SEC is Not Accepting Half-Truths

23 Oct 2024

The SEC Fines Four Major Companies for Misleading Investors on Cyberattacks

Recent developments in cybersecurity regulation underscore the growing importance of transparent and timely communication about cyber risks and incidents. In a notable case, the U.S. Securities and Exchange Commission (SEC) has fined four major companies—Unisys, Avaya, Check Point, and Mimecast—for materially misleading investors regarding their cybersecurity vulnerabilities and breaches, particularly related to the infamous SolarWinds cyberattack. These enforcement actions are a wake-up call for companies, boards, and Chief Information Security Officers (CISOs) to uphold transparency and integrity in reporting security incidents.

Tech in Trouble: Misleading Disclosures

The fines stem from the companies minimizing or obscuring the cyberattacks they experienced. According to the SEC's orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion compromise had accessed their systems without authorization, yet each negligently minimized the incident in its public disclosures. The SolarWinds incident, one of the largest and most impactful cyberattacks in recent history, compromised numerous organizations, including major corporations and government agencies. The SEC found that the four companies failed to give investors and shareholders an accurate picture of the gravity of the intrusions they faced.

Instead of delivering clear and accurate information, these companies framed their cybersecurity risks in hypothetical terms or discussed them in overly generic ways, even after they knew of actual, material intrusions. This lack of transparency misled investors about the risks these organizations were facing, which violates the federal securities laws. Public companies are legally required to disclose material information so that investors are not left with a picture of the company that its insiders know to be inaccurate.

Jorge G. Tenreiro, Acting Chief of the SEC's Crypto Assets and Cyber Unit, issued a stern warning, stating that “downplaying the extent of a material cybersecurity breach is a bad strategy.” The SEC's investigation found that by providing vague or incomplete disclosures, these companies misrepresented the actual state of their cybersecurity exposure, leaving shareholders and the broader investing public without an accurate picture of the risks.

The Consequences

As a result of these findings, Unisys Corporation agreed to pay a $4 million civil penalty for misleading disclosures and for failing to maintain adequate disclosure controls and procedures over its public statements. Avaya agreed to pay $1 million, Check Point $995,000, and Mimecast $990,000 for similar violations. These penalties are not just financial punishments but serve as a message to all public companies about the need for honest and accurate reporting of cybersecurity incidents.

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, emphasized the importance of transparency, stating, “while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”

A Message to CISOs and Leadership

The enforcement actions taken by the SEC send a clear message to boards of directors, executive teams, and especially CISOs: when it comes to cyberattacks, transparency is non-negotiable. Misleading or vague statements about material breaches will not be tolerated by regulators, and organizations must ensure they are providing accurate and timely information to their shareholders.

For CISOs, this adds a new layer of responsibility. Security professionals must navigate the delicate balance between protecting sensitive information and ensuring that the company is not engaging in misleading practices. Ethical considerations are at the forefront of this shift. Cybersecurity must be seen as a cornerstone of trust, and this trust is built on the ethical representation of risks and impacts to both shareholders and customers. Misleading disclosures not only erode this trust but also expose companies to significant legal and financial consequences.

CISOs and corporate leaders need to proactively engage in transparent communication about cyber risks, breaches, and the measures being taken to mitigate them. The recent SEC actions highlight the growing regulatory focus on cybersecurity, and failure to comply could lead to severe penalties.

A Warning to Leadership

The fines against Unisys, Avaya, Check Point, and Mimecast should serve as a stark reminder to all organizations about the importance of cybersecurity transparency. The SEC’s actions reinforce that public companies have a duty to provide accurate and timely information regarding material cybersecurity incidents. As cyber threats continue to evolve, organizations must ensure their cybersecurity strategies are not just robust but also ethically transparent, with CISOs playing a critical role in this endeavor.


SEC Press Release: https://www.sec.gov/newsroom/press-releases/2024-174
