SEC Imposes Nearly $7.99M in Penalties on Unisys, Avaya, Check Point, and Mimecast for Misleading Cybersecurity Disclosures

Unisys Corp. Among Firms Penalized for Cybersecurity Reporting Failures

The Securities and Exchange Commission (SEC) has taken decisive action against four prominent companies—Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited—for making materially misleading disclosures about their cybersecurity risks and intrusions. This enforcement highlights the SEC’s commitment to ensuring transparency and accuracy in cybersecurity reporting.


Overview of SEC Charges

On October 22, 2024, the SEC announced charges against the aforementioned companies for failing to provide accurate and comprehensive information regarding cybersecurity incidents. These violations are particularly concerning as they relate to the compromise of SolarWinds’ Orion software, a significant cybersecurity breach that affected numerous organizations worldwide.


Penalties Imposed

To settle the charges, each company has agreed to pay the following civil penalties:

  • Unisys Corp.: $4 million
  • Avaya Holdings Corp.: $1 million
  • Check Point Software Technologies Ltd.: $995,000
  • Mimecast Limited: $990,000

Additionally, Unisys Corp. faces charges related to violations of disclosure controls and procedures, underscoring the severity of its reporting failures.


Details of the Misleading Disclosures

The SEC’s investigation revealed that:

  • Unisys Corp. minimized the impact of two SolarWinds-related intrusions, inaccurately portraying the risks as hypothetical despite substantial data exfiltration.
  • Avaya Holdings Corp. understated the extent of unauthorized access, initially reporting only a limited number of email messages compromised, while over 145 files in its cloud environment were affected.
  • Check Point Software Technologies Ltd. provided generic descriptions of cyber intrusions without detailing the specific threats faced.
  • Mimecast Limited failed to disclose the nature and volume of the code exfiltrated and the number of encrypted credentials accessed by the threat actor.

These actions violated several provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, leading to the imposed penalties.


Implications for Cybersecurity Reporting

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, emphasized the importance of accurate cybersecurity disclosures. “Public companies must provide truthful information about cybersecurity incidents to avoid misleading investors and the public,” Wadhwa stated.

Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, added, “Downplaying the extent of a material cybersecurity breach is a bad strategy. Federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”


Strengthening Cybersecurity Controls

As part of the settlement, each company has committed to enhancing its cybersecurity controls and improving its disclosure practices. This includes:

  • Unisys Corp.: Addressing deficient disclosure controls and procedures.
  • Avaya Holdings Corp.: Providing more detailed and accurate reports of cybersecurity incidents.
  • Check Point Software Technologies Ltd.: Offering specific information about cyber threats and breaches.
  • Mimecast Limited: Transparently disclosing the nature and scope of cyber intrusions.


Conclusion

The SEC’s actions against Unisys, Avaya, Check Point, and Mimecast underscore the critical need for transparency in cybersecurity reporting. Investors and the public rely on accurate disclosures to make informed decisions, and misleading information can have severe repercussions. Companies must prioritize robust cybersecurity measures and honest reporting to maintain trust and comply with regulatory standards.

For more detailed information, visit the SEC's official press release on this matter.


About TRaViS

TRaViS is dedicated to providing the latest insights and updates on cybersecurity, regulatory compliance, and technology trends. Stay informed with our comprehensive coverage and expert analysis to navigate the evolving digital landscape.
