Ropes & Gray Discusses SEC Settlements With Four Issuers in Cybersecurity-Disclosure Cases

On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements concern the issuers’ disclosures relating to cybersecurity risks and intrusions following the December 2020 SUNBURST cybersecurity incident, which affected customers of SolarWinds’ Orion software. Alleging that the issuers “negligently minimized” the impacts of the breach, the SEC levied civil monetary penalties ranging from $990,000 to $4 million. Each settled order credits the issuers with cooperating in the SEC’s investigation. A dissent by Commissioners Hester Peirce and Mark Uyeda criticizes the majority for playing “Monday morning quarterback.”

As the first cybersecurity-related settlements of the agency’s new fiscal year, these cases illustrate the SEC’s continued focus on disclosure of cyber incidents. In the previous fiscal year, the SEC settled with R.R. Donnelley & Sons Company for alleged disclosure and internal control failures following a ransomware attack. And in 2023, the SEC charged SolarWinds and its Chief Information Security Officer for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities – although that case was significantly cut back by the district court following the defendants’ motion to dismiss, which included dropping the internal controls charges.1 There has also been further implementation of the SEC’s rules requiring public companies to disclose material cybersecurity incidents and information regarding their cybersecurity risk management, strategy, and governance, which took effect in December 2023. (Ropes & Gray covered these rules in detail here). As such, this year is likely to be another active one for the Enforcement Division’s Crypto Assets and Cyber Unit.

The SEC’s Enforcement Actions

The settlements each include charges, on a no-admit, no-deny basis, under Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, based on the companies’ allegedly negligent material misstatements regarding cybersecurity risks and intrusions. In addition, the orders charge violations of the periodic reporting requirements of Section 13(a) of the Securities Exchange Act of 1934 and Rule 12b-20 thereunder and, as to Avaya, Rule 13a-13 (relating to Form 10-Q); as to Check Point, Rule 13a-1 (relating to annual reports); as to Mimecast, Rule 13a-11 (relating to Form 8-K); and as to Unisys, Rules 13a-1 and 13a-15(a), the latter relating to disclosures controls.

As to Unisys, the SEC’s order – which imposes a penalty of $4 million — alleges that in December 2020, Unisys identified a computer in its network with a version of the Orion software. Compromises of Unisys’s systems had allegedly taken place over a combined span of 16 months, accessing several parts of the corporate network and non-customer facing cloud environment, including network credentials, cloud-based accounts, 27,000 emails, and 130 shared files, in addition to the exfiltration of 7GB of data. According to the order, Unisys filed two annual reports with the SEC, framing the risks from cybersecurity events as hypothetical, despite knowledge of the compromise and of an additional ransomware incident. The order also finds that Unisys lacked effective controls around escalation of potentially material cyber incidents to senior management and to disclosure decision-makers.

The settlement with Avaya, which involved a $1 million penalty, pertained to a single Form 10-Q. The SEC alleged that two servers, segmented from Avaya’s corporate network, had installations of Orion software, and that the same threat actor had, through other means, compromised the company’s cloud email and sharing environment as early as January 2020, allegedly accessing shared files with sensitive company information. Avaya’s Form 10-Q identified the cybersecurity incident and stated that there was “no current evidence of unauthorized access to our other internal systems.” According to the order, this disclosure omitted the likely attribution of the activity to a nation-state threat actor, the unmonitored presence of the threat actor, and the access to shared files with confidential information.

Regarding Check Point, the SEC’s order alleges that in December 2020, the company identified two servers on its network that had versions of Orion software. Soon after, a third-party vendor also notified Check Point of potential unauthorized activity. The company commenced an internal investigation that revealed that two corporate accounts had been compromised and that the threat actors had attempted to move laterally in the corporate environment. Two Forms 20-F filed by Check Point however contained nearly the same disclosures as in prior public filings, according to the order. Imposing a $995,000 penalty, the SEC found that the disclosures omitted new material cyber risks resulting from the compromise.

The settlement with Mimecast, which included a $990,000 penalty, pertained to allegedly misleading Forms 8-K. The order alleges that in December 2020, Mimecast identified computers in its network with installations of Orion software. In January 2021, the company allegedly learned that a threat actor exfiltrated a Mimecast-issued authentication certificate used by approximately 10% of its customers and compromised certain customers’ cloud platforms, as well as gaining access to a database with tens of thousands of customers’ encrypted credentials and server and configuration information. According to the order, Mimecast’s Forms 8-K discussing the compromise failed to disclose the number of customers whose credentials were accessed and the nature and significance of the exfiltrated source code.

Commissioners Hester M. Peirce and Mark T. Uyeda Dissent

Commissioners Peirce and Uyeda dissented from the settlements, writing that “[t]he common theme across the four proceedings is the Commission playing Monday morning quarterback. Rather than focusing on whether the companies’ disclosure provided material information to investors, the Commission engages in a hindsight review to second-guess the disclosure and cites immaterial, undisclosed details to support its charges.” The dissenting commissioners noted aspects of each of the orders where they disagreed that the omitted information was material, or where they disputed that additional detail would have been useful in the issuers’ risk disclosures – also noting that allegations regarding cybersecurity risk disclosures in the SEC’s pending enforcement action against SolarWinds were dismissed by the district court.

Key Takeaways

While the settled orders vary in their allegations as to what information each company is alleged to have omitted, each demonstrates a stringent, hindsight parsing of the issuers’ cyber-related disclosures concerning these incidents. None appear to describe effects from the SUNBURST incident on the issuers that caused appreciable harm to the companies’ shareholders. Moreover, at the time of the allegedly omissive disclosures, extensive information had been reported publicly concerning the SolarWinds compromise, including given the US government’s inquiries concerning the threat actor.

These actions further signal that disclosures made under the SEC’s recently-enacted rules for public companies’ disclosures of cyber incidents may bear equally exacting scrutiny – particularly around the nature and the degree of the details regarding a breach, as well as whether accompanying risk disclosures remain accurate. Navigating this disclosure obligation in the context of a cyber intrusion – particularly one that is ongoing, the origin of which is unknown – has been identified as among the thorniest challenges of the new SEC disclosure rule. Issuers must consider carefully when and how to disclose material cybersecurity incidents and ensure that they implement and maintain related disclosure controls. Though enforcement focus and rulemaking in this space may be in flux given recent challenges to the SEC’s rulemaking authority and the upcoming U.S. election, public companies and others should continue to closely monitor this space.

ENDNOTE

  1. SEC v. SolarWinds Corp. and T. Brown, 1:23-cv-09518-PAE (S.D.N.Y. July 18, 2024).

This post come to us from Ropes & Gray LLP. It is based on the firm’s memorandum, “SEC Announces Settlements with Four Issuers regarding Cybersecurity Disclosures,” dated October 31, 2024, and available here.

Leave a Reply

Your email address will not be published. Required fields are marked *