The Securities and Exchange Commission (SEC) has charged four current and former public companies with making misleading disclosures about cyber risks and intrusions. The charged companies are Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Limited. To settle the SEC charges, each company agreed to pay the following civil penalties:

  • $4 million for Unisys 
  • $1 million for Avaya
  • $995,000 for Check Point 
  • $990,000 for Mimecast 

The charges are the result of an investigation of public organizations that may have been impacted by the compromise of SolarWinds’ Orion software and related activity. According to the SEC, the four organizations discovered that the malicious actor likely responsible for the SolarWinds Orion hack had accessed the companies’ systems. However, each organization minimized the incident in its cybersecurity disclosure.

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, states, “As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered. Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”