The SEC Fines Four SolarWinds Breach Victims
The SEC isn’t messing around when it comes to cybersecurity breach reporting. Be honest or be fined.
On October 22, 2024, the Securities and Exchange Commission (SEC) announced it had charged four current and former public companies -- Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited -- with making materially misleading disclosures about cybersecurity risks and intrusions. The civil penalties ranged from $990,000 to $4 million, with Unisys fined the most.
Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, said in a press release statement, “…while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”
Kurt Sanger, counsel at Buchanan Ingersoll and Rooney’s Cybersecurity & Data Privacy practice, says his law firm expects state and foreign governments to continue being assertive regarding companies’ claims about their cybersecurity, artificial intelligence, and other developing technologies.
“New technologies generally have three characteristics that make them difficult to communicate about: They are complex and poorly understood, they offer great promise, and they pose unknown and potentially significant risks,” says Sanger in an email interview. “Some may believe the inherent complexities and lack of understanding give them cover to omit certain facts. Some may believe so strongly in their technologies that they describe them based on aspirations rather than reality and probability. When organizations make questionable statements based on the information available to them at the time, they leave themselves open to government, customer, and shareholder scrutiny.”
Is This the Tip of the Iceberg?
Mike Piazza, partner at CM Law and former regional trial counsel for the SEC, says the dissent by Commissioners Hester Peirce and Mark Uyeda is worth noting because they disagree about what is “material.”
“The SEC is supposed to adhere to a materiality standard, and yet it’s hard to discern what the guiding principles are in determining what’s material to disclose from those four decisions,” says Piazza in an email interview. “As a result of the election, control of the Commission will change. Thus, the guidance from the dissenting Commissioners about how to determine materiality for the purposes of disclosure in these circumstances likely will become the guiding principles upon which companies should focus going forward.”
Mike Piazza, CM Law
There’s also the question of whether intent or negligence makes a difference. According to Ken Herzinger, partner and global co-chair of the Investigations and White Collar Defense practice at the Paul Hastings law firm, SEC rule 10b-5 covers standard fraud, though the SEC can bring negligence charges under The Securities Act of 1933.
“Since June of 2021, the SEC has been sending letters to hundreds of public companies that were purportedly affected by the SolarWinds incident,” says Herzinger. “Then, in August of 2021, the SEC began sending another wave of letters. They offered amnesty to those companies that would disclose whether they were a victim of the SolarWinds breach or not, and any issues they suffered from that breach. The SEC did not offer amnesty for any insider trading, regulation FD or disclosure and procedure violations.”
More fundamentally, the SEC wants to understand every breach public companies have experienced since October 2019 without limitation to materiality.
“Some companies responded. Some did not. My assessment is that these four cases likely came out of that sweep,” says Herzinger. “I think there are more victims of the victims that the SEC is investigating behind the scenes.”
Aaron Charfoos, partner and co-chair of the Data Privacy and Cybersecurity group at Paul Hastings, says he anticipates more such litigation because the SEC is pushing on several fronts.
“We’re not only seeing the enforcement side, but the corporate convergence and the affirmative disclosure side, a real focus on bringing forward these kinds of vulnerabilities, making it clear what’s happening,” says Charfoos.
Timing also matters.
“If you have a cyber breach, it needs to be treated as a top priority. [I] know this is difficult because I’ve been involved in these situations, and sometimes it’s really hard to wrap your arms around the scope of the breach,” says Piazza. “But you have these artificial timelines the SEC has built in now, so you need to get an initial 8K out with whatever information you deem material, and then supplement that as the investigation goes along. You need to be prepared to do a quick investigation, then hopefully remedy the situation quickly and follow that up with a supplemental filing with the SEC so your investors are fully aware of what’s going on.”
How to Avoid the Same Fate
Companies should ensure the cyber and data security information they share within their organizations is consistent with what they share with government agencies, shareholders and the public, according to Buchanan Ingersoll & Rooney’s Sanger. This applies to their security posture prior to a breach, as well as their responses afterward.
“Consistent messaging is difficult to manage given that dozens, hundreds or thousands could be responsible for an organization’s cybersecurity. Investigators will always be able to find a dissenting or more pessimistic outlook among the voices involved,” says Sanger. “If there is a credible argument that circumstances are or were worse than what the organization shares publicly, leadership should openly acknowledge it and take steps to justify the official perspective.”
