Enforcement for Cybersecurity Risk Disclosure Shortfalls

On October 22, 2024, the SEC announced settled enforcement actions against four companies focused on disclosures about cybersecurity risks and actual cybersecurity intrusions.  The four companies were Avaya Holdings Corp., Check Point Software Technologies Ltd., Mimecast Limited, and Unisys Corp.  All four of the cases have their roots in the SolarWinds Orion software cybersecurity hack.

According to the SEC, all four of the companies downplayed the impact of cybersecurity events.  In the SEC’s Press Release, Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, stated, “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized.”  This is a recurring issue in cybersecurity cases and SEC comments.  In another of the cases, the company described a breach as having involved access to a limited number of email messages when in fact the company knew that 145 files, some of which involved sensitive company information, had been breached.  The Unisys Corp. case also focused on deficient disclosure controls and procedures.

You can read more details about each case and find links to each Order in the SEC’s Press Release.

All the companies entered into cease-and-desist orders and paid fines ranging from $990,000 to $4 million.

As always, your thoughts and comments are welcome!
