On Oct. 22, 2024, the Securities and Exchange Commission (SEC) announced settled charges against four current and former public companies, Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast, for allegedly making materially misleading statements in their public disclosures regarding cybersecurity intrusions and risks following the SolarWinds Corporation software hack.[1] This wave of enforcement actions signals the SEC’s continued focus on the content and completeness of public disclosures following cyber incidents. In a press release, the SEC summarized its position that the settling issuers each “negligently minimized its [SolarWinds] cybersecurity incident,” which served to “further victimize their shareholders or other members of the investing public” and left “investors in the dark about the true scope of the incidents.”[2]
The SEC brought charges under Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, Section 13(a) of the Securities Exchange Act of 1934 and Exchange Act Rule 12b-20 against all four companies; Exchange Act Rule 13a-1 against Unisys and Check Point regarding annual reports; Exchange Act Rule 13a-11 against Mimecast relating to its Form 8-K disclosures; and Exchange Act Rule 13a-13 against Avaya relating to its quarterly report. The SEC also charged Unisys with failing to have in place controls and procedures to ensure disclosure of material cyber events, in violation of Exchange Act Rule 13a-15(a).
Unisys
Unisys settled with the SEC for $4 million over allegations that the company’s 2020 and 2021 annual reports on Form 10-K were materially misleading because the company described cyber risks as hypothetical possibilities that “could” result in loss, unauthorized disclosure or misuse of information.[3] The SEC asserted that at the time of the disclosures, Unisys knew it had experienced SolarWinds-related cyber intrusions, which involved unauthorized access to cloud-based accounts and mailboxes and exfiltration of gigabytes of data. In the SEC’s view, Unisys negligently misled its investors by discussing hypothetical risks when, in fact, those risks had been realized.
Additionally, the SEC found that Unisys had deficient disclosure controls and procedures in place, including lacking a process to ensure that cybersecurity personnel timely escalated material incidents to senior management and disclosure decision-makers.[4]
Avaya Holdings
Avaya paid a $1 million penalty to settle allegations that the company made negligent misrepresentations in its 2021 quarterly report on Form 10-Q. The firm disclosed an investigation into activity it “believed resulted in unauthorized access to [the company’s] email system,” with “evidence of access to a limited number of [the company’s] email messages.” The company also stated that there was “no current evidence of unauthorized access to [the company’s] internal systems,” despite access to a cloud environment operated by a vendor. The SEC found that Avaya improperly omitted material information that was known to it at the time of the filing, including “the likely attribution of the activity to a nation-state threat actor, the long-term unmonitored presence of the threat actor in Avaya’s systems, the access to at least 145 shared files some of which contained confidential and/or proprietary information, and the fact that the mailbox the threat actor accessed belonged to one of Avaya’s cybersecurity personnel.”[5]
Check Point Software Technologies
Check Point paid $995,000 to settle SEC allegations that its 2020 and 2021 annual reports on Forms 20-F (for foreign issuers) were materially misleading. Specifically, the company failed to update its cyber risk disclosures from prior years despite experiencing material changes to its cybersecurity risks and actual incidents resulting from the SolarWinds hack. The disclosures stated that the company “regularly face[s] attempts” and “[f]rom time to time … encounter[s] intrusions,” but that “[t]o date, none have resulted in material adverse impact.” The SEC found that Check Point’s disclosures were materially misleading because the company had known of prolonged intrusions, increased cyber risks and its inability to fully scope the incidents’ impact. Further, the SEC found Check Point’s disclosures were too generic and not adequately tailored to the company’s cyber risks and actual incidents.[6]
Mimecast
Mimecast settled with the SEC for $990,000 for negligent misrepresentations in three Form 8-Ks filed in January and March 2021. The company disclosed unauthorized exfiltration of an authorization certificate that impacted “a low single digit number” of its customers; access and potential exfiltration of account credentials; and access and exfiltration of source code, which Mimecast stated was “incomplete” and involved a “limited number” of code repositories. The SEC found that Mimecast improperly minimized the cyberattack in these disclosures by failing to also disclose that the hacker exfiltrated a majority of the source code for three important functions and the number of customers impacted generally, which was in the thousands.[7] The SEC found that Mimecast’s public disclosures improperly downplayed the severity of the incident by quantifying certain aspects while omitting material information about its scope and impact.[8]
SEC Dissenting Opinion
Notably, two SEC commissioners, Hester M. Peirce and Mark T. Uyeda, dissented, accusing the SEC of “playing Monday morning quarterback,” engaging in a “hindsight review,” while citing “immaterial, undisclosed details to support its charges.”[9]
In addition to disagreeing with the outcome because they believed the SEC ignored the “reasonable investor standard” for materiality, Peirce and Uyeda expressed a general concern that these actions could shape future disclosures. Specifically, Item 1.05(a) of Form 8-K requires companies to disclose “the material aspects of the nature, scope, and timing” of a material cybersecurity incident.[10] The dissent asserted that contrary to the adopting release for Item 1.05, which emphasized disclosure of the “impacts” of cyber events rather than details “regarding the incident itself,” these settlements encourage companies to file disclosures of immaterial incident details, such as the identity of the threat actor, to avoid SEC scrutiny.
Implications
Prior to these four orders, there had been few enforcement actions that shed light on what the SEC considers an inadequate disclosure or what it considers material in the context of cyber incidents.[11] Collectively, these orders offer helpful guidance and a reminder that the SEC continues to actively pursue enforcement for what it considers inadequate cyber disclosures.
