SEC Fines Avaya, Check Point, Others for Underplaying SolarWinds Hack

Four major technology companies have agreed to pay millions of dollars as recompense for misleading investors through their disclosures regarding the 2020 SolarWinds hack.

The communication platform Avaya, Israel-based cybersecurity provider Check Point and email security software developer Mimecast each reached an agreement with the Securities and Exchange Commission to pay millions of dollars in penalties for "making materially misleading disclosures regarding cybersecurity risks and intrusions" related to the SolarWinds hack, the agency said in a press release on Tuesday. Each company will pay approximately $1 million each in fees to the Commission in response.

The IT services firm Unisys also settled with the SEC over the misleading disclosures, but received additional fines related to disclosure control and procedures violations. This will bring the company's fine to $4 million total.

SEC's Sanjay Wadhwa

"It is incumbent upon [companies] to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of SEC enforcement.

Avaya, Check Point and Unisys were all aware that a Russian threat actor had installed a backdoor into SolarWinds' Orion network monitoring software and had compromised their networks in 2020, the SEC claims. Despite that knowledge, "each negligently minimized its cybersecurity incident in its public disclosures," the SEC said. Mimecast was not aware they had been affected by this hack until 2021, the SEC said.

Related:Massive SolarWinds Hack Leads to Class-Action Lawsuit

The attempts at minimization included Avaya allegedly telling shareholders that a few emails had been stolen when "at least 145 files in its cloud file sharing environment" had been accessed as well. Check Point, in contrast, was found to be aware of the intrusion but described the risks from them in generic and nondescript terms. Mimecast failed to disclose the nature of the code that the threat actor had exfiltrated and the exact amount of credentials that the actor accessed.

SEC's Jorge Teneiro

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge Tenreiro, acting chief of the crypto assets and cyber unit at the SEC. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized.  The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

Related:FCC Orders T-Mobile to Spend $15.7 Million on Cybersecurity

Companies Comment on Solarwind Hack Fines

The affected companies confirmed their cooperation, although not all of them presented them as being at fault.

"As mentioned in the SEC's order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed," the security firm told The Register. "Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world." 

"We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya's voluntary cooperation and that we took certain steps to enhance the company's cybersecurity controls," an Avaya spokesperson told The Register, striking a conciliatory tone. "Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."

Unisys stated in a recent SEC filing that it decided to pay the fine due to it being in the best interest of the company and shareholders.

Mimecast noted that while it is no longer a publicly traded company and does not believe it has done any wrong, it still cooperated with the SEC and "took the opportunity to enhance our resilience," a spokesperson noted.

The SolarWinds hack has continued to impact companies since the initial event. A June report from a former staff member alleges that a flaw in Microsoft's cybersecurity practice led to the threat actor installing the backdoor.