4 tech firms settle with SEC over SolarWinds disclosures
Briefly

With the exception of Mimecast, which didn't realize it had been caught up in the incident until 2021, the companies knew in 2020, the same year as the attack, that the Russian threat actor who slipped a backdoor into SolarWinds' Orion network monitoring software had managed to compromise their networks. Despite that knowledge, "each negligently minimized its cybersecurity incident in its public disclosures," the SEC said.
"It is incumbent upon [companies] to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," said Sanjay Wadhwa, acting director of SEC enforcement.
Avaya allegedly told shareholders that the compromise led to only a few emails being stolen, while knowing that "at least 145 files in its cloud file sharing environment" had been accessed as well. Mimecast appears to have failed to disclose the nature of the code that was stolen or the number of encrypted credentials purloined from the firm.
Check Point supposedly knew what happened but only described the matter "in generic terms." Meanwhile, Unisys faced charges of disclosure control and procedural violations, bringing its penalty to $4 million.
Read at The Register