Risk & Repeat: SEC cracks down on cybersecurity disclosures
The SEC's charges against Unisys, Avaya, Check Point Software Technologies and Mimecast have raised questions about expectations for transparency in cybersecurity.
The U.S. Securities and Exchange Commission's charges against Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Ltd. raise concerns about the state of transparency in cybersecurity.
These charges, announced Oct. 22, resulted from an SEC investigation into organizations potentially compromised by the infamous supply chain attack against software vendor SolarWinds. Unisys, Avaya, Check Point and Mimecast agreed to settle with the SEC and were fined a total of approximately $7 million for making "materially misleading" statements to investors, according to the SEC.
Unisys took the lion's share of the fines -- $4 million -- in part for downplaying two SolarWinds-related intrusions that resulted in stolen data. A list of charges against the four companies is available on the SEC website.
The settlements announced last week are another example of troubling cybersecurity disclosure practices. Sanjay Wadhwa, acting director of the SEC's Division of Enforcement, said in the settlement announcement that companies should not "further victimize" their shareholders and investors with misleading disclosures about security incidents.
Although some companies like Microsoft are making strides to improve the quality of information that reaches the public, the SEC's charges indicate that there's still plenty of work to be done in this area.
TechTarget editors Rob Wright and Alex Culafi discuss recent SEC charges and cybersecurity disclosure practices on this episode of the Risk & Repeat podcast.
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.