Four companies settle SEC allegations over SolarWinds cyberattack disclosures, agree to pay nearly $7 million

Four companies — Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Ltd.—have agreed to pay a combined total of nearly $7 million to settle allegations by the U.S. Securities and Exchange Commission (SEC) that they downplayed the severity of cyberattacks linked to the massive SolarWinds breach.

 

This development is the latest consequence of the SolarWinds attack, which exposed vulnerabilities in hundreds of organizations, including public companies and government agencies. The SEC alleged that these companies misled the public about the impact of the breaches that occurred during 2020 and 2021. All four firms settled without admitting or denying the SEC’s allegations.

 

According to the SEC’s findings, Unisys Corp., a tech consulting company, misrepresented the risks associated with the cyberattacks in its 2020 and 2021 financial filings. The company described cybersecurity risks as hypothetical despite knowing that hackers had extracted data and accessed key files and mailboxes of senior IT personnel. The misleading disclosures were attributed to deficient internal controls. Unisys has acknowledged its cooperation with the SEC’s investigation and has taken steps to improve its cybersecurity risk management and disclosure practices.

 

Avaya Holdings Corp., a digital communications services provider, will pay a $1 million settlement. In early 2021, Avaya reported unauthorized access to a “limited number” of email messages. However, the SEC found that at least 145 files were accessed during the breach, information that was not fully disclosed at the time. Avaya expressed satisfaction with the resolution of the probe and reaffirmed its commitment to strengthening its cybersecurity framework.

 

Mimecast Ltd., a cloud security firm, will pay $990,000 as part of its settlement. The company failed to disclose important details about the nature of the code accessed by hackers and the number of encrypted credentials compromised during the attack. Mimecast, which went private in 2022, declined to comment on the settlement.

 

Lastly, Check Point Software Technologies Ltd., an IT security products company, will pay $995,000. While the company’s investigation into the breach found no evidence of customer data, code, or other sensitive information being compromised, it chose to settle with the SEC to avoid further disputes. Check Point emphasized its ongoing commitment to supporting customers in defending against cyberattacks.

 

The SolarWinds breach, first disclosed in December 2020, was one of the most significant cyberattacks in recent history, affecting hundreds of organizations worldwide. The SEC’s action against these companies serves as a reminder of the importance of transparent and accurate cybersecurity disclosures in protecting public trust.