As in other contexts, if a company makes a disclosure on a specific topic, the SEC may look closely at the surrounding facts known at the time to assess the reasonableness and sufficiency of the disclosure. Once a company discloses an issue, the SEC may scrutinize omitted information — such as the importance of impacted systems to the company’s business, the amount of time during which a threat actor had unauthorized access, limitations in assessing impacts due to gaps in recordkeeping or logs, or the number of affected customers — to determine whether the information disclosed was misleading without additional context.
Companies should also be mindful of the SEC’s continuing attention to disclosure controls and procedures, particularly in the cyber context. SEC enforcement has repeatedly focused on the failure or absence of processes to ensure information flows from internal cyber professionals to senior management and those charged with making public disclosures to investors. The SEC has pursued multiple enforcement actions based on allegations that companies lacked adequate processes to inform front-line cyber staff about which cyber incidents to escalate and to whom.
In the orders above, the SEC brought enforcement actions premised on the failure of companies to update their existing risk disclosures following an incident. When an issuer suffers a cyber incident, the SEC may look closely at whether the company continues to refer to hypothetical risks in its disclosures without providing additional detail about any risks that have ceased to be hypothetical.
Takeaways Worth Considering
- Public companies may want to include representatives from their cyber function in discussions about periodic cyber risk disclosures to ensure the disclosure function has the benefit of current information about which risks remain hypothetical and which have been realized.
- The impact of SolarWinds’ partially successful motion to dismiss, which challenged among other things the SEC’s application of internal accounting control provisions to cyber incidents, remains unclear.[12] These orders suggest it has not diminished the SEC’s willingness to pursue cyber incident disclosure and disclosure control cases. But the dissent issued by two commissioners discussed above suggests that the approach pursued in these orders could change should the commission makeup shift.
- While the monetary penalty imposed on Unisys is higher than those in recent cyber-related settlements,[13] the SEC cited each of the four companies’ cooperation and remedial efforts in reaching the settlements. This implies that penalties would have been higher absent such cooperation and remediation. Consistent with prior SEC public statements encouraging cooperation, the orders noted the companies’ willingness to provide presentations, factual summaries, internal investigative findings and prompt responses to document and information requests.
[1] In September 2019, cyberattacks, believed to be perpetrated by the Russian Foreign Intelligence Service, breached the networks at SolarWinds (a network management software company) and injected code into SolarWinds’ network and suite of products called Orion. See SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response (infographic) (Apr. 22, 2021), https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic. All four companies used SolarWinds’ products.
[2] Press Release, SEC, SEC Charges Four Companies with Misleading Cyber Disclosures (Oct. 22, 2024), https://www.sec.gov/newsroom/press-releases/2024-174.
[3] In the Matter of Unisys Corporation, Securities Act Release No. 11323, Exchange Act Release No. 101401 (Oct. 22, 2024), https://www.sec.gov/files/litigation/admin/2024/33-11323.pdf. Unlike the other three companies, Unisys also agreed to an undertaking to cooperate with the SEC “in any and all investigations, litigations or other proceedings relating to or arising from the matters described in the Order.” Id.
[4] Id.
[5] In the Matter of Avaya Holdings Corp., Securities Act Release No. 11320, Exchange Act Release No. 101398 (Oct. 22, 2024), https://www.sec.gov/files/litigation/admin/2024/33-11320.pdf.
[6] In the Matter of Check Point Software Technologies Ltd., Securities Act Release No. 11321, Exchange Act Release No. 101399 (Oct. 22, 2024), https://www.sec.gov/files/litigation/admin/2024/33-11321.pdf.
[7] In the Matter of Mimecast Limited, Securities Act Release No. 11322, Exchange Act Release No. 101400 (Oct. 22, 2024), https://www.sec.gov/files/litigation/admin/2024/33-11322.pdf.
[8] Id.
[9] Statement of Commissioners Hester M. Peirce and Mark T. Uyeda, Statement Regarding Administrative Proceedings Against SolarWinds Customers (Oct. 22, 2024), https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-solarwinds-102224.
[10] Adopted as the 2023 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule, Item 1.05(a) of Form 8-K states that, “If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”
[11] All four SEC orders reference materiality in the context of the companies’ business operations, noting that the impact of the cyber incidents was material because each provides services dependent on safeguarding either company or customer data—e.g., IT services (Unisys and Check Point), digital communications for large enterprises and governments (Avaya), and cloud security (Mimecast).
[12] See Sec. & Exch. Comm’n v. SolarWinds Corp., No. 23 Civ. 9518 (PAE), 2024 WL 3461952 (S.D.N.Y. July 18, 2024).
[13] See, e.g., In the Matter of R.R. Donnelley & Sons Co., Exchange Act Release No. 100365 (June 18, 2024), https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf (imposing a $2.125 million penalty); In the Matter of Blackbaud, Inc., Securities Act Release No. 11165, Exchange Act Release No. 97098 (Mar. 9, 2023), https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-48.pdf (assessing a $3 million penalty); In the Matter of Pearson plc, Securities Act Release No. 10963, Exchange Act Release No. 92676 (Aug. 17, 2021), https://www.sec.gov/files/litigation/admin/2021/33-10963.pdf (assessing a $1 million penalty); In the Matter of First American Financial Corp., Exchange Act Release No. 92176 (June 14, 2021), https://www.sec.gov/files/litigation/admin/2021/34-92176.pdf (assessing a $487,616 penalty).