Four companies have settled charges by the Securities and Exchange Commission (SEC) that they made “materially misleading disclosures” after being breached in 2020 through the SolarWinds Orion software hack (US public companies have been required to disclose material cyber events since last year; see this). But two of the five SEC commissioners dissented on the charges, calling the SEC a “Monday morning quarterback” for its actions and potentially portending pushback on the disclosure regulations should Donald Trump become president and follow through with promises to reduce business regulations.
The SEC claimed that “Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.” The Commission asserted that the required public disclosures made by the companies were generic and included “half truths.” This was a significant cyber disclosure issue.
The companies agreed to pay civil penalties to settle the SEC’s charges: Unisys will pay a $4 million civil penalty (Unisys had also been charged with disclosure controls and procedures violations); Avaya a $1 million civil penalty; Check Point a $995,000 civil penalty; and Mimecast a $990,000 civil penalty. SC Media has a good round-up of the companies’ reactions here.
Not all SEC commissioners agreed that the companies were untruthful and had failed to disclose “material” information. The dissent came from Commissioners Hester Peirce (appointed by then-President Trump) and Mark Uyeda (appointed by President Biden). “Cybersecurity incidents are one of a myriad of issues that most companies face. The Commission needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one. Yes, the Commission must protect investors by ensuring that companies disclose material incidents, but donning a Monday morning quarterback’s jersey to insist that immaterial information be disclosed — as the Commission did in today’s four proceedings — does not protect investors. It does the opposite,” they said in a statement, which also includes a useful table comparing the cyber disclosures Check Point had made with what the SEC argued it should have made.
More useful details on the case can also be found in this Unisys legal document.
Other News: Change Healthcare ransomware attack exposes personal health information of over 100 million.