On October 22, 2024, the Securities and Exchange Commission (“SEC”) filed settled enforcement orders involving four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Ltd, and Mimecast Limited. The settlements concern the issuers’ disclosures relating to cybersecurity risks and intrusions following the December 2020 SUNBURST cybersecurity incident, which affected customers of SolarWinds’ Orion software. Alleging that the issuers “negligently minimized” the impacts of the breach, the SEC levied civil monetary penalties ranging from $990,000 to $4 million. Each settled order credits the issuers with cooperating in the SEC’s investigation. A dissent by Commissioners Hester Peirce and Mark Uyeda criticizes the majority for playing “Monday morning quarterback.”
As the first cybersecurity-related settlements of the agency’s new fiscal year, these cases illustrate the SEC’s continued focus on disclosure of cyber incidents. Click here to read the full Ropes & Gray client alert.