Undeterred by the SolarWinds Storm: SEC Charges Victims of Compromised Software
The SEC on Oct. 22, 2024, announced charges against four companies for allegedly making materially misleading disclosures concerning the impact of cybersecurity incidents associated with the compromised SolarWinds' Orion software. As detailed in our prior article, SolarWinds is a software development company with a flagship network monitoring and management product known as the Orion Platform (Orion). As early as January 2019, nation-state actors inserted malicious code into the Orion software build for three product updates, which allowed cybercriminals to access the systems of SolarWinds' customers who used these versions of Orion.
Unisys Corp. (Unisys), Avaya Holdings Corp. (Avaya), Check Point Software Technologies Ltd. (Check Point) and Mimecast Limited (Mimecast) were victims of cybersecurity attacks attributed to the compromised Orion software. The SEC alleged that these four companies' disclosures concerning these incidents or cyber risk factors "negligently minimized" the impact of the incidents. Without admitting or denying fault, the companies each agreed to settle the charges and pay civil penalties, as described below.
As with other SEC cyber enforcement actions, Commissioners Hester Peirce and Mark Uyeda (together, the "Dissenting Commissioners") opposed the charges, claiming that the SEC is "playing Monday morning quarterback" and engaging in "hindsight review to second-guess the disclosure."1 Recently, the U.S. District Court for the Southern District of New York dismissed nearly all counts against SolarWinds in the SEC's landmark enforcement litigation against the company and its chief information security officer (CISO) Tim Brown. Throughout their opposition, the commissioners noted the similarities between the charges in these four cases and those dismissed by the court in the Securities and Exchange Commission v. SolarWinds Corp. & Timothy G. Brown decision. The SEC's latest charges make clear that the agency is undeterred in pushing its cyber enforcement agenda ahead.
Allegedly Misleading Cybersecurity Incident Disclosures
Both Avaya and Mimecast publicly disclosed the cybersecurity incidents that they experienced. The SEC does not claim that these disclosures contained a materially false representation. Rather, similar to the unsuccessful arguments it made in the SolarWinds case, the SEC alleges that the disclosures contained material omissions.
Avaya
Avaya is a global provider of digital communication products and services and was a public company from January 2018 to February 2023. According to the SEC,2 Avaya identified two servers segmented from the corporate network that had the compromised Orion software installed. Through this compromised software, threat actors obtained unauthorized access to Avaya's systems from January through December 2020. The threat actors, who were likely nation-state hackers, accessed 145 shared files, some of which contained confidential and/or proprietary information, including instructions regarding remote access and product configurations for at least one customer, and monitored the email traffic of one of the company's cybersecurity personnel.
In February 2021, Avaya disclosed this incident in its quarterly report on a Form 10-Q. The report stated that the incident resulted in "access to a limited number of Company email messages" and "no current evidence of unauthorized access to our other internal systems."
The SEC claimed that this disclosure was deficient because it omitted information that the SEC deemed to be material, in violation of Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20 and 13a-13 thereunder.3 Specifically, the SEC alleged that the report failed to disclose "the likely attribution of the activity to a nation-state threat actor, the long-term unmonitored presence of the threat actor in Avaya's systems, the access to at least 145 shared files some of which contained confidential and/or proprietary information, and the fact that the mailbox the threat actor accessed belonged to one of Avaya's cybersecurity personnel." Avaya settled with the SEC, consented to cease and desist from committing or causing any violations of the above-listed securities laws, and agreed to pay a $1 million civil penalty.
Mimecast
Mimecast is a provider of cloud security and risk management services and was a public company until May 2022. The SEC alleged4 that the same threat actors responsible for the SolarWinds incident used the compromised Orion software to access Mimecast computers. The SEC further alleged that these threat actors accessed internal emails, accessed most of the data export code used in Mimecast software, exfiltrated authentication certificates and accessed five customers' cloud platforms using stolen certificates. In addition, the threat actor accessed an encrypted database containing approximately 31,000 customers and the server and configuration information for approximately 17,000 customers, although Mimecast's investigation found no evidence that the threat actor had accessed the relevant decryption keys or had accessed customer email or archive data.
Mimecast filed multiple Form 8-Ks disclosing this incident. In a Jan. 12, 2021, Form 8-K, the company disclosed that Mimecast-issued certificates provided to certain customers had been compromised and that approximately 10 percent of its customers used the connection that was impacted by the stolen certificates. A Jan. 26, 2021, Form 8-K filed by Mimecast noted that this incident was related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actors. It also noted that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials used to connect to on-premise and cloud services. A March 16, 2021, Form 8-K disclosed that the threat actor used stolen certificates to target only a small number of customers and accessed a limited amount of the company's source code that would not be sufficient to build or run any aspect of the Mimecast service.
