The high-profile SolarWinds data breach that put a spotlight on threats to the software supply chain is continuing to roil the IT industry more than four years later, with the federal government this week fining four tech companies for making misleading disclosures following the attack.
The Securities and Exchange Commission (SEC) charged Unisys, Avaya, Check Point Software, and Mimecast with minimizing the level of intrusion that the Russia-linked bad actors made into their systems and the threat that posed to their shareholders.
The disclosures the four companies made to the government left “investors in the dark about the true scope of the incidents,” Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, said in a statement. “While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”
The SEC said that Unisys, Avaya, and Check Point learned in 2020 – and Mimecast in 2021 – that the advanced persistent threat (APT) group behind the SolarWinds attack had accessed their systems and that each company minimized the extent of the incident in its public disclosures.
Unisys is paying a $4 million fine after the SEC found that company executives in their disclosures said the company’s risks from the SolarWinds attack were hypothetical even though they knew that there were two SolarWinds-related intrusions that resulted in gigabytes of data being exfiltrated from their systems. All four companies were charged with making materially misleading disclosures; Unisys is paying the largest fine for also being charged with disclosure controls and procedures violations.
In a filing with the SEC, Unisys executives wrote that in the settlement the agency recognized the company’s cooperation and the remediation steps it has taken since the disclosure issues were first raised in November 2022, “including enhancing disclosure policies and procedures and augmenting its cybersecurity personnel and tools, both internally and externally, to strengthen its cybersecurity risk management and protections.”
Avaya is paying a $1 million fine, while Check Point will pay $995,000 and Mimecast $900,000. Avaya executives knew the threat actor had accessed at least 145 files in its cloud file-sharing environment but stated that the attacker had accessed a “limited number of … email messages,” according to the SEC. Check Point described the intrusion and its risks only in generic terms, while Mimecast failed to disclose the nature of the code the bad actor had exfiltrated and the number of encrypted credentials it had accessed.
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge Tenreiro, acting chief of the SEC’s Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
The SEC fines underscore the importance of companies being clear, honest, and timely when disclosing cybersecurity incidents to investors, according to Keith McCammon, CTO of cybersecurity firm Red Canary.
“One of the best things companies can do to prepare is to clearly define a material cybersecurity incident in the context of their business, where a key component of both the criteria and response plan is the identification of key stakeholders,” McCammon said. “We are starting to see more and clearer signals that the U.S. government at large – via the National Cybersecurity Strategy, CISA, and other agencies – will continue to push for legislation and enforcement as it relates to cybersecurity preparedness, compliance, and reporting.”
The SolarWinds breach was significant in multiple ways. In the attack, an APT group that the U.S. government linked to the Russian Foreign Intelligence Service (SVR) inserted malicious code into the company’s Orion software, which is used by many enterprises and government agencies. Orion is an IT performance-monitoring platform that tracks the health of customers’ networks and servers; because the backdoor was planted in the vendor’s own signed update, many customers unknowingly installed it into their environments when they applied a routine software update.
The Russian threat group used the backdoor to steal data and spy on organizations and government agencies, including the departments of Justice, State, Treasury, and Energy. SolarWinds estimated that as many as 18,000 customers had installed the tainted update, although the attackers pursued follow-on intrusions against a much smaller subset. According to a 2021 report by cybersecurity firm IronNet, 85% of 473 security IT decision makers surveyed said they were impacted by the SolarWinds attack, and 31% said the impact was significant.
The attack played a role in President Biden issuing his May 2021 executive order on improving the nation’s cybersecurity, which among other things set requirements for securing the federal software supply chain, and it ramped up the attention paid to cyberthreats against the software supply chain generally. The SEC has since rolled out new requirements on public companies for disclosing cybersecurity incidents: under rules adopted in 2023, a company must disclose a cybersecurity incident it has determined to be material on Form 8-K within four business days of that determination, and must describe its cybersecurity risk management and governance in its annual report.
The SEC also charged SolarWinds and its CISO, Timothy Brown, with misleading shareholders in statements made between 2017 and 2021 that the agency said overstated the company’s cybersecurity protections and played down or failed to disclose known security risks. Much of that case was dismissed by a U.S. District Court judge who said many of the charges were based on “hindsight and speculation.”