SEC charges 4 companies for downplaying SolarWinds attacks

The U.S. Securities and Exchange Commission charged four technology companies with making misleading cybersecurity disclosures related to the massive SolarWinds supply chain attack in 2020.

The SEC announced on Tuesday charges against Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Limited. All four companies were charged with making materially misleading disclosures regarding cybersecurity risks and intrusions, and Unisys was also charged with violating disclosure controls and procedures.

The charges resulted from an SEC investigation into companies that were potentially compromised by the SolarWinds supply chain attack in 2020. A Russian nation-state threat group, commonly known as APT29 or Midnight Blizzard, injected malicious code in software updates for SolarWinds' Orion IT management platform. The malicious updates were issued to thousands of customers and were used by threat actors to breach dozens of victim organizations, including U.S. government agencies.

The SEC accused Unisys, Avaya, Check Point and Mimecast of downplaying knowledge in public discourse that the threat group "likely behind the SolarWinds Orion hack had accessed their systems without authorization." The SEC also charged Unisys, an IT consulting firm headquartered in Blue Bell, Pa., with hiding two SolarWinds-related intrusions that resulted in stolen data.

Avaya, which provides unified communication software, was charged with minimizing how many company email messages the SolarWinds threat actors accessed. The SEC stated the threat actors accessed at least 145 files from Avaya's cloud sharing file environment.

Additionally, the SEC said Mimecast, an email security vendor, did not disclose the type of code that was exfiltrated "and the quantity of encrypted credentials the threat actor accessed." According to the SEC, cybersecurity vendor Check Point knew about a network intrusion by the SolarWinds hackers but publicly described the incident and the associated risks in "generic terms."

The SEC said the four companies agreed to pay civil penalties to settle the changes. Unisys will pay a $4 million penalty and Avaya a $1 million penalty. Check Point will pay $995,000, and Mimecast will pay $990,000.

TechTarget Editorial contacted Avaya regarding the SEC charges. The company sent the following statement.

We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020 and that the agency recognized Avaya's voluntary cooperation and that we took certain steps to enhance the company's cybersecurity controls. Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers as well as in our internal operations.

TechTarget Editorial also contacted Mimecast regarding the charges, and the company provided the following statement.

Mimecast has resolved a matter with the Securities and Exchange Commission (SEC) involving statements about a security incident that Mimecast became aware of in January 2021. In responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected. We believed that we complied with our disclosure obligations based on the regulatory requirements at that time. As we responded to the incident, Mimecast took the opportunity to enhance our resilience. While Mimecast is no longer a publicly traded company, we have cooperated fully and extensively with the SEC. We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers.

TechTarget Editorial contacted Check Point for comment on the charges. The security vendor said it addressed the SEC's announcement in a 6-K from December.

As mentioned in the SEC's order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world.

TechTarget Editorial contacted Unisys for comment. The company referred to an 8-K form Unisys filed Tuesday morning.

"Unisys Corporation (the "Company") has reached a non-scienter-based administrative proceeding settlement, on a neither admit nor deny basis, with the U.S. Securities and Exchange Commission ("SEC") in connection with the SEC investigation the Company previously disclosed in its quarterly and annual filings with the SEC. Non-scienter-based securities violations are made without any knowledge, intent or recklessness," Unisys wrote in the 8-K. " The Company concluded that it is in the best interests of the Company and its stockholders to constructively resolve this matter with the SEC."

Tuesday's announcement comes one year after the SEC accused SolarWinds and its CISO Timothy Brown of misleading investors regarding the company's cybersecurity practices, known risks and vulnerabilities leading up the massive supply chain attack. However, earlier this year, U.S. District Judge Paul Engelmayer dismissed many of the charges alleged in the SEC's lawsuit.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.