This week, the Securities and Exchange Commission (SEC) charged four public companies for alleged deceptive cyber disclosures: Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited. The companies agreed to pay civil penalties to settle the SEC’s charges as follows:

  • Unisys, $4 million
  • Avaya, $1 million
  • Check Point, $995,000
  • Mimecast, $990,000

These penalties and settlements come after an SEC investigation into public companies that were potentially affected by the SolarWinds Orion software compromise. The SEC alleged that although each company learned of unauthorized access to its systems as a result of the SolarWinds Orion attack, each negligently minimized the effects of the cybersecurity incident in its public disclosures. Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, said, “As [these] enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered. Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

The SEC’s orders found that each company violated provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules.

A few key takeaways from these settlements:

  • Cybersecurity is still an SEC enforcement priority;
  • Disclosure and escalation procedures are vital;
  • The SEC will be aggressive in pursuing negligence-based fraud charges related to cyberattacks; and
  • Be prepared: have an incident response procedure and a disclosure policy in place before an incident occurs.
Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.