the severity in their public communications.
– **Unisys** described risks as “hypothetical” despite knowing data exfiltration occurred.
– **Avaya** minimized the breach, stating only a “limited number” of email messages were accessed, while also losing access to at least 145 files.
– **Check Point** and **Mimecast** broadly described risks and failed to adequately disclose the specifics of the code and the number of encrypted credentials accessed.

4. **Regulatory Stance:**
– SEC officials emphasized that companies must provide clear and accurate information regarding cybersecurity incidents to protect investors.
– Misleading disclosures that leave investors uninformed about true risks constitute violations of federal securities laws.

5. **Implications for Public Companies:**
– Companies are reminded of their responsibility to provide truthful disclosures and avoid any half-truths in risk assessments regarding cybersecurity threats.

**Next Steps:**
– Ensure awareness of regulatory compliance regarding cybersecurity disclosures moving forward.
– Review and strengthen internal communication protocols related to cybersecurity incidents to prevent potential misrepresentations.

**Follow-Up:**
– Consider developing training for relevant staff on compliance and proper disclosure practices regarding cybersecurity threats.

