Four tech firms have copped $10.6 million ($US7 million) in fines after the US Securities and Exchange Commission (SEC) found they “negligently” deceived investors about their exposure to the SolarWinds data breach – the latest sign that regulators are fed up with companies downplaying the impact of cybercrimes.
Technology giants Unisys, Avaya, Check Point Software Technologies and Mimecast each suffered from the 2020 supply chain compromise of SolarWinds’ Orion network monitoring platform, SEC found.
That compromise – which was attributed to Russian government-sponsored hackers and led to US sanctions on Russia – affected 18,000 Orion customers who downloaded and installed malware that was embedded in a software update pushed out to their systems.
Even as it became clear that they were among the companies affected by the attack – Mimecast found out in 2021 and the others in 2020 – SEC alleges that all four tech companies “negligently minimised [the] cyber incident in [their] public disclosures.”
Unisys, for example, “described its risks from cyber security events as hypothetical,” SEC argued, “despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data.”
Avaya said cybercriminals had accessed a “limited number” of company emails when it actually knew at least 145 files had been stolen from its cloud file sharing environment, while SEC said Check Point described its cyber intrusions and risks “in generic terms”.
After a breach is no time for wordplay
By failing to disclose the nature of the stolen code and the quantity of encrypted credentials accessed, SEC said Mimecast had “minimised the attack” – flouting federal laws that, SEC Crypto Assets and Cyber Unit acting chief Jorge G Tenreiro said, “prohibit half-truths.”
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” Tenreiro said.
“In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialised.”
Unisys agreed to pay a $6 million ($US4 million) civil penalty, while the other companies will pay around $1.5 million ($US1 million) each.
The SolarWinds investigation drove worldwide panic amongst the large corporations that make up Orion’s core user base, produced revelations of poor executive security practices and of Microsoft’s role, and led to SEC charges against SolarWinds chief information security officer (CISO) Timothy Brown.
Brown, SEC alleged, had knowingly “ignored repeated red flags” about “well known” cyber risks that had left the company “very vulnerable” to compromise and unable to fix newly identified security issues – leaving cybercriminals to “basically do whatever.”
By describing those security issues as generic and hypothetical in outside communications, SEC – echoing its new allegations against the four tech firms – said Brown had “misled investors” who had poured funds into the company after it went public in October 2018.
Half-truths or complete lies?
SEC’s determination to crack down on companies understating their cyber security exposure reflects global regulators’ growing intolerance of companies that fail to be candid about the risks that cyber security attacks pose to the company – even after a breach.
In the wake of a series of high-profile outages – including recent incidents at the likes of Westpac, the Commonwealth Bank of Australia, and Optus – regulators and the public have pushed for more transparency from listed companies whose compromises create chaos.
Many breaches expose poor IT practices – as with the software upgrade that broke Optus, a separate 8-hour Westpac outage caused by a routine IT update, and a global CrowdStrike outage in which the company used “weapons-grade corpo speak” to deflect responsibility.
Optus was recently fined $12 million by the ACMA after its network outage and has joined the likes of Medibank in facing potentially massive fines over action stemming from its breaches.
ASIC has also pursued several companies for failing to implement adequate cyber and consumer protections, and last year hit now-defunct startup GetSwift with a $15 million fine for making misleading statements in its ASX announcements.
“Disclosure is critical to market integrity and consumer protection,” ASIC deputy chair Sarah Court said at the time, warning that “ASIC will continue to take action to hold companies and individuals to account for corporate misconduct of this kind.”
Could increased enforcement actually hurt cyber security?
As companies try to blameshift – often hiding behind claims that attacks are “sophisticated” when they are so often not – SEC Division of Enforcement acting director Sanjay Wadhwa remains unrepentant about the agency’s crackdown.
“While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimise their shareholders or other members of the investing public,” he said, “by providing misleading disclosures about cyber security incidents they have encountered.”
“Misleading disclosures about the incidents at issue [left] investors in the dark about the true scope of the incidents.”