The SEC is Cracking Down on Misleading Cybersecurity Disclosure

By: David A. Bell, Michael S. Dicke, Dean Kristy, Wendy Grasso, Merritt Steele

What You Need To Know

  • The United States Securities and Exchange Commission (SEC) has charged four companies, both current and former public entities, with making materially misleading disclosures regarding cybersecurity risks and intrusions, resulting in nearly $7 million in total penalties.
  • The proceedings fall into two categories: disclosing a cyberattack but omitting material information about it (Avaya Holdings Corp. and Mimecast Limited), and failing to update risk factors following a cyberattack (Check Point Software Technologies Ltd. and Unisys Corporation).
  • The SEC emphasized that public companies downplaying the extent of a cybersecurity breach “further victimize their shareholders or other members of the investing public by providing misleading disclosures.”
  • In a joint dissenting statement, Commissioners Pierce and Uyeda strongly criticized the SEC for regulating by enforcement, and focusing on immaterial, undisclosed details to support the charges.

Background

On October 22, 2024, the SEC charged two current reporting companies, Unisys Corp. and Check Point Software Technologies, and two former public companies, Mimecast Limited and Avaya Holdings Corp., with making materially misleading statements about cybersecurity risks and cybersecurity attacks experienced by each company.

According to the SEC’s release, the charges against the four companies stem from an investigation focusing on public companies potentially affected by the compromise of SolarWinds’ Orion software and by other related activity.

The SEC sued SolarWinds last year for allegedly misleading its shareholders about its cyber vulnerabilities and the ability of Russian-linked hackers to penetrate its systems. This was the first time that the SEC has brought civil fraud claims against a public company victimized by a cyberattack. In July 2024, a federal judge dismissed part of the lawsuit, finding some claims to be based on “hindsight and speculation.” See our publication on SEC v. SolarWinds.

The release indicates that Unisys, Check Point, and Avaya each learned in 2020, and Mimecast learned in 2021, that the threat actor suspected of being behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incidents in its SEC filings.

The four companies have each been charged with violating certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules thereunder.

“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” added Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit.

According to the release, each company has agreed to cease and desist from future violations of the charged provisions and to pay the penalties described below. Each company cooperated during the investigation, including by voluntarily providing analyses or presentations that helped expedite the staff’s investigation and by voluntarily taking steps to enhance its cybersecurity controls.

Order Against Unisys

The SEC’s order against Unisys, a global provider of technical and enterprise information technology services and solutions, finds that the company negligently made materially misleading statements to investors regarding cybersecurity risks and events, and violated disclosure controls and procedure requirements.

The order indicates that Unisys's cybersecurity risk disclosures in its annual reports on Form 10-K for fiscal years ending December 31, 2020, and 2021 were materially misleading and not sufficiently tailored to reflect its specific risks and actual incidents.

Specifically, Unisys inaccurately described the existence of successful intrusions and the risk of unauthorized access to data and information in hypothetical terms, despite knowing that its systems had been compromised and involved unauthorized access and exfiltration of confidential and/or proprietary information. According to the order, the compromises to Unisys’s systems took place over a combined span of at least 16 months starting in January 2020, were persistent, and impacted several parts of the company’s corporate network and non-customer-facing cloud environment.

The order also finds that the materially misleading statements resulted in part from the company’s failure to design sufficient controls and procedures to ensure (1) that information about potentially material cybersecurity incidents was timely recorded, processed, summarized and reported, within the time period specified as appropriate in the SEC’s rules and forms, and (2) that information was accumulated and communicated to the company’s management to allow timely decisions regarding required disclosure. As a result, the company’s decision makers failed to reasonably assess the materiality of the cybersecurity incidents and new risks arising therefrom.

According to the order, prior to December 2022, Unisys’s incident response policies did not reasonably require cybersecurity personnel to report information to Unisys’s disclosure decision makers and contained no criteria for determining which incidents or information should be reported outside the information security organization. As a result, the company’s senior cybersecurity personnel repeatedly failed to timely report various cybersecurity incidents to executive management and the legal department. The order notes that Unisys’s cybersecurity personnel did not report the 2020 and 2021 activity to disclosure decision makers until a year after discovering it, and a subsequent 2022 extortion incident until a month after it occurred.

Unisys agreed to pay a $4 million civil penalty.

Order Against Check Point

The SEC’s order against Check Point, a provider of products and services for information technology security, finds that the company negligently made materially misleading statements to investors regarding its cybersecurity risks in its annual reports on Form 20-F filed with the SEC in April 2021 and 2022.

According to the order, Check Point framed its cybersecurity risks generically and omitted new and material cybersecurity risks arising out of security breaches that occurred over a four-month period from July through October 2020.

Check Point agreed to pay a $995,000 civil penalty.

Order Against Mimecast

The order charging Mimecast, a provider of cloud security and risk management services for email and corporate information, finds that the company negligently made materially misleading statements to investors regarding a cybersecurity incident that the company had experienced.

According to the order, the current reports on Form 8-K filed by Mimecast on January 12, 2021, January 26, 2021 and March 16, 2021 disclosing and discussing the compromise included certain quantitative details of the compromise, but negligently omitted a number of material aspects of the compromise, including information regarding the large number of impacted customers (a majority of its customers) and the percentage and significance of code exfiltrated by the threat actor.

