Flexi Group

Unisys, Three Other Companies Fined $7M for Downplaying Impact of SolarWinds Hack

Four current or former public companies will collectively pay nearly $7 million in fines to settle allegations by the U.S. Securities and Exchange Commission (SEC) that they downplayed or failed to fully disclose the damage caused by the 2020 SolarWinds Orion cyberattack.



The SEC’s charges target the companies for misleading investors about the extent of the breach and for falsely maintaining that their cybersecurity defenses were sufficient, despite knowing otherwise.


Unisys Corp. will pay the largest portion, $4 million, while Israel-based Check Point Software Technologies will pay $995,000. The SEC found that both companies had not fully disclosed how much of their corporate data was compromised in the SolarWinds hack and continued to assure investors that their cybersecurity systems were adequate, despite knowing those defenses had been breached.


Avaya Holdings Corp., which filed for bankruptcy in February 2023 and delisted as a public company, will pay $1 million. Mimecast, which was acquired and became privately held in May 2022, will pay $990,000.


SolarWinds itself has been under SEC scrutiny since 2022 for its cybersecurity disclosures and public statements related to the massive 2020 cyberattack, which compromised the systems of several major U.S. companies and government agencies. The attack was widely believed to be the work of Russian agents, and the U.S. sanctioned Russia in 2021 for its role in the hack.


The SEC’s latest enforcement actions highlight how companies mishandled and misrepresented their cybersecurity incidents. In Unisys' case, the company downplayed the breach by describing the risk of unauthorized access to its data in “hypothetical” terms, even though it knew that 33 gigabytes of its data had been accessed. Hackers also gained access to cloud-based shared files and mailboxes. Furthermore, Unisys’ internal disclosure system failed, as IT personnel who were aware of the breach did not inform senior management in a timely manner, preventing decision-makers from accurately assessing the situation.


The SEC order stated, “As a result, decision-makers failed at the time to reasonably assess the materiality of these events and new risks arising therefrom.” The order also criticized Unisys for not having policies that required cybersecurity personnel to report critical incidents to the company’s senior leadership.


A spokesperson for Unisys referred to the company’s filing with the SEC, which noted: “The SEC recognized the Company’s cooperation in its investigation and the remediation steps the company has taken in the years since disclosing a material weakness in November 2022, including enhancing disclosure policies and procedures and augmenting its cybersecurity personnel and tools, both internally and externally, to strengthen its cybersecurity risk management and protections.”



Check Point also faced criticism from the SEC for its lack of transparency. Despite conducting an investigation into the hack, the company continued to describe its cybersecurity risks in generic terms in public disclosures. However, a spokesperson for Check Point stated that their investigation “did not find evidence that any customer data, code, or other sensitive information was accessed.” Nevertheless, the company chose to settle with the SEC to focus on its mission of defending customers from cyberattacks, adding, "Check Point decided that cooperating and settling the dispute with the SEC was in its best interest."


Mimecast, which publicly disclosed the SolarWinds breach in early 2021, was found by the SEC to have “negligently omitted a number of material aspects of the compromise,” including the large number of affected customers and the percentage of code exfiltrated by hackers. Although Mimecast made additional disclosures later, the SEC said these still did not fully capture the extent of the intrusion.


A spokesperson for Mimecast said the company had engaged with customers and partners "proactively and transparently, even those who were not affected," and believed it had complied with its disclosure obligations at the time. “As we responded to the incident, Mimecast took the opportunity to enhance our resilience,” the company added.


These fines serve as a warning to companies about the importance of full transparency and accurate disclosures in the event of cybersecurity breaches, particularly those as significant as the SolarWinds hack. 

By fLEXI tEAM
