Image courtesy of Google StreetView
Unisys among four companies charged with misleading the public
One Blue Bell-based business is facing some serious charges from a federal level regarding misleading cyber disclosures.
According to a release from the United States Securities and Exchange Commission (SEC) last week, four technology companies face charges after they created “materially misleading disclosures regarding cybersecurity risks and intrusions.” The four named businesses included Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Limited.
One of those named, Unisys Corp., is headquartered in Blue Bell, Whitpain Township. In addition to the charges faced by the four current and former public companies, Unisys is also to face charges for “disclosure controls and procedure violations.”
All four organizations agreed to pay civil penalties to settle the charges. Those included:
The SEC allegations noted that the four companies were impacted by a compromise of “SolarWinds’ Orion software” and other related activity.
“As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement. “Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
The SEC said that three of the four, Unisys, Avaya, and Check Point, learned in 2020 about the threats, and Mimecast in 2021. They allege that the organizations knew about a threat, and that the actor “likely behind the SolarWinds Orion hack had accessed their systems without authorization. The SEC said that each then “negligently minimized its cybersecurity incident in its public disclosures.”
In Unisys’ case, the SEC additionally found that the company “described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two, SolarWinds-related intrusions involving exfiltration of gigabytes of data,” according to the release.
The release added that order also found these “materially misleading disclosures” were a result of, in part, Unisys’ “deficient disclosure controls.”
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit (CACU). “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
The order from the SEC found that each of the companies had violated applicable provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and “related rules thereunder.” The companies have not admitted nor denied the SEC findings, as each agreed to Cease and desist from future violations of the charged provisions, while also agreeing to pay the civil penalties.
According to the SEC release, the internal investigation involving the four companies was conducted by Arsen Ablaev and Michael Baker of the CACU, and David D’Addio in the Boston Regional Office. It was supervised by Amy Flaherty Hartman and Mr. Tenreiro of the CACU and Kathryn A. Pyszka of the Chicago Regional Office.
Unisys is headquartered at 801 Lakeview Dr. in Blue Bell. For more information on its functions, visit Unisys.com.
