SEC Settlements Signal Increased Scrutiny of Cybersecurity Disclosures


The US Securities and Exchange Commission (SEC) recently settled actions with four publicly traded companies impacted by the SolarWinds cyberattack. These companies, all in the technology and communications sectors, fell victim to the SUNBURST malware, which was linked to a nation-state threat actor. The SEC’s enforcement actions focused on the companies’ responses to the cybersecurity incident and the accuracy of their disclosure statements.

In one case, the SEC alleged that Unisys, an American IT service provider, downplayed the cybersecurity risks posed by the SolarWinds attack in its 2020 and 2021 Forms 10-K. Despite knowing that its network had been compromised, Unisys described the risks as “hypothetical” and failed to provide accurate disclosures. The company did not have effective procedures to address cybersecurity concerns, leading to a violation of the Exchange Act. Unisys agreed to a $4 million penalty as part of the settlement.

Check Point, an Israeli cybersecurity solutions provider, faced similar allegations of misleading statements in its 2021 and 2022 Forms 20-F. The SEC found that Check Point’s disclosures were generic and failed to update investors on the cybersecurity compromise it had experienced. Despite unauthorized software being detected on its network, Check Point claimed no material adverse impacts had occurred. The SEC determined that these statements were negligent, and a $995,000 penalty was agreed as part of the settlement.

Lastly, a US digital communications provider was accused of making materially misleading statements about a cybersecurity incident in its disclosure documents. The company’s failure to provide accurate information about the breach led to regulatory scrutiny and ultimately a penalty, although the specific details and settlement terms were not disclosed in the summary.

These settlements highlight the importance of transparent and accurate cybersecurity disclosures for public companies. As regulatory scrutiny increases, companies must ensure they are fully disclosing and addressing cybersecurity incidents to protect their shareholders and investors. By implementing effective cybersecurity reporting procedures and working closely with regulators, companies can navigate the complex landscape of cybersecurity risks and compliance obligations effectively.
