$7 million for silence: IT giants punished for hiding the truth about SolarWinds

The attempt to mislead revealed new consequences of the hack.

The U.S. Securities and Exchange Commission (SEC) has fined four companies for providing misleading information related to the 2019 data breach caused by the SolarWinds attack.

The list of violators includes two information security companies, Check Point ($995,000 fine) and Mimecast ($990,000 fine), as well as the IT companies Unisys ($4 million fine) and Avaya ($1 million fine). All four companies were victims of the SolarWinds attack, which affected many organizations, including government agencies.

According to the agency, the violations were that these firms provided incomplete information about the incidents, leaving investors in the dark about the true consequences of the attacks. The SEC stressed that companies are obliged to be honest with shareholders and investors by providing full information about the cyberattacks they have faced.

Each of the companies committed a different violation:
  • Avaya said that the attackers gained access to a limited number of emails, but did not mention that "at least 145 files" in the company's cloud file storage were compromised.
  • Check Point described the risks associated with the hack in general terms, avoiding specifics.
  • Mimecast downplayed the scale of the incident by not disclosing details about the stolen code and the amount of encrypted data stolen.
  • Unisys described the threats from cyberattacks as hypothetical, even though it had itself suffered SolarWinds-related breaches twice.

All of the companies cooperated with the SEC during the investigation and agreed to pay the fines and to cease further violations. At the same time, the companies did not admit guilt, but they did not challenge the SEC's conclusions either.

An Avaya spokesperson noted that the company voluntarily cooperated with the SEC and took steps to improve cybersecurity. Check Point said it found no evidence of a leak of customer data, but decided to settle the dispute with the SEC in its own interests. Mimecast also stressed that it took proactive measures to inform customers and partners, even those who were not affected by the attack.

For several years, the SEC has been tightening requirements for public companies regarding disclosure of cyberattacks and their consequences for the business and its customers. For example, in May the SEC tightened control over data leaks: the Commission introduced new rules requiring financial institutions to report data breaches within 30 days of discovery.

In one such case, the SEC fined the American company Intercontinental Exchange (ICE) $10 million for violations related to failing to give timely notice of a security breach.
