SEC Fines Companies Millions Over Misleading SolarWinds Breach Disclosures

November 13, 2024

The SEC has fined four companies—Avaya, Check Point, Mimecast, and Unisys—for misleading disclosures related to the 2020 SolarWinds breach. Becky Bracken, reporting in Dark Reading, says the fines reflect the SEC’s view that each company downplayed the severity of the breach, offering incomplete or vague reports on the extent of compromised data.

The SEC aims to deter companies from minimizing or inaccurately reporting cybersecurity risks in future incidents and requires firms to communicate transparently and accurately after data breaches.

Unisys received the largest penalty, $4 million, for providing hypothetical disclosures despite confirmed breaches and data exfiltration. Avaya agreed to pay $1 million for not reporting that 145 files in its cloud environment had been compromised, instead reporting only minimal email access.

Check Point was fined $995,000 for ambiguously addressing the breach’s impact in its annual report. Mimecast received the lightest penalty, $990,000, for not disclosing details about exfiltrated code and accessed credentials.

Each company expressed a desire to move on from the incident, with statements affirming improvements in cybersecurity controls and willingness to cooperate with the SEC.

This enforcement action underscores the critical importance of accurate disclosure. Regulators increasingly expect precision in cyber incident disclosures, which could affect future cybersecurity and legal strategies.

For law firms, these penalties highlight the SEC’s stringent expectations for cyber incident disclosures. Companies must reassess their disclosure strategies and prepare for potential post-incident regulatory scrutiny.

Legal teams must work closely with CISOs to ensure transparency and compliance in initial breach reports. Preparing accurate and detailed disclosures may mitigate future litigation risks and regulatory penalties. Collaboration between cybersecurity teams and legal departments is essential in today’s regulatory landscape.
