SEC hits Avaya with $1M penalty for ‘misleading cyber disclosures’

Morristown company among four to settle with commission regarding SolarWinds' Orion software hack

Jessica Perry//October 22, 2024//

Cloud computing

PHOTO: DEPOSIT PHOTOS

Cloud computing

PHOTO: DEPOSIT PHOTOS

SEC hits Avaya with $1M penalty for ‘misleading cyber disclosures’

Morristown company among four to settle with commission regarding SolarWinds' Orion software hack

Jessica Perry//October 22, 2024//

Listen to this article

The Securities and Exchange Commission charged four companies Oct. 22 for making misleading disclosures regarding risks and hacks, including Morristown-based

To settle Avaya will pay a $1 million civil penalty, the said.

The charges stem from an investigation involving potential impacts from the compromise of SolarWinds’ Orion software, as well as other related activity. Unisys Corp., Check Point Software Technologies Ltd. and Mimecast Ltd. were additionally charged. To settle, those companies also each agreed to pay civil penalties:

  • Unisys, Blue Bell, Pa. – $4 million
  • Check Point, Redwood City, Calif. (U.S. HQ)  – $995,000
  • Mimecast, London, U.K.  – $990,000

 

“[W]hile may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” commented acting director of the SEC’s Division of Enforcement Sanjay Wadhwa. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”

Resolving matters

According to the SEC, Avaya, Unisys and Check Point learned in 2020 that the actor likely behind the SolarWinds Orion hack had accessed their systems without authorization. After, the commission said each business negligently minimized its own incident in public disclosures.

Avaya provides cloud communications and workstream collaboration services. The SEC’s order finds the company stated the threat actor had accessed a “limited number of [the] Company’s email messages.” However, the commission said Avaya knew the hack also accessed at least 145 files in its cloud file sharing environment.

The order details violations for each company of certain applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934 and related rules thereunder, the SEC said.

Beyond paying the aforementioned penalties, each company agreed to cease and desist from future violations of the charged provisions without admitting or denying the findings, the SEC said. The four businesses cooperated during the investigation. According to the commission, that includes by providing analyses, presentations and voluntarily taking steps to enhance cybersecurity controls.

“We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls.

“Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations,” the company said in a statement shared with NJBIZ.

In August, a U.S. judge dismissed most of the SEC’s case against software company SolarWinds.