On Tuesday, the SEC announced settled charges against four companies for “making materially misleading disclosures regarding cybersecurity risks and intrusions.” The charges against the companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd and Mimecast Limited, all resulted from an investigation of companies “potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.” (See this PubCo post and this PubCo post.) According to law.com, the SEC “began issuing sweep letters to potential SolarWinds hack victims back in 2021.” The SEC charged that each of these companies learned that the “threat actor” that was probably behind the SolarWinds hack had “accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.” In two instances, the companies were alleged to have framed their disclosures as hypothetical or generic risks. Unisys was also charged with a disclosure controls violation. According to Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, “[a]s today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered….Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.” Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, cautioned that “[d]ownplaying the extent of a material cybersecurity breach is a bad strategy….In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized.
The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.” The companies were each charged with violations of the Securities Act, the Exchange Act and related rules, and agreed to pay civil penalties ranging from $990,000 (Mimecast) to $4 million (Unisys). Commissioners Hester Peirce and Mark Uyeda dissented, contending that the SEC “needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one.”
The Orders are discussed briefly below:
Unisys. The SEC alleged that Unisys, a “provider of technical and enterprise IT services and solutions to large commercial enterprises and public sector entities,” negligently made misleading disclosures regarding cybersecurity risks and events and violated requirements for disclosure controls and procedures.
According to the SEC, in December 2020, Unisys identified an infected version of the SolarWinds software that had been loaded on at least one of its network computers. The company subsequently learned that the threat actor was likely associated with a nation-state, reportedly the Russian Federation.
Over the next 16 months, as alleged, the company received several notifications that the threat actor engaged in persistent unauthorized activity, including accessing and compromising numerous accounts (some with administrative privileges), transferring large amounts of data to and from the network and accessing the contents of numerous “cloud-based mailboxes, including [those of] high-level IT personnel and a Chief Information Officer for the company’s then federal government business.” The SEC claimed that “Unisys was aware that its investigations of the compromise involved significant gaps in its ability to identify the full scope of the unauthorized activity due to the lack of availability of the forensic evidence.” In addition, the SEC charged, Unisys was slow in reviewing the accessed messages and shared files, even as “the threat actor exploited information obtained in 2020.” The SEC claimed that “Unisys’s policies did not include adequate escalation procedures in the event of a cybersecurity incident, and Unisys cybersecurity personnel did not report this activity to senior management.” In April 2023, “Unisys received yet another notification of unauthorized activity by likely the same threat actor,” but, this time, the company’s “cybersecurity personnel reported this activity to senior management the same day they received the notification.”
But, when the company filed its Forms 10-K in 2021 and 2022, the SEC charged, it “negligently framed risks from cybersecurity events as hypothetical despite the company’s awareness of the SolarWinds Compromise-related activity, thereby rendering these disclosures materially misleading.” Moreover, as alleged, the disclosures were substantially unchanged from the prior year, before the discovery of the unauthorized activity.
In a separate 2022 incident, the SEC also charged that Unisys’s internal cybersecurity systems issued at least 10 alerts about the activity of password-stealing ransomware on seven computers, but company personnel erroneously believed that the malware had been quarantined and failed to investigate the activity for almost a week. The company “discovered that its endpoint detection and response system was not set up properly to automatically send alerts” as required by the company’s policies and procedures. After the ransomware event, the company filed a Form 8-K disclosing a material weakness in both its “disclosure controls and procedures and internal control over financial reporting related to the design and maintenance of effective formal policies and procedures over information being communicated by the IT function and the legal and compliance function to those responsible for governance to allow timely decisions related to both financial reporting and other non-financial reporting.” The company also took steps to remediate the control deficiencies.
The SEC contended that the company’s risk disclosures were hypothetical and, in failing to provide specific information about the incident, materially misleading. Given its customer base, “Unisys’s information and data were of great interest to state-sponsored cyber threat actors, such as the threat actor likely behind the SolarWinds Compromise.” Moreover, its ability to protect information “was critically important to its reputation and ability to attract and retain customers and to investors.” According to the Order, the threat actor’s unauthorized activity changed Unisys’s cybersecurity risk profile materially—the implication being that its risk factors should have been updated as a result—because “(1) a persistent and reportedly nation-state supported threat actor compromised the company’s environment; (2) the threat actor persisted in the environment unmonitored for a combined span of at least sixteen months; and (3) the company’s investigation of the activity suffered from gaps that prevented it from identifying the full scope of the compromise.”
In addition to charges of misleading disclosure, the SEC also charged disclosure control violations, alleging that “Unisys’s cybersecurity personnel failed to report the 2020 and 2021 activity to disclosure decision-makers until a year after discovering it, and the 2022 extortion incident until the hackers’ public statement. At the time of these events, Unisys did not maintain effective controls requiring escalation of potentially material incidents to senior management and disclosure decision-makers. At the same time, Unisys did not have controls and procedures designed to ensure that its disclosure decision-makers reviewed cybersecurity incident information in Unisys’s possession in order to determine which information about the incident may be required to be disclosed in Commission filings.”
