SolarWinds downplayed: penalties for Check Point, Unisys, Avaya, Mimecast
The espionage operation via SolarWinds damaged many companies. Not all of them took their disclosure duties to shareholders seriously. Now it is costing them.
Caught cheating!
(Image: Jean-Etienne Minh-Duy Poirrier)
"Downplaying the extent of major IT security breaches is a bad strategy." This is what Jorge G. Tenreiro of the US Securities and Exchange Commission (SEC) writes to listed companies. The agency has just penalized Unisys, Avaya, Check Point and Mimecast for downplaying the impact of attacks via SolarWinds' Orion. Tenreiro is the acting head of the Securities and Exchange Commission's Crypto Assets and Cyber Unit (CACU).
Suspected Russian state hackers managed to compromise SolarWinds' Orion platform in 2019 and smuggle a Trojan into official updates. SolarWinds sells network and security products that were used by more than 300,000 customers worldwide at the time, including many Fortune 500 companies and government agencies such as the US military, the Pentagon and the State Department. By installing the updates, their systems were compromised from March 2020 onward. FireEye discovered the backdoors at the end of 2020. In February 2021, Microsoft President Brad Smith spoke of the "largest and most sophisticated attack the world has ever seen".
Unisys has to pay the highest fine, four million US dollars, because the authority found a further failing there: internal oversight of the legally required disclosures to shareholders, creditors and potential investors was deficient. According to the SEC, this is partly to blame for Unisys describing its IT security risks as purely hypothetical, even though the SolarWinds intruders had gained access to Unisys systems and exfiltrated data not once but twice.
Avaya pays one million dollars. The company, which specializes in unified communications services, admitted that the perpetrators had accessed a "limited number of company emails". However, Avaya omitted to mention that the intruders had also tampered with at least 145 files in a cloud-based file sharing service.
"Half-truths forbidden"
Check Point Software Technologies and Mimecast must each pay just under one million dollars. Check Point, an Israeli-American IT security company, was aware of successful intrusions into its systems. Nevertheless, it described intrusions and their risks only in general terms instead of speaking plainly. Mimecast did disclose an attack, but made its impact look smaller than it was. The company is based in Jersey and provides email management for Google and Microsoft cloud services. According to the SEC's findings, Mimecast should have disclosed which source code the perpetrators copied and the extent to which they obtained encrypted access credentials.
The penalties are based on violations of US capital market law and could have been significantly higher. However, the four IT companies cooperated with the SEC, voluntarily supported the investigation with analyses and presentations, and took measures of their own accord to improve their IT security. They also accepted the penalties and the injunctions, with their attached conditions.
It is not the intrusions themselves that are the reason for the penalties, but their inadequate disclosure. When "publicly traded companies become targets of IT attacks, they must not further victimize their shareholders and other members of the investing public by making misleading disclosures about the IT security incidents that have occurred," emphasizes Sanjay Wadhwa, Acting Chief of the SEC's Enforcement Division. "U.S. securities law prohibits half-truths," adds Tenreiro, "and there is no exception for risk factor disclosures."
The SEC's case numbers are 3-22272 (Unisys), 3-22269 (Avaya), 3-22270 (Check Point) and 3-22271 (Mimecast).
- SEC decision on Unisys
- SEC decision on Avaya
- SEC decision on Check Point Software Technologies
- SEC decision on Mimecast
(ds)