Notably, the Form 8-K requirements for disclosing material cybersecurity incidents were adopted as part of the 2023 Cybersecurity Rule and, therefore, did not apply at the time Mimecast filed its three Form 8-Ks.

Mimecast agreed to pay a $990,000 civil penalty.

Order Against Avaya

The SEC’s order against Avaya, a global provider of digital communications products and services, finds that it negligently made materially misleading statements regarding a significant cybersecurity incident compromising Avaya’s cloud email and shared files, some of which contained confidential and/or proprietary company information, as early as January 2020 with activity through at least December 2020. Avaya had stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” despite knowing that the hacker had also accessed at least 145 files in its cloud file sharing environment.

According to the order, the quarterly report on Form 10-Q filed by Avaya in February 2021 minimized the compromise and omitted material facts known to Avaya personnel regarding the scope and potential impact of the incident.

Avaya agreed to pay a $1 million civil penalty.

The Dissent

It is notable that in a joint dissenting statement, SEC Commissioners Pierce and Uyeda strongly objected to the four enforcement actions, criticizing the Commission for engaging in “a hindsight review to second-guess the disclosure and cit[ing] immaterial, undisclosed details to support its charges.”

The dissenters note that when adopting the 2023 Cybersecurity Rule, the Commission stated that disclosure of cybersecurity incidents should “focus … primarily on the impacts of … [the] … incident, rather than on … details of the incident itself.” Yet, in the cases of Avaya and Mimecast, the dissenters argue, the Commission found the companies at fault for not disclosing details regarding the incident itself (as opposed to impacts of the incident). They also challenge the determination that the details omitted (including details regarding the identity of the threat actor, the duration of the intrusion, and the extent—in terms of numbers and percentages—of the intrusion) would be considered “material” by a reasonable investor.

The dissenters warn that “[t]o avoid being second-guessed by the Commission, companies may fill their Item 1.05 disclosures with immaterial details about an incident, or worse, provide disclosure under the item about immaterial incidents … [which could] divert investor attention and result in mispricing of securities.”

With respect to the charges against Check Point and Unisys, the dissenters caution that “[w]hether risk factors need to be updated because certain hypothetical risks have materialized is not always a straightforward matter… [and] aggressive enforcement by the Commission may cause companies to fill their risk disclosures with occurrences of immaterial events, for fear of being second-guessed by the Commission.”

Takeaways

As the four orders demonstrate, the SEC is aggressively focused on cybersecurity and protecting investors from misleading information. However, the charges laid out in the four orders may leave companies and their counsel questioning their original interpretations as to the level of detail that must be provided in connection with cybersecurity incidents, as argued in the joint dissenting statement.

In light of the recent enforcement actions and comments from the SEC’s Enforcement Division, companies should avoid a rush to disclose and ensure that they are taking the time necessary to thoroughly analyze the scope and impacts of any cybersecurity incident, and, if the incident is determined to be material, prepare accurate (both quantitatively and qualitatively), thorough and transparent disclosures.

It is important for companies to remember that Item 1.05 of Form 8-K gives companies four days from the determination of the incident’s materiality (as opposed to the time of discovery) to make the required disclosures. Because the materiality of a cybersecurity incident is often not immediately apparent at the time of discovery, this accommodation is intended to give companies a reasonable amount of time to investigate the incident and undertake an informed materiality analysis, provided the determination is not unreasonably delayed.

Companies should also take the time necessary to think through and prepare the required disclosures with the assistance of experienced counsel, bearing in mind that enforcement authorities may, in hindsight, emphasize quantitative factors over qualitative factors when assessing materiality. Companies should continue to monitor the impacts of any cybersecurity incident and ensure that they are updating their SEC filings accordingly if material developments become known.

In addition, companies should ensure that they have sufficient disclosure controls and procedures in place to respond to cybersecurity incidents, including adequate escalation procedures (see our publication on the SEC-adopted cybersecurity disclosure rules).

Companies should also take these compliance measures into consideration:

  • Review and update information security programs to ensure that they are documenting processes for identifying and mitigating cybersecurity risk, including processes for assessing risks posed by third-party vendors.
  • Examine their reporting and governance processes, including their cybersecurity incident response plans, to ensure that they can promptly determine whether a cybersecurity incident—or a series of cybersecurity incidents—is material and requires reporting under the SEC’s cybersecurity rules.
  • When making materiality determinations and drafting disclosures, carefully consider how the details of incidents may be quantified and how those metrics may have optical weight over qualitative factors when considering the impact of incidents on issuers in the eyes of enforcement authorities (and in the claims that may be drafted by the plaintiffs’ bars).
  • Make sure their boards clearly delineate oversight responsibilities for cybersecurity-related matters, including by updating committee charters with specific coverage where necessary.
  • Ensure that their boards or the appropriate board committees receive regular updates from management regarding cybersecurity matters, including areas of risk, areas of focus, business systems readiness, cybersecurity incidents and remediation, as well as the disclosure controls and procedures applicable to disclosures of these matters.
  • Work with experienced counsel to understand and prepare the appropriate descriptions of cybersecurity-related processes and oversight to be included in annual reports (and establish processes for updating those descriptions as they evolve).
  • Ensure that decision-makers drafting the company’s risk factors have adequate and updated information about any material cybersecurity incidents within the reporting period so that risk factors appropriately describe real versus hypothetical risks.