In October 2024, the Securities and Exchange Commission (the “SEC”) charged four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with making materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC’s decision to pursue these companies serves as a warning to reporting companies that the SEC intends to aggressively enforce its enhanced cybersecurity disclosure requirements.
We addressed these enhanced disclosure requirements in prior publications. In short, the SEC requires reporting companies to disclose (1) material cybersecurity incidents through a required Form 8-K item (Item 1.05, generally due within four business days of the company’s determination that the incident is material) and (2) cybersecurity risk management, strategy and governance through a required Form 10-K item (Item 1C).
The charges against the four companies result from an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software, one of the most widespread cyberattacks to date. Although all four companies were victims of the cyberattack, the SEC asserted that each company harmed its investors by “negligently” minimizing the attack’s impact in its public statements. “[W]hile public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” remarked Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, in an SEC press release.
The SEC also charged Unisys with disclosure controls and procedures violations. In its Cease-and-Desist Order against Unisys, the SEC claims that the materially misleading statements were partly caused by the company’s failure to design controls and procedures to address cybersecurity incidents. The SEC wrote the following in its order:
Unisys’s materially misleading statements resulted in part from the company’s failure to design controls and procedures to ensure (1) that information about potentially material cybersecurity incidents was timely recorded, processed, summarized and reported, within the time period specified as appropriate in the [SEC]’s rules and forms, and (2) that information was accumulated and communicated to the company’s management to allow timely decisions regarding required disclosures. As a result, decision makers failed at the time to reasonably assess the materiality of these events and new risks arising therefrom.
Companies should note the connection the SEC draws in the passage above between a company’s day-to-day security operations and the filings reporting companies are required to make: a failure to escalate incident information to management promptly is treated not merely as an operational shortcoming but as a disclosure-controls violation in its own right. Companies should therefore carefully evaluate not only what they disclose publicly, but, just as crucially, how they detect, assess and internally communicate the incidents and risks that could give rise to a required disclosure.