Even though Mimecast provided substantial detail concerning the cybersecurity incident in its Form 8-K filings, the SEC argued that these disclosures omitted material information concerning the scope and impact of the incident in violation of Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20 and 13a-13 thereunder. Specifically, the SEC alleged that Mimecast failed to disclose the large number of impacted customers, the percentage of code exfiltrated by the threat actor and the value of the exfiltrated code to the security of Mimecast's overall service offering. Mimecast settled with the SEC, consented to cease and desist from committing or causing any violations of the above-listed securities laws, and agreed to pay a $990,000 civil penalty.
Allegedly Misleading Cyber Risk Factors
Unisys and Check Point did not publicly disclose the cybersecurity incidents. Rather, the SEC challenged their disclosed risk factors concerning cybersecurity incidents. Notably, the SEC did not allege that any representation was materially false. Instead, similar to the unsuccessful arguments it made in the SolarWinds case, the SEC alleged that these risk factors were generic and misleading by omission.
Unisys
Unisys is a global provider of information technology (IT) services and solutions. According to the SEC,5 due to the compromised Orion software, threat actors obtained access to Unisys's corporate network and noncustomer cloud environment. The threat actors compromised several network credentials and cloud-based accounts and transferred 33 gigabytes of data. Unisys did not publicly disclose this incident via a Form 10-K, 10-Q or 8-K. The Order also states that separately, in July 2022, a ransomware group successfully accessed and exfiltrated data from Unisys's network.
The SEC claimed that Unisys violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20, 13a-1 and 13a-15(a) thereunder.6 Specifically, the SEC alleged that throughout this period, the risk factors disclosed in Unisys's annual report on Form 10-K described a cybersecurity incident as a hypothetical possibility despite the company's awareness of the actual unauthorized access to its network. The SEC further alleged that the company's incident response plan did not reasonably require cybersecurity personnel to report information to appropriate disclosure decision-makers. Unisys settled with the SEC, consented to cease and desist from committing or causing any violations of the above-listed securities laws, and agreed to pay a $4 million civil penalty.
Check Point
Check Point is a provider of IT security products and services. The SEC alleged7 that threat actors used the compromised Orion software to obtain unauthorized access to Check Point's environment. According to the SEC in the Order, the threat actors engaged in network reconnaissance, installed unauthorized software and compromised two accounts. Check Point did not publicly disclose this incident.
In the settlement, the SEC argued that Check Point's Form 20-F disclosures were generic and insufficient. The SEC pointed to Check Point's failure to make any substantive or material changes to these disclosures after the discovery and response to the incident.
The SEC alleged that the risk factors disclosed in Check Point's Form 20-F Annual Report were generic, not tailored to the company's particular situation and materially misleading because they did not disclose how the company's cybersecurity risk had increased due to its compromised network. As a result, the SEC claimed that Check Point violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20 and 13a-1 thereunder. Check Point settled with the SEC, consented to cease and desist from committing or causing any violations of the above-listed securities laws, and agreed to pay a $995,000 civil penalty.
A Continuing Dissent
The Dissenting Commissioners have consistently dissented from the agency's cyber enforcement actions and have repeatedly argued that the SEC has overreached in these cases.
This time, the Dissenting Commissioners opposed the four enforcement actions strongly and claimed that the SEC is attempting to regulate by enforcement. The Dissenting Commissioners argued that the SEC's charges rely on hindsight analysis to second-guess disclosures and admonished the agency for raising similar complaints that were rejected by the federal court in the SolarWinds litigation.
The Dissenting Commissioners also expressed particular concern with the SEC's settlement with Avaya and the allegations that the likely attribution to a nation-state actor constitutes omitted material information. The Dissenting Commissioners noted that no comment to the 2023 rulemaking on cybersecurity incident disclosure (the 2023 Cybersecurity Rule) suggested or recommended the identity of the threat actor be treated as material. To the contrary, such information speaks to the "details regarding the incident," which the 2023 Cybersecurity Rule specifically cautions against.
Similarly, with respect to Mimecast, the Dissenting Commissioners stated that the SEC's attention on the number of customer credentials or percentage of code accessed focuses on the details of the incident and fails to account for the big picture painted by the disclosures. In raising this argument, the Dissenting Commissioners noted that the Court in the SolarWinds case advised that "perspective and context are critical" in assessing such disclosures.
The Dissenting Commissioners also questioned the SEC's allegation that Unisys was required to alter its cyber risk disclosures. The SEC's Order did not argue that the incident was material. Material incidents are to be reported elsewhere and not in the section related to risk factors,8 which are intended to warn investors of potential risks that could materially affect the company. Finally, the Dissenting Commissioners pointed out that Check Point's cyber risk disclosures were similar to those found by the Court to be sufficient in SolarWinds.
Key Takeaways
The SEC's Focus Beyond Impact May Be a Growing Concern
One of the most significant concerns about the 2023 Cybersecurity Rule was the level of detail that would ultimately be required in the disclosures:
Commenters' criticisms of Item 1.05 generally arose from two aspects of the proposal: (1) the scope of disclosure; and (2) the timing of disclosure. With respect to disclosure scope, we note in particular commenter concerns that the disclosure of certain details required by proposed Item 1.05 could exacerbate security threats, both for the registrants' systems and for systems in the same industry or beyond, and could chill threat information sharing within industries.
