SEC Hits Four Cos. on Cyber
The Securities and Exchange Commission sanctioned four companies this week for poor disclosure of cybersecurity incidents they suffered, the latest reminder from the agency that it expects companies to be more forthcoming with investors about the cyber issues they have.
The sanctions were announced Tuesday against four companies, all of which made inadequate or misleading disclosures about breaches they suffered in 2020 or 2021 from the SolarWinds cyber attack. That attack, launched by Russia, planted spyware in software that IT services firm SolarWinds provided to its corporate customers. Thousands of corporations, colleges, and government agencies were affected.
The four companies cited today all agreed to pay civil monetary penalties to settle the cases (although without admitting or denying the SEC’s charges, of course). They are:
- Unisys, $4 million civil penalty;
- Avaya, $1 million civil penalty;
- Check Point, $995,000 civil penalty;
- Mimecast, $990,000 civil penalty.
Unisys had to pay a considerably higher fine because the SEC also found that the company (a government contractor and IT services firm with $2 billion in annual revenue) had deficient disclosure controls.
“While public companies may become targets of cyberattacks, it’s incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, said in a statement.
Compliance officers, CISOs, and SEC reporting teams should take note here. The SEC adopted new rules in 2023 for expanded disclosure of cybersecurity risks and “material cybersecurity incidents,” and figuring out what that means in practice has been a bear ever since. The agency has filed other enforcement actions over poor cyber disclosures from time to time, and last year even filed a lawsuit against SolarWinds for poor disclosures related to that 2020 attack. Over the summer a federal judge allowed the disclosure issues in that case to proceed, so clearly getting this stuff wrong can bring expensive consequences.
The Unisys Incident
Let’s take a close look at the Unisys settlement since it’s the largest and involves deficient disclosure controls and processes. The SEC settlement order for that case paints quite a picture.
The company’s troubles began in December 2020, when IT personnel discovered infected SolarWinds software on a Unisys computer. Subsequent investigations by Unisys personnel and an outside consultant found two more computers that had malware installed, although not the SolarWinds software. The consultant recommended a deeper forensic analysis, but Unisys decided not to undertake one.
So far, not so good. Then came worse news: Unisys personnel discovered later that same month that those same Russian-backed hackers had actually cracked into Unisys networks in February 2020 even before they penetrated the company later that year via the contaminated SolarWinds software. By August 2021, Unisys had credible information that the hackers were back again, infiltrating various accounts, IT systems, email messages, and cloud-based files.
All told, Unisys suffered multiple attacks by the same hacking group for 16 months in 2020 and 2021. The company knew the hackers had gained access to specific systems and had absconded with at least 7 gigabytes of data.
In Unisys’ annual reports for those two years, however, the company only described the risks from cyber attacks in hypothetical terms:
cyberattacks “could… result in the loss… or the unauthorized disclosure or misuse of information of the company” and that “if our systems are accessed without our authorization … we could … experience data loss and impediments to our ability to conduct our business, and damage the market’s perception of our services and products.” (Emphasis added.)
We have two points to ponder here. First, multiple attacks by a single threat actor are precisely the sort of material cybersecurity incident the SEC has in mind for disclosure. That scenario is expressly mentioned in the SEC’s cyber disclosure rule: a string of individually immaterial incidents can become material, such as when an attacker “engages in a number of smaller but continuous related cyberattacks against the same company.”
Second, disclosing cyber incidents in hypothetical terms when the company knows an attack has caused actual harm really ticks off the SEC. The agency has fined companies for years for that bad habit, even before adopting its enhanced disclosure rules in 2023.
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” Jorge Tenreiro, acting chief of the SEC’s cyber and crypto unit, said in a statement. “In two of these cases” — Unisys being one of them — “the relevant cybersecurity risk factors were framed hypothetically or generically, when the companies knew the warned-of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
The Role of Disclosure Processes
OK, so Unisys (and the other three offending companies) flubbed its disclosure externally, to investors — but that only happened because the company flubbed its disclosure internally, from the cybersecurity team handling the attacks to the disclosure team in charge of passing along material information to investors.
Those internal failures were rooted in poor policy and procedure. Specifically, the SEC order says, “Unisys’s incident response policies did not reasonably require cybersecurity personnel to report information to Unisys’s disclosure decision makers and contained no criteria for determining which incidents or information should be reported outside the information security organization.”
That’s the issue CISOs and SEC reporting teams need to unpack at their own organizations. Have you defined a process to evaluate cyber incidents, so that the security team will know when it has a potentially material incident on its hands and the disclosure team should be alerted? Does that process have precise, objective criteria for evaluating incidents, or do you rely on subjective judgment to a degree that might be unwise?
In Unisys’ case, the security team didn’t report the Russian hackers’ 2020 and 2021 activity to the company’s disclosure decision-makers until a year after discovering it. In a separate extortion attack in 2022, the security team didn’t report the incident to the disclosure team until the hackers posted a public statement about their attack.
Now consider the sort of company that Unisys is: an IT services contractor to large corporations and government agencies. Of course it is a tempting target for cyber attacks, and its effectiveness at thwarting those attacks would naturally be a material concern for investors. Management should have known that from the start, and built strong internal processes to support clear, prompt communication between Unisys’ cybersecurity team and the external reporting team.
Unisys finally improved its disclosure policies and controls at the end of 2022, after it disclosed a material weakness related to “the design and maintenance of effective formal policies and procedures over information being communicated by the IT function and the legal and compliance function to those responsible for governance.”
And for lack of those internal processes, the rest of this mess happened.