Overview
On October 22, 2024, the US Securities and Exchange Commission (SEC, or Commission) brought settled actions against four publicly traded companies that were downstream victims of the Russia-linked cyberattack on SolarWinds known as SUNBURST. The four companies – all prominent technology and communications companies – had unknowingly installed SUNBURST malware and were compromised by a likely nation-state threat actor during the SolarWinds attack.
In announcing these enforcement actions, the SEC alleged the companies “negligently minimiz[ed] [the SolarWinds] cybersecurity incident,” thereby “victimiz[ing] their shareholders” and other investors. The SEC’s settlements focused on different time frames in the arc of a company’s response to the security incident and varying disclosure documents, highlighting the importance of full and accurate disclosures related to an incident itself, as well as in annual risk-factor disclosures. Announcing the settlements together sent a clear warning about increased regulatory scrutiny related to cybersecurity disclosures.
Below, we summarize each settlement and provide some considerations for public companies to keep in mind as they navigate the challenging balance of responding to cybersecurity incidents and complying with securities regulatory disclosure obligations.
In Depth
UNISYS
Unisys is an American information technology (IT) service provider to large commercial and public-sector entities, including the US government. In its order, the SEC alleged that the company mischaracterized cybersecurity risks as “hypothetical,” despite knowing that the SolarWinds attack had actually compromised Unisys’s network and non-customer facing cloud environment beginning in 2020.
The cybersecurity risk disclosures in the company’s 2020 and 2021 Forms 10-K stated that a cybersecurity incident “could … result in the loss … or unauthorized disclosure or misuse of company information” and that “[i]f our systems are accessed without our authorization … we could … experience data loss and impediments to our ability to conduct our business, and damage the market’s perception of our services and products” (emphasis in the order). The order states that Unisys’s use of hypothetical language was “inaccurate” because at the time of the disclosures, Unisys knew that “intrusions had actually happened and in fact involved unauthorized access and exfiltration of confidential and/or proprietary information.” In addition, the SEC alleged that the company lacked effective procedures to elevate cybersecurity concerns to senior management and sufficient log data to cover the scope of the incident, in violation of the Exchange Act.
The SEC’s order called out that Unisys cooperated with the investigation and presented to the SEC on key factual issues, and that Unisys implemented remedial measures to its cybersecurity reporting procedures. While neither admitting nor denying the SEC’s findings, Unisys agreed to pay a $4 million penalty.
CHECK POINT
Check Point is an Israeli technology company that provides cybersecurity solutions for IT companies worldwide. The SEC alleged that Check Point made materially misleading statements in its 2021 and 2022 Forms 20-F cybersecurity risk-factor disclosures. The SEC characterized the disclosures as “generic” and identical to previous disclosures, despite Check Point learning of installation and use of unauthorized software typically associated with malicious data exfiltration and network reconnaissance in late 2020. The disclosures stated that “[w]e regularly face attempts … to gain unauthorized access through the Internet or to introduce malicious software to our … systems,” that “malicious hackers may attempt to gain unauthorized access,” but that “[t]o date, [no attempts] have resulted in any material adverse impact to our business or operations.”
The SEC alleged that Check Point’s failure to update its annual cybersecurity risk disclosures after learning about the cybersecurity compromise was negligent, and that it was materially misleading for the company to frame the cybersecurity compromises as immaterial. The agency suggested that the incidents were material because the threat actor had access to Check Point’s network “unmonitored for several months,” deployed unauthorized software, and “attempted” to move laterally in the network. The SEC also suggested that the nation-state threat actor’s identity was material because of Check Point’s status as a cybersecurity solutions provider.
The order acknowledged that Check Point cooperated with the SEC’s investigation, including by conducting its own internal investigation, sharing its findings with SEC staff, and enhancing its cybersecurity controls. While neither admitting nor denying the SEC’s findings, Check Point agreed to pay a $995,000 penalty.
A US DIGITAL COMMUNICATIONS PROVIDER
The SEC alleged that a US digital communications provider (the company) made materially misleading statements about the SolarWinds cybersecurity incident in its quarterly Form 10-Q disclosure after learning that a threat actor had accessed 145 files and a cybersecurity employee’s email account.
The company disclosed in its quarterly Form 10-Q that it “believed” a cybersecurity incident “resulted in unauthorized access to our email system” and to “a limited number of . . . email messages.” The filing also stated, “we do not believe that this incident has had or will have a material adverse impact on our business or operations.” The SEC found that the statements “minimized” the cybersecurity incident and “omitted material facts,” including that the activity was attributable to “a nation-state threat actor.” Although the SEC’s new cybersecurity disclosure rules do not require identification of the threat actor in disclosures, the order suggested that a nation-state threat actor’s identity was material because the company provided services to “large enterprises and governments” and the company’s “ability to protect information and data stored on and transmitted over its systems was critically important to its reputation and ability to attract and retain customers.”
The order acknowledged that the company cooperated with the SEC’s investigation, including by conducting its own internal investigation, sharing its findings with SEC staff, and enhancing its cybersecurity controls. While neither admitting nor denying the SEC’s findings, the company agreed to pay a $1 million penalty.
MIMECAST
Mimecast is an American-British cloud security and risk-management services provider. The SEC alleged that the company made materially misleading statements when disclosing the SolarWinds cybersecurity incident in Forms 8-K.