See id.
In the Final Rule, the SEC attempted "to balance investors' needs with the concerns raised by commenters" by requiring disclosures to primarily focus on the impacts of a material cybersecurity incident, rather than on requiring details regarding the incident itself.
However, as the Dissenting Commissioners noted, in the SolarWinds case and these four cases, the SEC appears to focus on the details of the incident and not necessarily on its impact. For example, in Avaya, the SEC determined that the threat actor "likely" being a nation-state actor was material, but the agency provided little guidance on how this fact materially impacted Avaya. The SEC asserted that data maintained by Avaya would be of "great interest to state-sponsored cyber threat actors." Yet, data being valuable to a foreign intelligence agency, without more, may not have a material financial, operational or reputational impact on the company.
With respect to Mimecast, the SEC's focus on the number of potential customers impacted and percentage of code exfiltrated does not include a material impact analysis. As a preliminary matter, there is no allegation that the threat actor had obtained the relevant decryption key to the encrypted database or accessed customer email or data. As the Dissenting Commissioners noted, "access to credentials, by itself, may not be material if the threat actor does not use the credentials to misappropriate customer information." Moreover, investors may not appreciate the percentage of code exfiltrated or the subject matter of the code. Rather, the more meaningful information may be how the exfiltrated code could impact the company, which Mimecast disclosed.
The 2023 Cybersecurity Rule requires public companies to report material cybersecurity incidents via a Form 8-K within four days of determining materiality. These cases raise significant concerns about the level of detail such disclosures will require and the SEC's ability to second-guess such real-time disclosures. Companies may feel it necessary not only to describe the impact of the incident, but also to speculate on facts the SEC may find material at some future point in time. This could result in over-disclosure of incidents that could potentially harm the disclosing company, confuse investors regarding the true impact of the incident or inure investors to such disclosures. Ultimately, the SEC's actions in SolarWinds and these cases place public companies in a challenging position: complying with murky, yet stringent, disclosure obligations while speculating on what the SEC, through hindsight analysis, may later find to be insufficient.
The SEC's Aggressive Enforcement of Cyber Incidents Will Continue
The cases illustrate that the SEC continues to, and likely will continue to, be aggressive in the cyber enforcement space even after the noteworthy dismissal of most of its claims in the SolarWinds case.
In the SolarWinds case, the court dismissed the SEC's material omission claims and noted that the SEC's allegations "impermissibly rely on hindsight and speculation" and found that disclosure must be "[r]ead fairly and in totality" and that "perspective and context are critical." In addition, the court dismissed the SEC's allegation that SolarWinds' cyber risk disclosure was generic and created a misleading picture. The court held that fraud claims based on risk disclosures are uncommon and actionable only in "narrow circumstances" and that such risk disclosure did not require the level of specificity for which the SEC argued.
Here, the SEC alleged similar claims against the four companies. Although the facts differ, the Dissenting Commissioners did not, and many others may not, find these differences substantial. Nevertheless, in bringing these four cases, the SEC has underscored its intention to continue to be aggressive in this area of law under its current 3-2 split among the commissioners. As such, public companies should not expect the SEC to curtail its cyber enforcement efforts as a result of the SolarWinds case.
Holland & Knight's Securities Enforcement Defense Team and Data Strategy, Security & Privacy Team will continue to monitor developments of the SEC's cybersecurity-related enforcement actions. For more information about this case, contact the authors.
Notes
1 See, e.g., statements by Commissioner Hester Peirce, 1 and 2, and Peirce with Commissioner Mark Uyeda.
2 In the Matter of Avaya Holdings Corp., Release No. 34-101398 (Oct. 22, 2024) ("Avaya Order").
3 Section 17(a)(2) of the Securities Act prohibits the offer or sale of a security by means of any untrue statement of a material fact or any omission to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading. Section 17(a)(3) of the Securities Act makes it unlawful for any person in the offer or sale of a security to engage "in any transaction, practice, or course of business which operates or would operate as a fraud or deceit upon the purchaser." Section 13(a) of the Exchange Act and Rule 13a-13 require the filing of quarterly reports in conformity with the SEC's rules and regulations. Rule 12b-20 requires issuers to include in quarterly reports any material information necessary to make the required statements in the filing not misleading.
4 In the Matter of Mimecast Limited, Release No. 34-101400 (Oct. 22, 2024) ("Mimecast Order").
5 In the Matter of Unisys Corporation, Release No. 34-101401 (Oct. 22, 2024) ("Unisys Order").
6 Rule 13a-15(a) requires issuers to maintain disclosure controls and procedures that are designed to ensure that information required to be disclosed is accumulated and communicated to management to allow for timely decisions regarding disclosure.
7 In the Matter of Check Point Software Technologies Ltd., Release No. 34-101399 (Oct. 22, 2024) ("Check Point Order").
8 The disclosures and risk factors in these four cases preceded the 2023 Cybersecurity Rule, which now requires material cybersecurity incidents to be disclosed in Item 1.05 on the Form 8-K.