SEC hits four companies with fines for misleading disclosures around SolarWinds hack
Briefly

"As today's enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered," Sanjay Wadhwa, acting director of the SEC's Division of Enforcement, said in a statement. "Here, the SEC's orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents."
According to the SEC, by December 2020 Avaya already knew that at least one cloud server holding customer data and another server for its lab network had been breached by hackers working for the Russian government. Later that month, a third-party service provider alerted the company that its cloud email and file-sharing systems had also been breached, likely by the same group and through means other than Orion. A follow-up investigation identified more than 145 shared files accessed by the actor, along with evidence that the group monitored the emails of the company's cybersecurity incident responders.
As part of the agreement, the companies have agreed to pay fines without acknowledging wrongdoing. Unisys will pay $4 million, Avaya $1 million, Check Point $995,000 and Mimecast $990,000.
Read at CyberScoop