Fines Imposed on IT Firms for Downplaying SolarWinds Breach
In a significant enforcement action, the U.S. Securities and Exchange Commission (SEC) has fined four IT firms for allegedly downplaying the severity of security breaches linked to the compromise of SolarWinds' Orion platform. The SEC's stated aim is to deter publicly traded companies from misleading shareholders about cybersecurity incidents. The penalties were announced amid continuing concern about the broader fallout of the SolarWinds hack, which came to light in December 2020.
The Breach and Its Fallout
In 2019, Russian state-sponsored hackers gained access to the build environment of SolarWinds, a company known for its network and security products, and implanted a Trojan (the backdoor later named SUNBURST) in legitimate updates of its Orion platform. Customers who installed the tampered updates included many Fortune 500 companies, the U.S. military, including the Pentagon, and other government agencies. Systems were compromised as early as March 2020, when the poisoned updates began shipping, yet the intrusion went undetected until FireEye discovered it in December 2020. Microsoft President Brad Smith described it as "the largest and most sophisticated" cyberattack ever.
Penalties for Inadequate Disclosures
The SEC has taken action against Unisys, Avaya, Check Point Software Technologies, and Mimecast, penalizing them for insufficient disclosure of the breaches' impact. Unisys faces the steepest fine, $4 million, for inadequate internal controls over its mandatory disclosures to shareholders and for characterizing its security risks as merely hypothetical even after it knew its systems had been breached.
Avaya has been fined $1 million for failing to disclose the full extent of the attacker's data access: it reported only that emails had been compromised, omitting the unauthorized access to 145 files in its cloud-based file-sharing environment. Check Point and Mimecast, each fined just under $1 million, gave incomplete accounts of the intrusions. Mimecast, for instance, understated the nature of the source code and the number of encrypted credentials that had been exfiltrated.
SEC's Strict Stance on Transparency
The SEC emphasized that misleading the public about cybersecurity incidents is unacceptable. Sanjay Wadhwa, acting director of the SEC's Division of Enforcement, stated that publicly traded companies must not mislead investors with half-truths, and Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit, warned against sanitizing disclosures about IT security risks.
While the fines could have been more severe, all four companies cooperated with the SEC, providing voluntary analyses and presentations, and agreed to improve their cybersecurity controls. Without admitting or denying the findings, they accepted the penalties and cease-and-desist orders, which carry additional conditions intended to prevent repeat violations.
Find more details in the original article from Heise Online.