The US Securities and Exchange Commission (SEC) has charged four major tech firms with failing to tell the truth about their exposure to the 2020 SolarWinds hack.
Unisys, Avaya Holdings, Check Point Software, and Mimecast have agreed to pay civil penalties of $4 million, $1 million, $995,000, and $990,000 respectively.
"As today’s enforcement actions reflect, while public companies may become targets of cyber attacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement.
"Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents."
The SolarWinds attack, discovered in late 2020, saw the Russia-linked hacking group APT29, also known as Midnight Blizzard, infect the company’s Orion network monitoring software through a software supply chain attack.
Thousands of organizations worldwide were affected, including the US Department of State, the Department of Homeland Security, the US Treasury, the Department of Energy, and the National Nuclear Security Administration.
According to the SEC, the aforementioned companies learned they'd been hacked in 2021, but minimized the issue in their public disclosures. Unisys, for example, described its risks from cybersecurity events as hypothetical despite knowing that it had fallen victim.
Avaya, meanwhile, admitted that the threat actor had only accessed a 'limited number of [the] Company’s email messages', when it knew that the threat actor had also accessed at least 145 files in its cloud file sharing environment.
While Check Point knew of the intrusion, it described cyber intrusions and risks from them in generic terms and Mimecast minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and how many encrypted credentials were accessed.
"Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, acting chief of the SEC's Crypto Assets and Cyber Unit.
"In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures."
Oz Alashe, CEO and founder of CybSafe, said the penalties imposed by the SEC should serve as a warning to organizations seeking to minimize the impact of cyber attacks.
"To foster an empathetic and open dialogue about cybersecurity and the risks businesses face, it's vital for cybersecurity companies to lead by example,” Alashe said.
“Disclosing a cyber incident is never easy, particularly for a cybersecurity organization, but it highlights a key point: even experts can fall victim to cybercrime. No one is immune," he said.
