SEC Imposes Nearly $7 Million in Penalties on Tech Companies for Misleading Cybersecurity Disclosures
The U.S. Securities and Exchange Commission (SEC) has taken a decisive stance on cybersecurity disclosure violations, announcing $6.985 million in combined enforcement actions against four technology companies for what it described as "materially misleading" disclosures about cyber incidents. All four companies were victims of the 2020 SolarWinds Orion supply-chain compromise; the SEC's charges concern not the intrusions themselves but how each firm described them to investors, highlighting the regulator's growing scrutiny of cyber-risk communication. The civil penalties are as follows:
- Unisys Corporation: $4 million
- Avaya Holdings Corp.: $1 million
- Check Point Software Technologies Ltd.: $995,000
- Mimecast Limited: $990,000
This enforcement action marks one of the SEC's most significant crackdowns to date on cybersecurity disclosure violations. Unisys was additionally charged with failing to maintain adequate disclosure controls and procedures, the internal processes that ensure information about a material incident reaches the people responsible for public filings.
A Pattern of Misleading Disclosures
The SEC's investigation found a consistent pattern of companies downplaying or obscuring the real impact of cybersecurity breaches. Unisys, which received the largest penalty, continued to frame cybersecurity threats as hypothetical in its risk-factor disclosures even after it knew of confirmed intrusions and the exfiltration of gigabytes of data. The SEC also found that the company's disclosure controls and procedures were inadequate, resulting in multiple violations of the federal securities laws.
Avaya Holdings Corp. also misrepresented the scope of its breach, describing the compromise as limited to a small number of email messages while failing to disclose that it already knew at least 145 files in its cloud file-sharing environment had also been accessed. This selective disclosure misled investors by omitting material information about the true extent of the intrusion.
Check Point Software Technologies, in turn, described the intrusion it had experienced in vague and generic terms, obscuring the fact that it had been compromised through SolarWinds. This evasive wording prevented investors from understanding the company's actual exposure.
Mimecast similarly minimized the severity of its breach, omitting the nature of the source code that was exfiltrated and the quantity of encrypted credentials that were accessed. The SEC noted that, given the sensitivity of the compromised data, this incomplete disclosure was particularly serious.
SEC Warns Against "Half-Truths"
"This enforcement action sends a clear message to public companies about their disclosure obligations," said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. "In today’s digital landscape, cyberattacks may be inevitable, but companies have a fundamental duty to provide accurate, timely information to their shareholders and the investing public."
Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, emphasized that corporate disclosures must reflect materialized risks rather than theoretical ones: "The federal securities laws prohibit half-truths. When risk factors downplay known incidents, they fail to meet the law's requirements."
Beyond the monetary penalties, each of the four companies agreed to cease and desist from future violations of the relevant provisions of the federal securities laws and to strengthen the disclosure controls that govern how cyber incidents are escalated and reported.
As part of their remedial efforts, the companies committed to improved incident response protocols and more rigorous risk assessment frameworks, so that the materiality of an incident is evaluated promptly and reflected accurately in public filings. These steps are designed to prevent future disclosure violations and to improve corporate governance around cybersecurity incidents.
The companies settled without admitting or denying the SEC's findings. Their cooperation during the investigation and their efforts to strengthen internal controls were cited as mitigating factors; the SEC acknowledged that each firm voluntarily provided detailed analyses and presentations that expedited resolution of the matter.