
One year after adopting the Cybersecurity Disclosure Rule, the SEC is cracking down on misleading cybersecurity disclosures. The SEC has imposed almost $7 million in combined penalties on four publicly traded technology companies whose disclosures left investors without a complete picture of the scope of their cyber incidents and of their risk management and response processes.


Since the rules passed, risk managers in publicly traded companies have searched for consistent, repeatable processes for determining the materiality of cyber events. From financial losses to business continuity and disaster recovery, all are trying to tell investors a complete story of risk without providing misleading information.

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the SEC's Crypto Assets and Cyber Unit. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized.”

The SEC emphasized that companies have a duty to provide investors with accurate and timely information about cybersecurity incidents, and that downplaying the extent of a breach is unacceptable. Companies must ensure their risk factor disclosures reflect risks that have actually materialized rather than presenting known intrusions as hypothetical scenarios.

  • Unisys Corp. received the largest penalty, $4 million. The SEC found that Unisys described cybersecurity risks as hypothetical even though it knew it had suffered two intrusions related to the SolarWinds compromise, resulting in the exfiltration of gigabytes of data. Unisys was also charged with violating disclosure controls and procedures requirements.
  • Avaya Holdings Corp. was fined $1 million for stating that a threat actor had accessed only a limited number of email messages when it knew the actor had also accessed 145 files in its cloud storage.
  • Check Point Software Technologies Ltd. was fined $995,000 for describing its intrusions in generic language that concealed the fact that it had been affected by the SolarWinds compromise.
  • Mimecast Limited was fined $990,000 for downplaying the severity of its breach by failing to disclose the type of code that was exfiltrated and the number of encrypted credentials that were accessed.


A Warning to All Public Companies

All four companies agreed to cease and desist from future violations, pay the penalties, and implement enhanced disclosure controls. They will also improve their cybersecurity monitoring and reporting procedures, develop better incident response protocols, and introduce more rigorous risk assessment frameworks.

This enforcement action is a warning to all public companies to be transparent about cybersecurity risks and incidents. The SEC is demonstrating that it will hold companies accountable for misleading disclosures, particularly where they fail to conduct a proper materiality analysis and to give investors accurate information about incidents that have already occurred.
