Public companies facing cyberattacks must be honest in their disclosures, or the consequences could hit harder than the breach itself. That message rang loud and clear as the U.S. Securities and Exchange Commission (SEC) imposed fines on four companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited—for making materially misleading cyber disclosures and public statements about the cybersecurity incidents they faced due to the 2020 SolarWinds supply chain hack.
The SEC’s investigation found that these companies misrepresented the extent of breaches related to the infamous SolarWinds Orion software hack, a massive cyber espionage campaign that impacted numerous organizations, including federal agencies. Each firm either minimized the attack’s severity or failed to disclose critical information, leaving investors in the dark about the actual scope of the intrusion, the SEC found.
Unisys Corp. was hit the hardest, facing a $4 million penalty for both misleading disclosures and failure to maintain proper controls over its public statements. Meanwhile, Avaya, Check Point, and Mimecast were each fined nearly $1 million for similar violations.
Also read: SolarWinds’ CISO Faces SEC Fraud Charges Over Cybersecurity Deception
The Dangers of Downplaying Cybersecurity Breaches
The SEC’s orders reveal that Unisys, Avaya, and Check Point were aware as early as 2020 that a sophisticated threat actor had accessed their systems through SolarWinds. Mimecast learned in 2021 that it had been compromised as well. However, each of these companies made public statements suggesting that their cyber risks were “hypothetical” or limited in scope, despite knowing the opposite to be true.
For instance, Unisys downplayed the risk in its public filings even though it knew of two separate breaches involving gigabytes of stolen data. Avaya minimized the incident by claiming that only a few email messages were accessed, when in reality, 145 files from its cloud file-sharing system had also been compromised. Similarly, Check Point chose to speak about cyber risks in generic terms rather than addressing the breach’s true impact.
SEC Warns Against ‘Half-Truths’
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” warned Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit. The SEC’s findings revealed that these companies either framed their cybersecurity risk factors hypothetically or discussed them in generic terms, even after knowing the risks had already materialized.
The SEC noted that federal securities laws prohibit “half-truths,” particularly in risk-factor disclosures, and made clear that misleading statements about cybersecurity breaches would not be tolerated.
The Impact of the SEC’s Action
The SEC’s enforcement action should act as a critical wake-up call for companies across industries, particularly in the cybersecurity and tech sectors. The need for clear, honest communication about cyber risks cannot be overstated, especially as incidents involving nation-state actors and sophisticated malware campaigns continue to rise.
Companies will likely want to have robust internal processes for incident reporting, ensuring that C-suites and boards of directors are fully informed of cyber risks. Companies that fall short of this standard not only risk regulatory action but also lose credibility with investors and customers.
Also read: Federal Judge Dismisses Major Claims in SEC’s Lawsuit Against SolarWinds
The Role of Disclosure Controls
One of the key issues raised by the SEC’s investigation was the failure of disclosure controls at Unisys. The SEC found that Unisys did not have adequate systems in place to ensure that its public statements accurately reflected the reality of its cyber incidents.
The case shows a growing expectation for organizations to build strong disclosure frameworks that tie cybersecurity incidents directly to their financial filings. Cybersecurity cannot be treated as a separate issue from corporate governance and compliance anymore. Failure to align these areas can result in substantial penalties and lasting reputational damage.
Cooperation Does Not Prevent Penalties
While all four companies cooperated with the SEC’s investigation and took steps to enhance their cybersecurity controls, this did not exempt them from financial penalties. According to the SEC, each company’s cooperation helped expedite the investigation, but this did not mitigate the fact that they had provided misleading disclosures to the public.
The enforcement action makes it clear that even companies that voluntarily disclose information or cooperate fully with investigations can still face penalties if they fail to uphold transparency.
“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement.
The Future of Cybersecurity Disclosures
Moving forward, the SEC’s actions suggest that there will be increased regulatory focus on how companies disclose cyber risks and breaches. The SolarWinds hack, along with other high-profile incidents, has shown just how devastating cyberattacks can be—not just in terms of technical damage, but also in terms of regulatory and legal fallout.
Public companies, particularly those in critical sectors like technology and financial services, should expect heightened scrutiny over how they communicate their cybersecurity posture. The pressure will likely increase as global cyber threats grow more sophisticated and investors demand more transparency.