SEC fines four companies $7 million for ‘deceptive cyber disclosures’ in connection with SolarWinds hack


The Securities and Exchange Commission (SEC) announced on Tuesday that it charged and imposed sanctions on four companies for making misleading disclosures related to the 2019 SolarWinds data breach.

The four companies charged are the cybersecurity firms Check Point, which will pay a civil fine of $995,000, and Mimecast, which will pay $990,000; and the technology companies Unisys, which will pay $4 million, and Avaya, which will pay $1 million.

All of these companies were victims of the SolarWinds hack, which affected many other companies and government agencies that used SolarWinds software. According to the SEC, each company committed different violations, “negligently” downplaying the significance of the breaches and minimizing the harm caused by them.

“While public companies may become targets of cyberattacks, they should not harm their shareholders or other members of the investing public by making misleading disclosures about cybersecurity incidents that they encountered,” said Sanjay Wadhwa, acting director of the SEC’s Enforcement Division. “Here, the SEC orders found that these companies made misleading disclosures about the incidents in question, leaving investors in the dark about the true scope of the incidents.”

According to the SEC, each company committed different violations. Avaya said the hackers accessed a “limited number” of corporate emails, but did not mention that the hackers also accessed “at least 145 files in its cloud file sharing environment.” Despite its knowledge of the breach, Check Point described the “intrusions and cyber risks” in “general terms.” Mimecast “mitigated the attack by not disclosing” the code and amount of encrypted company credentials stolen by the hackers. Unisys described its “risk from cybersecurity events as hypothetical” despite having suffered two SolarWinds-related breaches.

The SEC said all of the companies cooperated with its investigations and agreed to pay fines and “cease and desist from future violations of the provisions charged,” while not “admitting or denying” the SEC’s findings.

Avaya spokeswoman Julianne Embry told TechCrunch that the SEC “recognized Avaya’s voluntary cooperation and that we have taken certain steps to strengthen the company’s cybersecurity controls.”

“Check Point investigated the SolarWinds incident and found no evidence that any customer data, code, or other sensitive information was accessed,” Check Point spokesperson Jill Messing told TechCrunch. “However, Check Point decided that cooperating and settling the dispute with the SEC was in its interest.”

Mimecast spokesperson Timothy Hamilton told TechCrunch that the company “made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected,” in response to the SolarWinds hack.

“We believed we complied with our disclosure obligations based on the regulatory requirements at the time,” Hamilton said.

When TechCrunch reached out to Unisys spokesperson Jimmy Bade for comment, he declined and referred to the company’s 8-K filing published on Tuesday. In the document, Unisys said it reached a settlement with the Securities and Exchange Commission that resolves the regulator’s investigation into the company.

In the past few years, the SEC has imposed a series of new obligations on publicly traded companies when it comes to disclosing data breaches and their impacts on the company, its customers, and its users.
