Reports began circulating earlier this year that federal regulators were looking into the behavior of some of the victim organizations of the high-profile SolarWinds data breach to see if what they disclosed to investors aligned with what they knew internally.
The targets of the investigation were not named at the time, but the tech industry got some answers this week when the U.S. Securities and Exchange Commission (SEC) fined four companies for making misleading statements in their public disclosures that downplayed the effects of the hack on their businesses.
To settle the cases, Unisys agreed to pay a $4 million fine, while Avaya will pay $1 million. Check Point Software was fined $995,000 and Mimecast $990,000. The regulators said that by holding back important information, the publicly traded companies further victimized shareholders who were already dealing with the fallout from the attack.
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
The investigations began soon after the SEC charged SolarWinds and its CISO, Timothy Brown, with misleading shareholders about the company’s cybersecurity practices in statements made both before and after the breach. Most of the charges were dismissed in July when a U.S. District Court judge ruled that they relied on hindsight and speculation.
Ripple Effects Continue
The ramifications of the attack on SolarWinds by a threat group linked to the Russian Foreign Intelligence Service (SVR) continue to reverberate four years later. The attackers inserted a backdoor into a legitimate, digitally signed update of the Austin, Texas-based company’s widely used Orion IT infrastructure monitoring platform, so downstream customers who installed the update through SolarWinds’ normal distribution channel unwittingly deployed the attackers’ code inside their own networks.
Nine federal agencies and thousands of organizations received the tainted update in an operation run for espionage: stealing information and spying on victims of interest. The attack – in which the intruders gained access to SolarWinds’ systems in late 2019 and used that access to push backdoored Orion releases to customers during 2020 – put a spotlight on the growing threat to the software supply chain and accelerated government efforts to impose stricter incident-disclosure requirements on public companies, including the SEC’s 2023 cybersecurity disclosure rules that require material incidents to be reported on Form 8-K within four business days of a materiality determination.
Minimized the Effects
According to the SEC, Unisys, Avaya, and Check Point learned in 2020 that the hackers had likely accessed their systems, while Mimecast received similar information a year later. Regulators found that Unisys executives, after learning the company had been breached, continued to describe its exposure to such attacks as hypothetical even while knowing that two SolarWinds-related intrusions had led to the exfiltration of gigabytes of data.
Avaya executives said the threat group had accessed a “limited number” of company emails despite knowing that at least 145 files in its cloud file-sharing environment had also been compromised. Check Point officials described the intrusions and their risks only in generic terms, and Mimecast failed to disclose the nature of the code the attackers exfiltrated and the number of encrypted credentials they had accessed.
“While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement.
A Wake-Up Call for Organizations, MSSPs
Keith McCammon, CTO of cybersecurity firm Red Canary, said the SEC’s actions should serve as a warning to organizations that have been hit with a cyberattack.
“The SEC is looking retroactively at major incidents such as the SolarWinds breach and imposing fines based on violations of long-standing rules,” McCammon said. “This underscores the importance of clear, honest, and timely disclosure of material cybersecurity incidents to all stakeholders.”
He said the fines against the companies should not be seen as a one-off. Instead, companies need to be ready to define clearly what a material cybersecurity incident means in the context of their business, with key stakeholders involved in setting both the materiality criteria and the response plan.
“We are starting to see more and clearer signals that the U.S. government at large – via the [U.S.] National Cybersecurity Strategy, CISA, and other agencies – will continue to push for legislation and enforcement as it relates to cybersecurity preparedness, compliance, and reporting,” McCammon said.
Guy Moskowitz, CEO of Coro Cybersecurity, which focuses on mid-market companies, noted that two of the companies fined – Check Point and Mimecast – are themselves cybersecurity vendors. If such companies lack a proactive approach to security measures and a strong incident response capability, he said, they are not only vulnerable but also abdicating their responsibilities to users.
That message also applies to service providers.
The fines “offer a reminder for MSPs and MSSPs to remain vigilant in securing their supply chain and monitoring the security practices of their partners,” Moskowitz told MSSP Alert. “Detecting anomalies early in the attack lifecycle is vital. Most importantly, service providers need to prioritize communication and transparency with their clients.”
He added that if they don’t embrace the duty and trust they hold as providers, “MSPs and MSSPs may find themselves in the same position as Check Point and Mimecast.”