SEC fines 4 companies in SolarWinds case

The US Securities and Exchange Commission (SEC) has charged four public companies (Unisys Corp, Avaya Holdings Corp, Check Point Software Technologies Ltd and Mimecast Limited), which have agreed to pay almost $7 million as a result of an investigation, which found that these companies had made materially misleading disclosures about cybersecurity risks and intrusions they had suffered. This meant leaving their investors without sufficient information about the true extent of the incidents. In addition, the SEC has fined Unisys for violations of disclosure controls and procedures.

According to the SEC's orders, Unisys, Avaya and Check Point in 2020, and Mimecast in 2021, knew that the attackers, who had likely compromised SolarWinds' Orion software in 2020, had also accessed their systems without authorisation, but each negligently downplayed their cybersecurity incident in their public statements.

Finally, the SEC's orders conclude that each company violated certain provisions of the Securities Act of 1933, Securities Exchange Act of 1934 and related rules. Without admitting or denying the judgment, each company has agreed to cease and desist from future violations of the above provisions and to pay the appropriate penalties. In addition, they have cooperated during the investigation by volunteering analyses or reports that have helped expedite the process and by taking voluntary steps to improve their cybersecurity controls.