Don’t sell your cybersecurity incident short.
That’s the lesson from the Securities and Exchange Commission (SEC)’s late October announcement of charges (and settlements) with four companies—Unisys, Avaya, Check Point, and Mimecast. Following impacts from the 2019–2020 compromise of SolarWinds’s Orion software, the four vendors, according to the agency, made “materially misleading disclosures regarding cybersecurity risks and intrusions.”
Each “negligently minimized its cybersecurity incident in its public disclosures,” the SEC said in an Oct. 22 announcement:
- Unisys, the commission said, had “deficient disclosure controls” and described its cyber risks as hypothetical “despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data.”
- For Avaya, the SEC disputed a threat actor’s access to what the company called a “limited number of [the] Company’s email messages.”
- The SEC claims Check Point described its cyber intrusions in “generic terms.”
- The commission charged Mimecast with minimizing the attack “by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.”
When reached for comment, Unisys, Avaya, Check Point, and Mimecast each sent paragraph-long statements to IT Brew via representatives emphasizing, in part, their voluntary and extensive cooperation with the SEC and desire to better serve their customers. SolarWinds stated it is not part of the proceedings and had no further comment.
While two commissioners wrote a dissenting opinion on the charges, the Harvard Law School Forum on Corporate Governance offered key takeaways for public companies following the SEC announcement, including, “The SEC’s recent cybersecurity settlements reinforce the importance of disclosure and escalation procedures in the wake of a major cybersecurity incident.”
We asked lawyers and consultants about the lessons they see from the SEC announcement.
Their responses have been edited for length and clarity.
Luke Tenery, partner at StoneTurn: Organizations would be wise to think about under-characterizing certain impacts or situations that the firm has had from a cyber incident standpoint, as well as just the overall sufficiency of the detection and response activities to it. I think the SEC has taken interest in not just how or what organizations report, but also how they conducted their operations during the incident. I think organizations too would benefit by not just having these things procedurally lined out, even if they’re in the absence of an incident, but that an organization practices those through realistic tabletop exercises or other simulations.
Douglas Clare, managing director and head of cyber strategy at ISS-Corporate: What constitutes materiality?…Every mosquito bite maybe doesn’t deserve a disclosure, but you’ve got to figure out where you’re going to draw that line.
Anna Rudawski, partner at A&O Shearman: I think companies are really struggling with how you link up your IT, CISO, cybersecurity function with your disclosure decision-makers, and how those two sides of the house have to speak together and be in step. I think, for too long, cybersecurity IT has sort of functioned as a highly technical space that sometimes those disclosure decision-makers have been afraid to get their hands in.
Robert W. Taylor, of counsel at Carstens, Allen & Gourley: I think, oftentimes, CISOs feel like if there’s a breach or an incident, they’re going to be the scapegoat. They might get fired. Well, don’t try to keep it all within your department, because if it is something severe…it’s actually probably going to come back to bite you worse if you didn’t raise it to the right level of attention in the company.
Cinthia Motley, director of the data privacy and information security practice group at Dykema: Don’t downplay…when we hear in these cases of exfiltration of data, now you’re talking not just an intrusion to the systems, which obviously can have the financial impact, but also to the entity itself. With the exfiltration of data, it could be personal identifiable information of individuals, it could be corporate information, it could be trade secrets.
Rudawski: You want to show that you have a process…and that the right information is getting to the right people. It doesn’t mean that in hindsight, you have to have made the right decision every single time, but creating a process that you follow that’s repeatable, that produces results that you can document, that’s what good cyber governance is going to look like.