The SEC charged that Unisys violated Securities Act Sections 17(a)(2) and (a)(3), Exchange Act Section 13(a) and Rule 12b-20 (regarding its Form 10-K) and Rule 13a-15(a) (regarding its disclosure controls). Unisys agreed to pay a civil penalty of $4 million.
Check Point. As with Unisys, the SEC’s order against Check Point charged that the company was aware of the “intrusion but described cyber intrusions and risks from them in generic terms.” As alleged, Check Point had identified two servers on its network running the compromised version of the SolarWinds Orion software, which allowed for unauthorized activity on the affected computers and their networks. The SEC claimed that Check Point’s risk factor disclosures were generic and unchanged from the prior year, before discovery of the unauthorized activity. Check Point agreed to pay a $995,000 civil penalty.
Mimecast. Mimecast, a “provider of cloud security and risk management services for email and corporate information,” was alleged to have “minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.” According to the Order, in December 2020, Mimecast learned that some of its network computers had installations of the compromised SolarWinds Orion software. In January 2021, after an investigation, the SEC charged, Mimecast learned that “the threat actor exfiltrated a Mimecast-issued authentication certificate used to connect Mimecast to Microsoft and compromised five customers’ cloud platforms using the stolen certificate,” in addition to accessing internal email, authentication codes, an encrypted database containing customer credentials and customer server and configuration information.
According to the Order, the company filed several Forms 8-K, including disclosure of the compromise of an authentication certificate, which affected about 10% of the company’s users, disclosure that “a low single digit number of [its] customers’ M365 tenants were targeted,” and disclosure that the incident was related to SolarWinds and that the culprit was the same sophisticated threat actor, which “accessed, and potentially exfiltrated, certain encrypted service account credentials.” A Form 8-K filed about two months later disclosed the final results of the investigation, stating in part: “the evidence showed that this certificate was used to target only the small number of customers . . .” The SEC alleged that the company “negligently omitted a number of material aspects of the Compromise, including information regarding the large number of impacted customers and the percentage of code exfiltrated by the threat actor.” In particular, the company “failed to report that the threat actor had accessed a database containing encrypted credentials for approximately 31,000 customers and server and configuration information for approximately 17,000 customers. The disclosures further omitted the material information that the threat actor gained access to tens of thousands of customers’ credentials as part of the Compromise, representing the majority of its customers.”
As alleged, the company also disclosed in a Form 8-K that the threat actor accessed and downloaded some of the company’s source code, which Mimecast described as “incomplete and…insufficient to build and run any aspect of the Mimecast service” and involving a “limited number” of code repositories. But the SEC claimed that the disclosure omitted that, while the exfiltrated code “represented a small portion of Mimecast’s complete product code,” the threat actor had exfiltrated the majority of the source code for “exgestion,” authentication and interoperability. These were functions important to the security of Mimecast’s overall service offering and material to Mimecast’s investors. According to the Order, “Mimecast negligently created a materially misleading picture of the Compromise, providing quantification regarding certain aspects of the Compromise but not disclosing additional material information on the scope and impact of the incident.”
According to Axios, a “Mimecast spokesperson said in a statement the company believes it complied with the disclosure requirements it was facing at the time of the incident. ‘Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected,’ the person said.”
The SEC charged that the company violated Section 17(a)(2) and (a)(3) of the Securities Act and Section 13(a) of the Exchange Act and related Rule 13a-11 and Rule 12b-20. Mimecast agreed to pay a civil penalty of $990,000.
Avaya. Similarly, the SEC’s order charged that Avaya identified two servers that had installations of the compromised SolarWinds Orion software, which allowed for unauthorized activity on the affected servers and their networks. The Order charged that Avaya “minimized the compromise and omitted material facts known to Avaya personnel regarding the scope and potential impact of the incident,” stating that the threat actor had accessed a “limited number of [the] Company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment. Avaya agreed to pay a civil penalty of $1 million.
Dissenting statement. In their quite lengthy and detailed dissenting statement, Peirce and Uyeda railed against the SEC’s approach to SolarWinds: bringing charges against victims of the cyberattack over omission of disclosure that the dissenters considered immaterial. According to the statement, the “common theme across the four proceedings is the Commission playing Monday morning quarterback. Rather than focusing on whether the companies’ disclosure provided material information to investors, the Commission engages in a hindsight review to second-guess the disclosure and cites immaterial, undisclosed details to support its charges.”
