CheckRed Editorial

Security Breaches
18 November 2024

Misleading Disclosures About Cyberattacks Can Cost You Millions!

The Securities and Exchange Commission has charged four prominent companies—Unisys Corp., Avaya Holdings, Check Point Software Technologies, and Mimecast Limited—with making misleading disclosures about cybersecurity breaches (specifically, their exposure to the SolarWinds cyberattack of 2020). The charges allege that these firms downplayed or obscured the full extent of the cyber threats they faced, leaving investors in the dark. Additionally, Unisys faces separate charges for violating disclosure controls and procedures, signaling the SEC’s growing crackdown on corporate transparency in the face of cyber risks.

The SEC has made it clear that companies must be transparent and timely in disclosing cyberattacks that could significantly impact their financial health, operations, or reputation. Failure to do so not only misleads investors but also risks undermining trust in the markets. In an age where cyber threats are ever-evolving and increasingly sophisticated, the SEC’s focus on robust disclosures is crucial to ensure investors can make informed decisions, and companies are held accountable for adequately addressing the risks they face. Inadequate or delayed reporting, as seen in high-profile cases like SolarWinds, can lead to severe penalties, highlighting the critical need for companies to be proactive, clear, and accurate when communicating the full scope of a cyber incident.

Understanding the SolarWinds Misleading Disclosures

The SEC has accused four companies—Check Point, Unisys, Avaya, and Mimecast—of making misleading statements about the SolarWinds breach that affected their systems in December 2020. While the companies did not specifically respond to the SEC’s claims, it is likely that each company was aware that its systems had been breached by a state-sponsored threat actor. After investigating, each found that the attacker had gained access to business-critical information.

The SEC charged all four companies with negligent fraud for two main reasons. First, Check Point and Unisys were accused of making risk disclosures that were too vague and similar to their pre-breach statements, even though they knew they had been impacted by the SolarWinds attack. The SEC argued that this was misleading because the companies had specific knowledge of the breach. Second, Avaya and Mimecast did acknowledge the breach but failed to include important details that the SEC believes investors would have needed to know. All four companies are in the tech sector, with large private and government clients, so the SEC stressed that their reputations—and ability to retain customers—were at stake. They were asked to pay civil penalties ranging from $995,000 to $4 million.

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warnings of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

The Importance of the SEC’s Cyber Disclosure Rule

The SEC’s disclosure rule requires companies to provide relevant and factual information about cyber risks, breaches, and how they manage their overall security posture. Some of the primary areas of SEC oversight include:

  • Transparency: To protect investors, the SEC mandates that public companies disclose all cybersecurity risks and breaches that could affect their operations or financial stability, keeping shareholders informed of potential threats.
  • Guidelines: The SEC provides guidance to help companies strengthen their cybersecurity practices. This includes best practices for cyber risk analytics, incident response, appropriate remediation, and governance to maintain a strong security posture.
  • Compliance: The SEC enforces regulations like the Safeguards Rule under the Gramm-Leach-Bliley Act, which mandates companies to implement strong cybersecurity measures to protect their digital environment and confidential data.
  • Enforcement: The SEC has the authority to impose fines and penalties on organizations that fail to comply with its cybersecurity and reporting rules, ensuring that companies remain accountable for their information security practices.

Key Aspects of the Disclosure Rule

The SEC’s cybersecurity incident disclosure rule introduces two key requirements for public companies. First, companies must disclose any material cybersecurity incidents—such as data breaches, system intrusions, ransomware attacks, or email compromises—on Form 8-K within four business days of determining that the incident is material. This ensures that investors are quickly informed of any threats that could significantly affect the company’s operations or financial standing. The rule also mandates that companies provide an annual report on their cybersecurity risk management, strategies, and governance practices, giving stakeholders a clear picture of how firms are preparing for and responding to cyber threats.

When determining whether an incident is material, company executives and boards of directors must assess factors such as potential harm to the company’s reputation, relationships with customers and vendors, financial impact, and the risk of litigation or regulatory actions. The SEC recognizes that companies may not be able to assess materiality immediately, which is why the disclosure deadline is set to four business days after the company determines the incident’s material impact, not after it occurs or is discovered. This rule aims to improve transparency, ensuring that investors are kept informed about cybersecurity risks that could affect their investments.
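The point that the four-business-day clock starts at the materiality determination, not at discovery, is easy to get wrong in an incident-response runbook. The following added example (not code from the original post or from CheckRed) computes the Form 8-K filing deadline from the determination date and shows that an earlier discovery date does not move it. It assumes "business day" means Monday to Friday excluding a holiday set supplied by the caller; the holiday set here is a constructed placeholder, and a real runbook should load the applicable official calendar.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholder holiday calendar (assumption: a real runbook loads the
# official calendar for the relevant year; this single entry is illustrative only).
PLACEHOLDER_HOLIDAYS = frozenset({date(2024, 11, 28)})

# Filing window stated in the SEC rule: four business days after materiality is determined.
FILING_WINDOW_BUSINESS_DAYS = 4


def is_business_day(d: date, holidays=PLACEHOLDER_HOLIDAYS) -> bool:
    """Assumed definition: Monday-Friday and not in the supplied holiday set."""
    return d.weekday() < 5 and d not in holidays


def form_8k_deadline(materiality_determined: date,
                     business_days: int = FILING_WINDOW_BUSINESS_DAYS,
                     holidays=PLACEHOLDER_HOLIDAYS) -> date:
    """Last calendar date on which the 8-K may be filed.

    Counts forward from the determination date, so a determination made on a
    Friday lands on the following Thursday (or later if holidays intervene).
    """
    current = materiality_determined
    remaining = business_days
    while remaining > 0:
        current += timedelta(days=1)
        if is_business_day(current, holidays):
            remaining -= 1
    return current


@dataclass(frozen=True)
class IncidentClock:
    discovered: date
    materiality_determined: date
    filing_deadline: date
    days_from_discovery: int  # calendar days between discovery and the deadline


def incident_clock(discovered: date, materiality_determined: date,
                   holidays=PLACEHOLDER_HOLIDAYS) -> IncidentClock:
    """Builds the disclosure timeline for one incident.

    Raises if the determination date precedes discovery, since an incident cannot
    be judged material before anyone knows it happened.
    """
    if materiality_determined < discovered:
        raise ValueError("materiality cannot be determined before discovery")
    deadline = form_8k_deadline(materiality_determined, holidays=holidays)
    return IncidentClock(
        discovered=discovered,
        materiality_determined=materiality_determined,
        filing_deadline=deadline,
        days_from_discovery=(deadline - discovered).days,
    )


if __name__ == "__main__":
    # Constructed scenario: intrusion found on 15 Nov 2024, judged material on
    # Friday 22 Nov 2024. Thu 28 Nov is in the placeholder holiday set, so the
    # four business days are Mon 25, Tue 26, Wed 27 and Fri 29 Nov.
    clock = incident_clock(date(2024, 11, 15), date(2024, 11, 22))
    print(f"discovered {clock.discovered}, material {clock.materiality_determined}, "
          f"file 8-K by {clock.filing_deadline} "
          f"({clock.days_from_discovery} calendar days after discovery)")
```

The `days_from_discovery` field is what an incident lead should watch: a long gap between discovery and determination is not a filing violation by itself under the rule as described above, but it is the interval a regulator will ask about, so the runbook should record why the determination took as long as it did.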

Strengthening Cloud and SaaS Security to Avoid Breaches and Fines

Maintaining a strong cloud and SaaS security posture is crucial for companies to avoid potential fines and reputational damage in the event of a breach. With the SEC’s increasing focus on cybersecurity disclosures, companies must prioritize robust security measures to prevent incidents that could lead to material breaches. By implementing proactive security strategies, regularly assessing risks, and ensuring compliance with industry best practices, organizations can reduce the likelihood of a breach and minimize the impact of any cyber threats. A well-maintained security posture not only helps safeguard sensitive data but also demonstrates to investors, customers, and regulators that the company is committed to transparency and accountability, ultimately protecting both its bottom line and its reputation.

Speak to a security expert at CheckRed to know how we can help you!