SEC Dings SolarWinds Victims for Cybersecurity Disclosures
Last month, the Securities and Exchange Commission settled four enforcement actions against current and former publicly traded companies for making what it deemed “materially misleading” cybersecurity risk disclosures.
The cases could all be traced back to the same cause: The infamous SolarWinds software hack. Believed to have been orchestrated by Russian intelligence agencies, the hack consisted of inserting malware into the SolarWinds Orion software, a platform for managing networks and information technology systems that has been used by tens of thousands of companies, government agencies and nonprofit organizations around the world. The hackers apparently evaded detection for more than a year before anyone caught on to the security breach in 2020.
The SEC objected to how SolarWinds handled its own public disclosures related to the breach, tagging the company and the vice president of its information security group with an enforcement action in 2023. However, a federal judge in 2024 tossed out some of the key allegations against SolarWinds, which included charges of making misleading disclosures about its cybersecurity programs and maintaining faulty internal controls.
The SEC then turned its attention to some of the companies affected by the hack – but for different reasons. In the cases of Avaya Holdings Corp. and Mimecast Limited, the agency said both omitted important information about the incident. According to the SEC, Avaya failed to disclose “the likely attribution of the activity to a nation-state threat actor, the long-term unmonitored presence of the threat actor in Avaya’s systems, the access to at least 145 shared files some of which contained confidential and/or proprietary information, and the fact that the mailbox the threat actor accessed belonged to one of Avaya’s cybersecurity personnel.” Meanwhile, Mimecast left out details in its disclosures about the scope and impact of the hack, the agency contended.
On the other hand, the SEC took exception to the quality of the disclosures made by Check Point Software Technologies Ltd. and Unisys Corp. regarding the risk factor of cybersecurity threats. Specifically, the commission said the disclosures were too “generic,” describing intrusions as hypothetical risks when the companies already knew they had been hit. And in a sign of just how nitpicky the SEC is getting, Check Point’s cybersecurity disclosures were challenged because the company said attempts to hack its systems had not “resulted in any material adverse impact to [its] business or operations.” On the contrary, the SEC said, Check Point’s cybersecurity risks had increased because of the SolarWinds breach, and its boilerplate disclosure did not say so.
The enforcement actions drew customary dissents from Republican-appointed commissioners Hester Peirce and Mark Uyeda, who took the SEC to task for what they viewed as the agency “playing Monday morning quarterback.” But despite that pushback and the setback in the SolarWinds litigation, the agency seems resolved to continue rigorous enforcement of the rules governing cybersecurity disclosures.
Issuers, consider yourselves warned.