That was not the dissent’s only theme. Another seemed to be that, because the information that the SEC claimed was negligently omitted from the disclosures was not even material, penalizing a company for omitting it was effectively regulation by enforcement. For example, the SEC claimed that Avaya’s failure to identify the threat actor was material information. But, the dissenters point out, in the course of the SEC’s cybersecurity disclosure rulemaking, “neither investors nor the Commission expressed a view that the identity of the threat actor is material information…. When adopting the 2023 Cybersecurity Rule, the Commission stated that disclosure of cybersecurity incidents should ‘focus…primarily on the impacts of…[the]…incident, rather than on…details regarding the incident itself.’ The identity of the threat actor, while an obvious ‘detail…regarding the incident,’ lacks a clear link to the ‘impact’ of the incident. By using a settled proceeding to convey the view that this information is material, the Commission regulates by enforcement.” The other omitted information also belongs in the “details” category, they argued.
In some cases, they contended, whether omitted information was material depended on the context. In the case of Mimecast, for example, “[w]here the compromised information consists of a large percentage of customer credentials, disclosure of such fact can be material.” The SEC had charged that, while the company disclosed that the threat actor had exfiltrated a “limited number” of its source code repositories, that disclosure was materially misleading because the code exfiltrated represented the majority of the source code for those three areas. The dissenters, however, were “doubtful that a reasonable investor would understand how exfiltration of such precise percentages of those three types of source code affects Mimecast. Similar to the Avaya case, such information is ‘details regarding the incident itself’ that do not need to be disclosed. For us, the material disclosure by Mimecast is that the cyberattack did not result in modifications of the company’s source code or have effects on its products.” The dissenters also made the point that Mimecast had filed three Forms 8-K, including a three-page incident report, before the cybersecurity disclosure requirements even went into effect. But instead of being rewarded for its efforts, the company was charged.
In this context, the dissenters expressed concern that companies preparing Item 1.05 disclosures on Form 8-K could reasonably conclude, based on these cases, that the SEC “will evaluate their Item 1.05 disclosure with a hunger for details that runs contrary to statements in the adopting release,” and respond by adding all kinds of immaterial details to their disclosure or by filing under Item 1.05 for immaterial incidents. The SEC recognized in the rule release that “immaterial disclosure about cybersecurity incidents may ‘divert investor attention’ and result in ‘mispricing of securities,’” but this enforcement action, they contend, could undermine the objective implicit in that statement.
The dissenters then turned to the theme of hypothetical or generic risk factors, using the court’s decision in the SEC’s case against SolarWinds as a template. In the SolarWinds case, the SEC had contended that SolarWinds’ “risk factor was ‘unacceptably boilerplate and generic,’” but the court performed a detailed review of the disclosure and rejected the argument, concluding that “‘[v]iewed in totality, [such] disclosure was sufficient to alert the investing public of the types and nature of cybersecurity risks SolarWinds faced and the grave consequences these could present for the company’s financial health and future.’” Performing a side-by-side comparison of the Check Point risk disclosure against that of SolarWinds, together with the court’s conclusion that the SolarWinds provisions were not generic, the two Commissioners suggested that the risks described by both companies were arguably similar as disclosed and, as a result, the SEC’s contention “merits cautious consideration.”
With regard to Unisys, the two Commissioners did not support the charges, maintaining that “the case against Unisys is one that did not need to be brought.” The dissenters challenged the SEC’s contention that the hypothetical risk factors were problematic. In particular, they took issue with the three reasons given by the SEC that the company’s risk profile had changed materially as a result of the incident. First, they disagreed that the fact that a “reportedly nation-state supported threat actor compromised the company’s environment” was necessarily material. That the threat actor persisted for 16 months in the environment may be concerning, the dissenters argued, but the SEC did not explain why, from a securities law perspective, the information was material, particularly in the absence of a finding of an adverse effect on financial results or reputation. As to the weaknesses in the company’s investigation, the dissenters did not see “how an after-the-fact investigation of a cybersecurity incident affects the materiality of the incident itself” or how a “subpar investigation relates to adverse effects on the company.”
With regard to the SEC’s approach to hypothetical risk factors in general, the two Commissioners offered this caution:
“Risk factors are designed to warn investors about events that could occur and materially affect the company. To the extent that an event has occurred and has materially affected the company, it is generally required to be disclosed in another part of a filing, such as the description of the business, management’s discussion and analysis, or the financial statements and notes thereto. Whether risk factors need to be updated because certain hypothetical risks have materialized is not always a straightforward matter, [noting here that SCOTUS is considering this issue in a pending case], and the Commission should be judicious in bringing charges in this area. If the Commission does not exercise restraint, it could find a violation in every company’s risk disclosure because risk factors cover a wide range of topics and are inherently disclosure of hypothetical events. Aggressive enforcement by the Commission may cause companies to fill their risk disclosures with occurrences of immaterial events, for fear of being second-guessed by the Commission. Such a result would frustrate the Commission’s goal of preventing a lengthy risk factor section filled with immaterial disclosure.”
In their conclusion, the two dissenters contended that “[c]ybersecurity incidents are one of a myriad of issues that most companies face. The Commission needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one. Yes, the Commission must protect investors by ensuring that companies disclose material incidents, but donning a Monday morning quarterback’s jersey to insist that immaterial information be disclosed—as the Commission did in today’s four proceedings—does not protect investors. It does the opposite.”