SEC Alleges 4 Companies Downplayed Cybersecurity Incident in Public Disclosures

The Securities and Exchange Commission (SEC) has charged four current and former public companies with making misleading cyber disclosures.

The agency alleged that Avaya Holdings, Check Point Software Technologies, Mimecast and Unisys minimized a cybersecurity incident in their public disclosures after learning that a threat actor had accessed their systems without authorization, the SEC said in a Tuesday (Oct. 22) press release.

The SEC alleged that Avaya said the threat actor had accessed a “limited number” of email messages, that Check Point described the risks of cyber intrusions in generic terms, that Mimecast failed to disclose the extent of the attack, and that Unisys described the risks from cybersecurity events as hypothetical, according to the release.

In each case, the charges resulted from an investigation of public companies that may have been impacted by the compromise of SolarWinds’ Orion software, per the release.

“The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures,” Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit at the SEC, said in the release.

Without admitting or denying the SEC’s findings, each company agreed to cease and desist from future violations of the charged provisions and to pay a civil penalty, according to the release. Avaya will pay $1 million; Check Point, $995,000; Mimecast, $990,000; and Unisys, $4 million.

Reached by PYMNTS, Avaya said in an emailed statement that it continues to focus on strengthening its cybersecurity program.

“We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls,” the statement said.

Check Point said in a statement emailed to PYMNTS that its investigation of the SolarWinds incident did not find evidence that any customer data, code or other sensitive information was accessed.

“Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world,” the statement said.

Mimecast said in a statement emailed to PYMNTS that it made disclosures and engaged with its customers and partners in 2021 and believed that it complied with its disclosure obligations at that time.

“As we responded to the incident, Mimecast took the opportunity to enhance our resilience,” the statement said. “While Mimecast is no longer a publicly traded company, we have cooperated fully and extensively with the SEC. We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers.”

Unisys said in a Form 8-K filed Tuesday with the SEC that the agency recognized the company's cooperation with its investigation and the remediation steps the company has taken.

“The Company concluded that it is in the best interests of the Company and its stockholders to constructively resolve this matter with the SEC,” the filing said.