On 22 October 2024, the United States Securities and Exchange Commission (SEC) charged four companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited, with providing materially misleading information about cybersecurity risks and incidents. The investigation concerned the companies' disclosures following the compromise of SolarWinds’ Orion software and related cybersecurity breaches. In addition to the misleading disclosures, Unisys was charged with violations of disclosure controls and procedures and agreed to pay a USD 4 million civil penalty. The other companies faced penalties ranging from USD 990,000 to USD 1 million for their misleading disclosures. The SEC highlighted the importance of accurate disclosures regarding cybersecurity incidents to prevent further victimisation of shareholders and the investing public. Each company has agreed to cease and desist from future violations without admitting or denying the SEC’s findings, and they have taken voluntary steps to enhance their cybersecurity controls.