The Securities and Exchange Commission announced that they charged four current and former public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. Check Point Software Technologies Ltd is one of them.

The 4 companies agreed to pay the following civil penalties to settle the SEC’s charges:

• Unisys will pay a $4 million civil penalty;
• Avaya. will pay a $1 million civil penalty;
• Check Point will pay a $995,000 civil penalty; and
• Mimecast will pay a $990,000 civil penalty.

SEC wrote in their release that the charges against the four companies result from an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.

Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement said: “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

According to the SEC’s orders, Check Point learned in 2020 that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but negligently minimized its cybersecurity incident in its public disclosures. 

The SEC’s order against Check Point finds that it knew of the intrusion but described cyber intrusions and risks from them in generic terms.

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit. 

The SEC’s orders find that each company violated certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and related rules thereunder.

Photo Credit: Arie Kutz, CC BY-SA 4.0, via Wikimedia Commons