The Securities and Exchange Commission has filed enforcement actions against four companies alleging that each made misleading disclosures concerning the impact on the company of the cyberattack on SolarWinds Corp.’s Orion software. One of the companies was also charged with failing to maintain adequate disclosure controls and procedures. In announcing these actions, Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said: “As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.” SEC Charges Four Companies With Misleading Cyber Disclosures (SEC Press Release, October 22, 2024).
These actions arise from the 2020 cyberattack on SolarWinds in which a Russian state-sponsored threat actor inserted malicious code (a backdoor) into software updates for Orion, SolarWinds’s IT monitoring and management software product, which were then distributed to Orion customers. The four companies charged were Orion users. (For a description of the SEC’s case against SolarWinds, see A Shift in the Winds: Court Rejects SEC’s Use of Internal Control Authority to Police Cybersecurity, August 2024 Update.) The gist of the SEC’s charges is that, after learning that the threat actor behind the SolarWinds/Orion hack had accessed their systems, each of the four companies either made materially inaccurate disclosures that minimized the impact on the company or failed to update risk disclosures that were no longer accurate in light of the unauthorized access.
Avaya Holdings Corp.
The SEC’s order against Avaya finds that the company stated in a 2021 quarterly report on Form 10-Q that its investigation resulting from the SolarWinds/Orion breach had uncovered “evidence of access to a limited number of Company email messages” but that there was “no current evidence of unauthorized access to our other internal systems.” The order finds that this statement was misleading because, among other things, it failed to attribute the breach to a nation-state threat actor, failed to disclose “the long-term unmonitored presence of the threat actor in Avaya’s systems,” and failed to mention that the breach included “access to at least 145 shared files some of which contained confidential and/or proprietary information.”
Without admitting or denying the Commission’s findings, Avaya consented to an order that it cease and desist from future disclosure violations and pay a civil money penalty of $1 million.
Check Point Software Technologies Ltd.
The SEC’s order against Check Point finds that the company’s 2021 and 2022 annual reports on Form 20-F included only generic cyber risk disclosure, despite the company’s awareness, beginning in December 2020, of unauthorized activity in its network resulting from the SolarWinds/Orion breach. For example, its 2021 and 2022 Form 20-Fs stated that the company “regularly face[s] attempts by others to gain unauthorized access through the Internet or to introduce malicious software to our information technology (IT) systems” and that “From time to time we encounter intrusions or attempts at gaining unauthorized access to our products and network. To date, none have resulted in any material adverse impact to our business or operations.”
The order finds that Check Point’s risk disclosure was misleading because, among other things, it omitted disclosure of “how the company’s cybersecurity risk had increased due to the SolarWinds Compromise-related activity in its network” and was generic and not tailored to Check Point’s particular risks “because the relevant disclosures were identical to the 2020 cybersecurity risk factor disclosure, and therefore failed to reflect the changes in Check Point’s cybersecurity risks between 2020 and 2021 as a result of its investigation of the SolarWinds Compromise-related activity.”
Without admitting or denying the Commission’s findings, Check Point consented to an order that it cease and desist from future disclosure violations and pay a civil money penalty of $995,000.
Mimecast Limited
The SEC’s order against Mimecast finds that three reports on Form 8-K that the company filed in 2021 concerning its investigation into the impact of the SolarWinds/Orion breach “negligently created a materially misleading picture of the [SolarWinds] Compromise, providing quantification regarding certain aspects of the Compromise but not disclosing additional material information on the scope and impact of the incident.”
For example, the March 16, 2021 Form 8-K stated: “The investigation revealed that the threat actor accessed and downloaded a limited number of our source code repositories, as the threat actor is reported to have done with other victims of the SolarWinds Orion supply chain attack. We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service. We found no evidence that the threat actor made any modifications to our source code nor do we believe that there was any impact on our products.” The order finds that this disclosure was misleading because the Form 8-K “omitted that the threat actor had exfiltrated 58% of its exgestion source code, 50% of its M365 authentication source code, and 76% of its M365 interoperability source code, representing the majority of the source code for those three areas.”
Without admitting or denying the Commission’s findings, Mimecast consented to an order that it cease and desist from future disclosure violations and pay a civil money penalty of $990,000.
Unisys Corporation
The SEC’s order against Unisys finds that the company filed annual reports on Form 10-K for 2021 and 2022 that described its risks from cybersecurity events as hypothetical, despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. For example, the 2021 and 2022 Form 10-Ks stated that the cyberattacks “could” result in the loss or the unauthorized disclosure of information and that “[i]f our systems are accessed without our authorization” the company could experience data loss and suffer damage. These disclosures were unchanged from the 2019 Form 10-K. However, beginning in December 2020, Unisys had information indicating that the SolarWinds threat actor had compromised its network in several respects. As a result, Unisys’s cyber risk disclosure “inaccurately described the existence of successful intrusions and the risk of unauthorized access to data and information in hypothetical terms.”
The order also finds that Unisys failed to design controls and procedures to ensure that information about potentially material cybersecurity incidents was recorded, processed, summarized, and communicated to management to allow timely decisions regarding required disclosures. The order describes instances in which Unisys’s cybersecurity personnel became aware of cybersecurity incidents, but, since “Unisys’s policies did not include adequate escalation procedures in the event of a cybersecurity incident,” they did not report these incidents to senior management.
