October 22, 2024 at 02:39PM
The SEC charged Unisys Corp, Avaya Holdings, Check Point Software, and Mimecast for misleading investors about cybersecurity breaches from the 2020 SolarWinds hack. The companies agreed to pay civil penalties totaling approximately $6 million, with fines based on downplayed disclosures regarding their incidents and data access during the breach.
### Meeting Takeaways:
1. **SEC Charges Against Companies**: The Securities and Exchange Commission (SEC) has charged four companies—Unisys Corp, Avaya Holdings, Check Point Software, and Mimecast—for allegedly misleading investors regarding the impact of their cybersecurity breaches during the 2020 SolarWinds Orion hack.
2. **Details of the Charges**:
– All four companies made materially misleading disclosures about cybersecurity risks and incidents.
– Unisys was specifically charged with violations related to disclosure controls and procedures.
3. **Settlements and Penalties**:
– The companies have agreed to pay civil penalties to settle the charges:
– Unisys: $4 million
– Avaya: $1 million
– Check Point: $995,000
– Mimecast: $990,000
4. **Breach Details**:
– Each company downplayed the severity of the breaches:
– **Unisys**: Minimally described cybersecurity risks despite two intrusions involving significant data exfiltration.
– **Avaya**: Misrepresented the scope of the breach, claiming limited access when a larger number of files were affected.
– **Check Point**: Used vague terms to downplay the breach impact.
– **Mimecast**: Failed to disclose detailed information about stolen code and accessed credentials.
5. **Background on the SolarWinds Attack**:
– The SolarWinds supply chain attack, attributed to the Russian state-sponsored group APT29, occurred in 2019 and involved a Trojan in the Orion platform.
– Affected updates were pushed to fewer than 18,000 victims, with specific targets chosen for deeper exploitation.
6. **Broader Impact**: Multiple high-profile organizations and U.S. government agencies confirmed breaches linked to the SolarWinds hack, underscoring the significant threat posed by such cyber incidents.