Corporate cybersecurity breach reporting is still relatively uncharted territory, however.
“Even business leaders who intend to act with complete transparency can make inadvertent mistakes or communicate poorly, particularly because the language used to discuss cybersecurity is still developing and differs between communities,” says Sanger. “It’s noteworthy that the SEC framed each penalized company as having ‘negligently minimized its cybersecurity incident in its public disclosures.’ The Commission’s carefully crafted characterization is a warning that companies must not only avoid intentional misrepresentations, but they must also use due care when making public statements to avoid accusations that they were unclear or withheld information. Additionally, they must use due diligence to discover available information about their systems. Willful blindness is unlikely to offer a defense.”
While material incidents have needed to be reported historically, the more technical details of the cybersecurity program didn’t need to be disclosed.
“With the new public company rules coming out of the SEC, we are seeing greater emphasis on governance and the process to determine disclosure,” says Charfoos. “We’ve said companies should draft incident response plans that have objective standards for the classification of an incident, objectively defined groups of people who will deal with different severity levels of incidents, and they’re told within an objectively defined time period. That should go all the way up to the board.”
There are challenges, however, because compliance is a business cost rather than a revenue generator. That means in tough times compliance may suffer budget-wise if the C-suite and the board have not prioritized it.
Who Should Review Disclosures?
Herzinger says there are SEC cases going back to Yahoo in 2018 that demonstrate a lack of coordination, information sharing and escalation between those working on the privacy side and those handling SEC disclosures.
Ken Herzinger, Paul Hastings law firm
“In our view, a lot of different people on both sides of the house should be involved -- making sure that the people who are drafting and making public statements and [on] earning calls are fully apprised and updated on exactly what’s happening,” says Herzinger. “Making sure information is flowing from your CISO and information security team to the disclosure team and then escalating that to the legal department; the executive management team; the risk, disclosure and audit committees; and ultimately the board.”
Sanger says that ultimately, the CEO must own any statement to the SEC, but they should be armed by staff to defend it.
“Drafting and reviewing should be done by the executives who understand the technical aspects of a breach, [such as] the chief information officer and chief information security officer, the general counsel who understands the regulations involved and whether they apply to the circumstance, and communications professionals who can craft messages for each of the concerned audiences,” says Sanger. “Most importantly, the chief operating officer needs to understand and explain the business operations impacts of a breach and how they will affect revenue-generating activities, the workforce, the capacity to conduct normal activities and when business as usual can be expected to return.”
Charfoos warns that companies should make sure the information included in 8Ks, 10Ks and 10Qs doesn’t reveal a mismatch between what the technical team and the disclosure counsel know.
“You can’t claim something is a coordination between the disclosure counsel, the InfoSec team and legal to make sure you aren’t leaving anything out or saying something in the wrong way,” says Charfoos.
An important thing to note is that the SEC is not just looking at SEC filings. In one prosecuted case, a company was charged with false and misleading statements based on the security statement housed on the company’s website.
“Many companies don’t spend the same amount of time reviewing and scrubbing that statement as they would their SEC filings, [because] they don’t necessarily view it the same way,” says Paul Hastings’ Herzinger. “I think the SEC regulators and the plaintiffs’ bar are starting to look at virtually any public statement that a public company makes about its cybersecurity program and second-guessing whether those statements are accurate.”
CIOs and CISOs should be trained on federal securities laws and the disclosure roles, and should have a better working relationship with inside and outside SEC disclosure counsel so they can familiarize themselves with red flags.
“Ultimately, it’s in everyone’s best interest for CISOs and the SEC reporting staff to document those critical decisions you make in real time, so if at a later point in time someone questions why you didn’t disclose a breach, you have a record of the reasoning, such as why the breach was not material,” says Herzinger. “Because if you need to defend that decision a year down the road, you want to make sure you have all the information, the data points you considered at the time, nailed down in writing somewhere so you don’t have to go back and recreate the wheel.”
Bottom Line
Corporate “disclosures” are not limited to SEC filings for public companies. What organizations claim on their website or otherwise should be consistent and truthful. Otherwise, intentional misinformation and even negligent statements can serve as the basis for SEC investigations, fines and reputational damage.