Without admitting or denying the Commission’s findings, Unisys consented to an order that it cease and desist from future disclosure violations and from future violations of the requirement to maintain disclosure controls and procedures designed to ensure that information required to be disclosed is reported within the time periods in the Commission’s rules. Unisys also consented to pay a civil money penalty of $4 million.
Statement of Dissenting Commissioners
Commissioners Peirce and Uyeda dissented from the issuance of these orders. Their statement asserts:
“The common theme across the four proceedings is the Commission playing Monday morning quarterback. Rather than focusing on whether the companies’ disclosure provided material information to investors, the Commission engages in a hindsight review to second-guess the disclosure and cites immaterial, undisclosed details to support its charges.”
* * *
“The Commission needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one. Yes, the Commission must protect investors by ensuring that companies disclose material incidents, but donning a Monday morning quarterback’s jersey to insist that immaterial information be disclosed — as the Commission did in today’s four proceedings — does not protect investors. It does the opposite.”
The dissenters analyze each of the four cases in detail. They argue that, in Avaya and Mimecast, the Commission is setting an unduly low bar for determining the materiality of information concerning cyber incidents. For example, in Mimecast, the Commission bases its charges in part on the company’s failure to disclose the percentages of various types of source code that were exfiltrated. “By calling for disclosure of specific percentages and types of source code, the Commission ignores the reasonable investor standard embedded within the materiality concept and the types of information that such investor would consider important in making an investment decision.” They also point out that the materiality analysis in these cases will affect how companies comply with the SEC’s new cyber security disclosure rule. “To avoid being second-guessed by the Commission, companies may fill their Item 1.05 disclosures with immaterial details about an incident, or worse, provide disclosure under the item about immaterial incidents.”
Commissioners Peirce and Uyeda expressed similar concerns concerning the Check Point and Unisys cases, both of which involve risk disclosure. They argue that Unisys undermines the goal of encouraging shorter, more focused risk factor disclosure:
“If the Commission does not exercise restraint, it could find a violation in every company’s risk disclosure because risk factors cover a wide range of topics and are inherently disclosure of hypothetical events. Aggressive enforcement by the Commission may cause companies to fill their risk disclosures with occurrences of immaterial events, for fear of being second-guessed by the Commission. Such a result would frustrate the Commission’s goal of preventing a lengthy risk factor section filled with immaterial disclosure.” (footnotes omitted)
Audit Committee Takeaways
Material Aspects of a Cyber Incident.
For managements preparing cyber incident disclosures and for audit committees overseeing such disclosures, these cases offer insight into how the Commission applies the concept of materiality in the context of cyber security. In 2023, the Commission adopted rules governing cyber security incident disclosure. See SEC Adopts Cybersecurity Disclosure Rules, August-September 2023 Update. Under those rules, Item 1.05 of Form 8-K requires reporting companies to disclose any cybersecurity incident the company determines to be material within four business days of making that materiality determination (not four business days of discovering the incident). The disclosure must describe the material aspects of the incident’s nature, scope, timing, and impact or reasonably likely impact.
While the four new cases do not deal directly with Item 1.05, they reflect, as the dissenters point out, an extremely broad view of the information that the Commission considers to be material regarding cyber security events. The finding in Mimecast that detail concerning exfiltrated percentages of specific types of source code should have been disclosed is especially striking. Avaya and Mimecast suggest that, in preparing Item 1.05 disclosure, it is safer to include technical details, rather than to present high-level conclusions about the nature and impact of a cyber event.
More generally, these cases highlight the risk of disclosure that seems to minimize or downplay the seriousness of a cyber incident. If the company concludes that an incident is material for purposes of Item 1.05, or otherwise warrants disclosure, it would be prudent not to state that its impact on the company will be limited or not adverse, absent concrete facts that irrefutably support that conclusion.
Escalation of Cyber Incidents to Senior Management.
Unisys is the latest in a series of cases the Commission has brought in which it charged companies with disclosure control violations because they did not have procedures in place to assure that cyber security personnel promptly bring cyber incidents to the attention of senior management with responsibility for disclosure. See Shoot the Wounded! SEC Charges that Inadequate Cybersecurity is an Internal Accounting Control Violation, July 2024 Update and The SEC is Zeroing in on Disclosure Controls, April 2023 Update. Audit committees may want to discuss with management whether the company’s disclosure controls include clear guidance concerning the circumstances in which cyber security staff should bring alerts or cyber incidents to the attention of those charged with making disclosure decisions.
Risk Factor Updating.
Check Point and Unisys, the two cases involving risk factor disclosure, also underscore the relationship between risk factor disclosure and disclosure controls and procedures. See ESG Meets Disclosure Controls in an SEC Enforcement Action, February-March 2023 Update. The SEC seems to take the position that the occurrence of an event described in a risk factor requires updating or revision of the risk factor. (This issue is currently before the U.S. Supreme Court in Facebook, Inc. v. Amalgamated Bank.) Managements and audit committees may want to consider whether the company has disclosure controls and procedures that capture and bring to senior management’s attention any event that could be viewed as within the scope of any of the company’s risk factors. If a risk is significant enough to be included in risk factor disclosure, there should be controls that ensure that information bearing on this risk comes to the attention of disclosure management so that consideration can be given to the need for additional or modified disclosure.