SEC Fines Companies Millions for Downplaying SolarWinds Breach

October 25, 2024 at 05:09PM

The SEC has charged four companies for inadequate disclosures related to the 2020 SolarWinds breach. Unisys faced the largest penalty of $4 million. The SEC aims to deter vague breach disclosures and stresses the importance of precise communication to avoid future legal ramifications, urging closer collaboration between CISOs and legal teams.

### Meeting Takeaways

1. **SEC Charges Related to 2020 SolarWinds Breach**:
– The SEC has charged four companies for misleading disclosures following the 2020 SolarWinds cyber breach.

2. **Fines Imposed**:
– **Unisys** received the heaviest fine at **$4 million** for negligent disclosure practices and controls violations, failing to accurately report incidents involving significant data exfiltration.
– **Avaya Holdings Corp.** agreed to pay **$1 million**, admitting to partial knowledge of compromised data but underreporting the extent of the breach in its initial statements.
– **Check Point** was fined **$995,000** for vague disclosures regarding the impact of the SolarWinds incident, despite finding no evidence that sensitive customer data was accessed.
– **Mimecast** faced a **$990,000** penalty for not properly disclosing the nature and quantity of compromised data, though it contended that it had acted transparently during the incident.

3. **Statements from Companies**:
– Companies have expressed a desire to move on from these issues, with Avaya highlighting improvements in its cybersecurity controls.
– Check Point reiterated its commitment to customer security and cooperating with the SEC.
– Mimecast, while no longer under SEC jurisdiction, emphasized compliance and improving its resilience post-incident.

4. **Intent of SEC Enforcement**:
– The SEC aims to deter companies from providing vague and misleading information following a breach, underlining the need for precise disclosures.
– Jorge G. Tenreiro of the SEC emphasized that downplaying a breach is ineffective and that companies must avoid framing known risks hypothetically.

5. **Implications for Companies**:
– Increased scrutiny on cybersecurity disclosures necessitates that companies provide detailed and accurate information during and after incidents.
– Cybersecurity leaders (CISOs) must collaborate closely with legal teams to ensure compliance with evolving regulatory expectations and to prepare for potential litigation from breaches.

6. **Advice from Experts**:
– Companies should refrain from relying on generalizations in disclosures; clear and detailed reporting is now a regulatory expectation.
– Firms must be proactive in considering post-incident legal consequences, incorporating comprehensive risk assessments in their cybersecurity strategies.

### Action Items
– Review and enhance cybersecurity disclosure protocols.
– Engage legal teams when formulating responses to cyber incidents.
– Conduct training for relevant staff on the importance of precise communication regarding cybersecurity risks and incidents.