
SolarWinds Blow—SUNBURST Military Malware Leads the SEC to Provide Hard Lessons on Misleading Data Breach Disclosures

The U.S. Securities and Exchange Commission (the SEC) has been expanding its oversight of how publicly traded companies respond to data security events. Recently, that oversight has extended to the downstream effects of intrusions by state-sponsored hackers. Importantly, the SEC's oversight has less to do with breach prevention than with how companies disclose and address their failures.

On Oct. 22, 2024, the SEC announced settled charges in separate actions against four technology companies—Avaya Holdings Corp. (Avaya), Check Point Software Technologies Ltd. (Check Point), Mimecast Limited (Mimecast) and Unisys Corp. (Unisys)—each of which was a downstream victim of the unprecedented 2020 cyberattack in which threat actors believed to be state-sponsored hackers in Russia inserted malware called SUNBURST (the SUNBURST malware) into a SolarWinds software update (the SUNBURST attack). 

The SUNBURST attack was previously the subject of multiple claims against the upstream victim, SolarWinds. However, in July 2024, Judge Engelmayer dismissed nearly all of the SEC's claims against SolarWinds and its current chief information security officer. These orders concerning downstream victims illustrate the regulatory risk for all companies affected by the SUNBURST attack.

According to the SEC’s Orders (the Orders), all four downstream companies unknowingly installed the SUNBURST malware prior to the public announcement of the SUNBURST attack in 2020, and all four were ultimately compromised by the perpetrators of that attack. While the breach itself was not a violation, the SEC alleged that each company made materially misleading cybersecurity-related statements or omissions related to these events, in violation of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 (the Securities Act) and Section 13(a) of the Securities Exchange Act of 1934 (the Exchange Act). While neither admitting nor denying the findings in the Orders, each company agreed to pay a penalty of between $990,000 and $4 million. 

While these actions provide some guidance, there are fissures appearing in the SEC’s approach to these matters. Commissioners Peirce and Uyeda issued a lengthy joint dissenting statement in which they raised multiple criticisms of the resolutions, and emphasized that, “donning a Monday morning quarterback’s jersey to insist that immaterial information be disclosed—as the Commission did in today’s four proceedings—does not protect investors.” 

Despite these misgivings, the Oct. 22 actions represent the SEC’s first resolutions based on its multi-year investigations into the adequacy and accuracy of disclosures made by the downstream victims of the SUNBURST attack. The four companies charged by the Commission are alleged to have certain common attributes: all were public technology or software companies at the time; all had installed at least one instance of the SUNBURST malware; and all experienced SUNBURST-related intrusions between at least 2020 and 2021 by the Russian nation-state threat actors. The last commonality was that the SEC alleged that all four made materially misleading statements about their victimization. 

A few takeaways are worth noting from these orders: 

  • Notably, the materiality of every purported violation was heightened by the nature of the respondents’ businesses: IT service and software providers. Therefore, companies in those spaces need to pay particular attention to their disclosures. 
  • Also, the companies were faulted for reusing boilerplate risk disclosures that did not reflect the incidents they had actually experienced. Companies should therefore refresh their risk factors to acknowledge new cybersecurity risks and incidents rather than continuing to describe them as hypothetical.
  • Companies should also establish processes for coordination between cybersecurity and disclosure personnel during an actual incident. The Unisys Order confirmed that the SEC is prepared to charge alleged breakdowns in disclosure controls and procedures in connection with an incident.
  • Companies’ 8-K cybersecurity analysis should articulate key elements of materiality such as the duration and scope of threat actor access; volume and type of data accessed and/or exfiltrated; and potentially even the identity of the threat actor. Companies should avoid language that could be seen as misleadingly downplaying the severity of an event.
  • The Commission has consistently emphasized the importance of cooperation, and its press release announcing the four settlements noted that “[e]ach company cooperated during the investigation, including by voluntarily providing analyses or presentations that helped expedite the staff’s investigation and by voluntarily taking steps to enhance its cybersecurity controls.” A company faced with an SEC cybersecurity investigation should strongly consider availing itself of “cooperation credit.”
  • To avoid an internal investigation that “suffered from gaps” limiting the company’s ability to determine the scope of a breach, companies should invest in enhancing their logging and log-retention capabilities before an incident occurs.