In January 2021, Mimecast learned that the threat actors had accessed its internal emails and exfiltrated an authentication certificate, large parts of its software code, a database with encrypted login details for 31,000 customers, and server and setup information for around 17,000 customers. Shortly thereafter, Mimecast filed three Forms 8-K in January and March 2021 disclosing the incident. The Forms 8-K stated a “low single digit” and a “small” number of customers were targeted. The Forms 8-K also stated that the threat actor exfiltrated a “limited number” of emails, and that the incident did not have “any impact on our products.” The SEC found these statements downplayed the scale of the incident and omitted key information, including the number of customers affected and the large amount of software code exfiltrated.
The order acknowledged that Mimecast cooperated with the SEC’s investigation, including by conducting its own internal investigation, sharing its findings with SEC staff, and enhancing its cybersecurity controls. While neither admitting nor denying the findings in the order, Mimecast agreed to pay a $990,000 penalty.
REPUBLICAN COMMISSIONER DISSENT
Commissioners Hester M. Peirce and Mark T. Uyeda dissented from the SEC’s settlement orders. The dissent accused the SEC of “playing Monday morning quarterback” by “engag[ing] in a hindsight review to second-guess the disclosure and cit[ing] immaterial, undisclosed details to support its charges.”
The dissent argued the SEC’s finding that disclosures needed to include details such as “specific percentages and types of source code” contradicted its previous statements that called for disclosures to focus on the impact of an incident. As a result, according to the dissent, companies will disclose immaterial details or events in order “to avoid being second-guessed by the Commission.” The dissent also criticized the SEC’s conclusion that improperly omitting the threat actor’s identity was material, a detail the SEC never previously stated was material.
The dissent argued that using hypothetical language or omitting immaterial cybersecurity incidents in risk-disclosure statements is not improper. The dissent noted the similar facts in the SEC’s case against SolarWinds, where Judge Paul A. Engelmeyer of the US District Court for the Southern District of New York dismissed some SEC claims based on SolarWinds’ use of hypothetical language in cybersecurity-risk disclosures. The dissent added that the purpose of risk-factor statements is to “warn investors about events that could occur … to the extent that an event has occurred and has materially affected the company, it is generally required to be disclosed in another part of the filing” (emphasis in original). The dissent warned that the SEC’s reasoning will lead to a proliferation of disclosures of immaterial events.
KEY TAKEAWAYS
Notwithstanding the vigorous dissent, and the possibility of a changed SEC enforcement agenda in the Trump administration, we believe that the orders convey important lessons for public companies facing cybersecurity events.
- When making a disclosure decision:
- The SEC settlements illustrate the importance of the SEC’s new rules regarding Form 8-K Item 1.05 disclosure requirements, which require domestic registrants to disclose material cybersecurity incidents within four business days of determining that an incident is material. However, the rules did not define materiality. Instead, the SEC’s explanation of the new rules stated that whether information regarding a cybersecurity incident is material should be assessed “through the lens of the reasonable investor.” The orders reflect that the SEC’s lens may be more of a microscope, as at least two orders focused on the failure to identify a nation-state threat actor.
- The SEC also explained that the new rules do not require a “quantifiable trigger” for disclosure of a cybersecurity incident. The SEC explained that “an incident that results in significant reputation harm to a registrant may not be readily quantifiable … but it should nonetheless be reported if the reputational harm is material.” Instead, it will be up to companies to develop policies and processes that include quantitative and qualitative triggers that properly investigate, escalate, and disclose incidents.
- The SEC settlements, coupled with the SEC’s explanation of the new rules, show that the SEC views materiality in the cybersecurity context broadly, and expects companies – particularly companies with large enterprise or government clients and that transmit and store their data on the companies’ networks – to promptly report cybersecurity incidents in filings.
- Content of the disclosure:
- These SEC settlements also show that when a company experiences a significant cyber incident, enforcement staff will scrutinize public statements about the incident, including those made at the time of the incident and which describe how the incident effects annual risk-factor disclosures. That scrutiny will be done with the benefit of hindsight.
- Companies should be cautious about describing cybersecurity risks in hypothetical terms when an incident has occurred. The SEC found that Check Point failed to update its annual report cybersecurity risk disclosures despite knowledge of a cybersecurity incident. Check Point’s annual report included affirmative disclosures that it faced regular attempts to compromise its network by threat actors, but that none of those attempts was material. The SEC viewed Check Point’s claim of immateriality to be misleading, because the company’s risk profile “had increased” following the SolarWinds cybersecurity attack.
- Companies should also consider quantifying aspects of the attack to the extent possible. The new Form 8-K Item 1.05 requires companies reporting material incidents to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Companies should focus on the duration and scope of threat-actor access and potentially consider the relevance of the threat actor’s identity to a reasonable investor. Companies should also evaluate the number of customers affected and the amount of information exfiltrated.
- These SEC settlements also show that when a company experiences a significant cyber incident, enforcement staff will scrutinize public statements about the incident, including those made at the time of the incident and which describe how the incident effects annual risk-factor disclosures. That scrutiny will be done with the benefit of hindsight.
- During an investigation:
- Public companies should further understand that while cooperation and voluntary remediation is important, a resolution with the SEC may still result in an enforcement order and monetary penalty because there is an increased regulatory focus on cybersecurity. However, that may change with a Republican-led SEC.
- Even in the upcoming Trump administration, we expect continued emphasis by the SEC in the cybersecurity space, which has been championed by Republicans and Democrats. That said, we expect the SEC to be more willing to entertain the argument that victimized companies already have been harmed and to engage in less second guessing of timely, good-faith disclosures of incidents.