Tech firms to pay millions in SEC penalties for misleading SolarWinds disclosures
Four high-profile tech companies reached an agreement with the Securities and Exchange Commission to pay millions of dollars in penalties for misleading investors about their exposure to the 2020 SolarWinds hack.
Communications tech outfit Avaya, Israeli cybersecurity shop Check Point, and email security biz Mimecast have agreed to fork over $1 million, $995,000, and $990,000, respectively for "making materially misleading disclosures regarding cybersecurity risks and intrusions," the SEC said today.
A fourth company, IT services firm Unisys, was also accused and settled with the SEC; Unisys also faced charges of disclosure control and procedures violations, bringing its penalty to $4 million.
"It is incumbent upon [companies] to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of SEC enforcement.
With the exception of Mimecast, which didn't realize it had been caught up in the incident until 2021, the other companies knew that the Russian threat actor who slipped a backdoor into SolarWinds' Orion network monitoring software managed to compromise their networks in 2020, the same year as the attack. Despite that knowledge, "each negligently minimized its cybersecurity incident in its public disclosures," the SEC said.
/cloudfront-us-east-2.images.arcpublishing.com/reuters/CD73V5ILVVPGDAAXUBSYQTNXDE.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/23951360/STK072_VRG_Illo_N_Barclay_8_netflix.jpg)
