Four years after the SolarWinds breach first became a major news item, the resulting aftermath of this incident is still being felt industry wide. This breach, which affected both government and private sectors alike, has prompted numerous regulatory investigations. The Securities and Trade Commission (SEC) has been one of the more active agencies enforcing more rigorous standards for disclosing cybersecurity risks from major breaches like SolarWinds.
Just last week, the SEC issued a new round of enforcement actions against companies whose systems were compromised during the SolarWinds breach. As a result of the breaches, the SEC's recent enforcement action highlight a heightened regulatory focus on accurate, specific, and investor-informed cyber disclosures.
Given the enforcement actions taken against these companies, the expectations for cybersecurity disclosure, and the implications of the SEC's stance for corporate leaders and legal teams, is now heightened. Even long after the affects of a major breach are remedied, companies need to ensure publicly filed disclosures fully and adequately disclose the severity of a breach or they risk possible enforcement actions by the SEC.
Background of SolarWinds Breach and SEC Lawsuit
The 2020 SolarWinds breach involved a sophisticated supply chain attack where hackers, reportedly linked to a nation-state, injected malicious code into SolarWinds' Orion network management software. Hackers believed to be directed by the Russian intelligence service, the SVR, used a routine software update to inject malicious code into SolarWinds' Orion's software allowing them unauthorized access to countless systems operated by U.S. government agencies and private companies.
In 2023, the SEC filed a landmark enforcement litigation not only against SolarWinds, but also the companies Chief Information Security Officer (CISO). The SEC litigation alleged SolarWinds and its CISO defrauded investors and customers through false and misleading statements about both the company's cybersecurity risks and practices and the attack itself. The complaint even alleged both SolarWinds and its CISO were aware hackers had exploited vulnerabilities within its software for months, possibly years, and these allegedly known vulnerabilities were never disclosed to investors.
This past summer, however, the U.S. District Court for the Southern District of New York dismissed most of SEC's allegations against SolarWinds. This decision was significant as the SEC had attempted to expand its internal accounting controls to include cybersecurity access controls.
The SEC's Latest Enforcement Actions
While the court's decision left in doubt how—or if—the SEC would initiate further enforcement actions based on the SolarWinds breach, just last week the SEC responded with a round of actions against Unisys, Avaya, Check Point, and Mimecast. In each of these actions, the SEC seems to have followed the court's decision that risk disclosures should disclose the manner and severity of a known risk, but the disclosure does not need to provide a level of specificity that could arm a potential threat actor.
For instance, the SEC alleges Avaya downplayed the SolarWinds incident by stating it involved only a few emails, omitting the fact that 145 shared files, including sensitive data, had been accessed. The SEC also alleged Avaya failed to disclose that a threat actor had monitored one of its cybersecurity team members, compromising the company's incident response.
The SEC likewise alleged Check Point maintained generic cybersecurity language in its filings for 2021 and 2022, despite knowing that it had encountered unauthorized access linked to the SolarWinds compromise. The company's vague risk language left investors unaware of the true gravity and heightened risks it faced from this prolonged intrusion.
Mimecast Limited and Unisys Corporation also faced SEC scrutiny for incomplete and misleading disclosures. Mimecast initially reported a 2021 breach but omitted critical details, such as the compromise of an encrypted database with sensitive credentials for 31,000 customers and substantial Microsoft 365-related code exfiltration. Unisys, despite experiencing multiple breaches, characterized its cybersecurity risks as hypothetical, concealing the fact that a threat actor had persistently accessed its network and administrative accounts over sixteen months.
All four companies' omissions prevented investors from understanding the full extent of the breaches and the associated risks. The SEC's allegation was therefore grounded in each companies failure to provide accurate information to investors by describing confirmed cyber incidents as hypothetical risks or omitting specifics about the data affected. The SEC stated such omissions misled investors about the companies' exposure and response to the breach, thus violating federal securities laws. The SEC's actions therefore appear to follow the N.Y. Court's decision from this past summer that the actions of all four companies reside within a “narrow circumstance” where the disclosures warned of a risk that has already occurred.
Where do companies go from here?
In light of the N.Y. court's recent decision and the SEC's recent actions, companies should be working to ensure their cyber controls and procedures are updated and well-documented. For risks that have already occurred, companies should also be cautious of framing cyber incidents as hypothetical. Ensuring transparent, accurate, and non-omissive disclosure of cyber events can mitigate potential SEC scrutiny, while still ensuring the disclosure does not provide details to potential threat actors.
Regardless of how the breach occurred, it is necessary the disclosures include:
- Clear Communications: Companies should include non-hypothetical information regarding known data breaches or security incidents in their SEC filings even if the company is a third-party that did not directly cause but was affected by the breach. This ensures investors are aware of the actual impact and potential risks. Accurate and thorough disclosures now appear necessary to meet SEC's transparency expectations.
- Scope of an Incident: Use enough details to describe the nature and extent of a breach. But caution should be taken to ensure the disclosure doesn't over-inform potential threat actors.
It is also recommended companies work to annually update internal policies to implement the following processes:
- Thorough Disclosure Controls: Implement rigorous processes to ensure relevant cybersecurity impacts are accessible for public disclosures.
- Regular Assessments: Continuously evaluate cyber risks and review disclosure protocols to align with regulatory guidance and best practices.
In conclusion, the recent SEC enforcement actions suggest a heightened duty for companies to disclose material cybersecurity risks and incidents in a timely manner, even when companies are third-parties that did not directly cause but were affected by material cybersecurity risks and incidents. Given the fiduciary duty to inform investors of significant, material events that could impact investors' understanding of the financial state and risks of the company, companies should be aware of its duty to report such incidents as part of their obligations under federal securities laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.