SEC Charges Four Companies With Misleading Cyber Disclosures

Four public technology companies survived one of the most sophisticated cyberattacks in history, then faced SEC enforcement not for being breached, but for how they told investors about it.

On October 22, 2024, the SEC charged Avaya, Check Point, Mimecast, and Unisys with making materially misleading disclosures related to the 2020 SUNBURST supply chain attack. Penalties ranged from $990,000 to $4 million. All four companies had installed the trojanized SolarWinds Orion update. All four disclosed the resulting incidents to investors. In the SEC's view, none of them disclosed accurately.

For boards and executives, this is not primarily a legal compliance story. It is a governance story. The SEC is asking whether accurate cybersecurity information traveled from technical teams to investors, and whether the governance structures to make that happen existed at all. In the Unisys case, the SEC found that they did not.


TLDR

  • Four public tech companies were charged by the SEC for misleading cyber disclosures tied to the 2020 SUNBURST/SolarWinds attack—penalties ranged from $990,000 to $4 million.
  • Violations fell into two types: boilerplate risk language used after a known breach, and selective disclosures that omitted material facts about scope and severity.
  • Unisys also faced disclosure controls charges—incident information never reached senior leadership, which the SEC treated as a governance failure.
  • Each settlement order credits the company's cooperation with the SEC, which the Commission weighed in setting penalties.
  • The core lesson: incident response and disclosure are not two separate workflows—they're one.

The Four Companies, the Attack, and What It Cost Them

What SUNBURST Was

SUNBURST was a supply chain attack in which Russian Foreign Intelligence Service (SVR) operators embedded malware into a SolarWinds Orion software update distributed between March and June 2020. Organizations that installed the update unknowingly gave attackers a persistent foothold—one that could go undetected for months. CISA issued its alert on December 13, 2020. By then, thousands of downstream organizations had already been compromised.

SolarWinds was the entry point. The damage extended across its customer base.

In October 2023, the SEC sued SolarWinds and its CISO directly. A federal judge dismissed most of those claims on July 18, 2024. The October 2024 charges against these four downstream victims represent the SEC's next move—and a clear signal that the Commission is not retreating from cybersecurity disclosure enforcement.

Penalties at a Glance

All four companies settled without admitting or denying the findings and agreed to cease and desist from future violations.

Company      Penalty      Additional Charges
Unisys       $4,000,000   Disclosure controls and procedures violation
Avaya        $1,000,000   None
Check Point  $995,000     None
Mimecast     $990,000     None


Each settlement order explicitly credits cooperation. All four companies voluntarily provided analyses and presentations and took steps to strengthen cybersecurity controls during the investigation. The orders state that the Commission considered that cooperation in deciding to accept the settlements, so boards should treat regulator engagement as a standing input to incident response planning, not an afterthought.

Avaya and Mimecast are no longer publicly traded, which limits the forward-looking regulatory implications for those specific entities. Unisys and Check Point remain public companies.


Two Categories of Misleading Disclosures

The SEC's charges fall into two distinct patterns. Understanding which applies to which company matters for boards evaluating their own exposure.

Category One: Hypothetical Language After a Real Breach

Check Point identified infected SolarWinds Orion software on two of its servers in December 2020. The SEC found that unauthorized activity had occurred from July through October 2020—including compromise of two corporate accounts, execution of unauthorized data compression software, and attempted lateral movement. Despite knowing this, Check Point's 2021 and 2022 Form 20-F filings contained cybersecurity risk factor language that was virtually unchanged from prior years.

Generic framing. No acknowledgment that a likely nation-state actor had been active in their environment for months.

Unisys used future-tense, conditional language in its 2020 and 2021 annual reports—phrases like "could result in" and "if our systems are accessed"—despite knowing that two SolarWinds-related intrusions had already occurred. The SEC found that approximately 23GB of data had been transferred out of Unisys's network and roughly 7GB transferred in.

Jorge Tenreiro, Acting Chief of the SEC's Crypto Assets and Cyber Unit, put it plainly: "The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures."

When a nation-state actor has been active in your environment, risk factor language that predates that activity is no longer accurate — and accuracy is a legal obligation, not a best practice.

Category Two: Selective Disclosure That Creates a Misleading Picture

Avaya disclosed in its February 2021 Form 10-Q that a breach had resulted in access to a "limited number of Company email messages." What it omitted:

  • Threat actors accessed at least 145 files in its cloud file-sharing environment
  • Avaya could only recover and review 44 of those files
  • Some files contained confidential security procedures and passwords
  • The threat actors monitored the email account of one of Avaya's cybersecurity incident response employees

The SEC rejected Avaya's argument that the cloud file-sharing environment was not technically "internal." The company stored its working documents there. The omission created a materially misleading picture.

Mimecast filed Form 8-Ks describing a "small" or "low single digit" number of targeted customers. What it omitted was substantially more significant:

  • Threat actors accessed a database with encrypted credentials for approximately 31,000 customers
  • Server and configuration data for approximately 17,000 customers was accessed
  • 58% of one source code repository was exfiltrated
  • 50% of its Microsoft 365 authentication source code was taken
  • 76% of its Microsoft 365 interoperability source code was taken


The SEC's position: if you choose to quantify, you own the full picture. Disclosing one number while omitting three others that tell a different story is not partial disclosure — it's a misrepresentation.


What the SEC Is Really Demanding: A Governance Standard

These cases are not primarily about the words companies chose. They are about whether the governance infrastructure existed to make accurate disclosure possible at all.

The Unisys Disclosure Controls Failure

Unisys was the only company charged with a disclosure controls and procedures violation under the Exchange Act—and the specifics are instructive. The SEC found that Unisys had no established procedures to ensure cybersecurity incident information was escalated to senior management within required timeframes.

In August 2021, credible information indicated a threat actor had accessed Unisys's environment through its VPN using a former employee's credentials. That information was never escalated to senior management. The SEC's order states directly: "decision makers failed at the time to reasonably assess the materiality of these events and new risks arising therefrom."

That is a board governance failure. Not a legal technicality.

Where the Materiality Chain Breaks

Materiality determinations require information to travel:

  1. Technical responders → identify and document the incident
  2. Security leadership (CISO) → assess scope and potential impact
  3. Legal and disclosure counsel → evaluate materiality under securities law
  4. Executives (CEO, CFO) → make disclosure decisions
  5. Board → receive notification before public filings are made

Each handoff is a failure point. The SEC's enforcement pattern shows it will scrutinize whether that chain functioned—specifically whether escalation thresholds were defined, whether legal teams were looped in promptly, and whether the board was informed before disclosures went out.

The Logging Problem

Both the Unisys and Check Point orders found that incomplete logs prevented the companies from fully identifying what had happened. Check Point's logs covered only September through December 2020, so the unauthorized activity that began in July could not be examined from the logs at all. Unisys's order cites a lack of forensic evidence as creating significant gaps in its scope assessment.

The disclosure implications are direct: without a complete picture of what happened, no one in the materiality chain can make a defensible determination. The orders cite those evidentiary gaps in explaining why the companies' scope assessments fell short, which means log retention is a governance question, not just an IT operations decision. The retention window has to be long enough to cover the dwell time of an intrusion that is only discovered months after it began.
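As an added illustration (not from the SEC orders or from any of the four companies), the check below takes the window an investigation must account for and the retention windows actually available from each log source, then reports the sub-intervals that no source can speak to. The sources, their names, and their retention dates are constructed for the example; they are shaped like the Check Point situation described above (activity from July, logs starting in September) but are not the company's real log inventory.

```python
"""Coverage-gap check for incident-scope assessment.

Given the window an investigation must account for and the retention
windows actually available from each log source, report the sub-intervals
that no source covers. Dates are whole days; intervals are inclusive.
Sample sources and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LogSource:
    name: str
    first: date  # earliest retained record
    last: date   # latest retained record


# Window the investigation must account for: first known unauthorized
# activity (July 2020 in the text) through the CISA alert on 2020-12-13.
INCIDENT_WINDOW = (date(2020, 7, 1), date(2020, 12, 13))

# Constructed log inventory: retention starts well after the activity began.
SOURCES = [
    LogSource("vpn-auth", date(2020, 9, 1), date(2020, 12, 31)),
    LogSource("edr-telemetry", date(2020, 11, 15), date(2020, 12, 31)),
    LogSource("orion-server-syslog", date(2020, 10, 20), date(2020, 12, 31)),
]


def merge_intervals(intervals):
    """Merge overlapping or adjacent inclusive (start, end) intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def coverage_gaps(window_start, window_end, sources):
    """Return the inclusive sub-intervals of the window that no source covers."""
    # Clip each source's retention to the window, dropping sources outside it.
    covered = merge_intervals(
        (max(s.first, window_start), min(s.last, window_end))
        for s in sources
        if s.last >= window_start and s.first <= window_end
    )
    gaps = []
    cursor = window_start
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, start - timedelta(days=1)))
        cursor = end + timedelta(days=1)
    if cursor <= window_end:
        gaps.append((cursor, window_end))
    return gaps


def gap_report(window=INCIDENT_WINDOW, sources=SOURCES):
    """Return (gaps, fraction_of_window_uncovered) for the window and sources."""
    window_start, window_end = window
    gaps = coverage_gaps(window_start, window_end, sources)
    total_days = (window_end - window_start).days + 1
    missing_days = sum((end - start).days + 1 for start, end in gaps)
    return gaps, missing_days / total_days


if __name__ == "__main__":
    gaps, fraction = gap_report()
    for start, end in gaps:
        print(f"no log coverage: {start.isoformat()} to {end.isoformat()}")
    print(f"{fraction:.0%} of the incident window cannot be reconstructed from logs")
```

Run against the constructed inventory, the report shows that July and August 2020 have no coverage from any source, which is 62 of the 166 days in the window. A scope statement that claims to bound the intrusion cannot honestly do so for that period, and the output of a check like this belongs in the materiality packet that goes to counsel and the board.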

The 2023 SEC Rules Raise the Bar Further

The disclosures in these four cases pre-date the SEC's formal cybersecurity disclosure rules, which took effect for most companies in December 2023. But the Commission is explicitly signaling how it will evaluate compliance going forward:

  • Form 8-K Item 1.05: Material cybersecurity incidents must be disclosed within four business days of a materiality determination, and that determination must itself be made without unreasonable delay once the incident is discovered. The only permitted delay is where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
  • Form 10-K (Regulation S-K Item 106): Annual disclosure of cybersecurity risk management processes, board oversight governance, and management's role in assessing material risks


The governance structures the SEC found lacking in these four cases are now what every public company must describe in its annual report. Item 106 does not prescribe a particular structure, but it requires a public description of the one you have. Companies that still lack defined escalation thresholds, documented materiality workflows, and board notification procedures are not just behind; they will have to say so, in writing, to investors.


The Dissenting View Worth Knowing

Commissioners Hester Peirce and Mark Uyeda voted against all four enforcement actions. Their joint dissent accused the Commission of "playing Monday morning quarterback"—reviewing disclosure decisions with hindsight and demanding disclosure of incident details that no reasonable investor would have found significant.

Their specific argument: details like the percentage of source code exfiltrated, or the identity of the threat actor, do not "significantly alter the 'total mix' of information" available to a reasonable investor. Companies should focus on business impact, not operational minutiae.

The dissent did not prevail. But it matters to boards for one reason: it confirms genuine disagreement within the Commission about how far disclosure obligations extend, particularly on incident details versus business impacts.

Two practical takeaways for boards:

  • No safe harbor here: The majority's position controls. The dissent cannot justify withholding material information.
  • Useful calibration on depth: When determining what to disclose, anchor to scope and potential business impact — what a reasonable investor would consider material, not operational minutiae.

What Boards and Executives Must Do Before the Next Incident

Audit Your Risk Factor Language Now

Pull your current Form 10-K cybersecurity risk disclosures. Ask one question: does this language reflect your actual, current risk profile—or is it the same generic text that was there before your last significant security event?

If the language hasn't changed materially after a notable cybersecurity event, it may already be creating exposure. A risk factor cannot describe as hypothetical a risk that has already materialized.

Build an Escalation Protocol That Connects IR to Disclosure

The Unisys case is the clearest instruction the SEC has issued on board governance expectations. Document the answers to these questions before an incident occurs:

  • Who can declare a potential material incident?
  • What triggers escalation from the SOC to the CISO?
  • When does the General Counsel get notified?
  • What does the board chair receive in the first update, and when?
  • Who owns the Form 8-K decision?

Tabletop exercises that include the 8-K filing decision alongside the technical response are essential. That governance structure — documented decision rights, defined escalation thresholds, clear board notification triggers — is what determines whether your disclosure process holds up when the SEC comes looking.


Cooperate Early and Document Everything

The SEC's cooperation credit across all four settlements is not a footnote. It is a concrete signal about how engagement posture affects outcomes. Incident response plans should include:

  • A clear process for engaging outside counsel early
  • Evidence preservation from the first hours of an incident
  • A defined approach for proactive regulator engagement when a material incident occurs

What the SEC credited in all four settlements was the ability to show an organized account of what the company knew, when it knew it, and what decisions were made, delivered as analyses and presentations during the investigation. That documentation doesn't assemble itself after the fact.


Frequently Asked Questions

What is the SUNBURST attack, and why were these specific companies charged?

SUNBURST was a 2020 supply chain attack in which Russian SVR operators inserted malware into a SolarWinds Orion software update, compromising thousands of downstream organizations. The four companies were charged not for being victimized, but because the SEC found their public disclosures about the incidents were materially misleading or incomplete.

Can a company face SEC charges even if it was the victim of a cyberattack and not the cause?

Yes. Being a breach victim does not shield a company from enforcement. The SEC's mandate is to protect investors, and materially misleading disclosures violate the securities laws regardless of how the underlying incident occurred.

What is the difference between a Form 8-K cybersecurity disclosure and a Form 10-K risk factor disclosure?

Form 8-K Item 1.05 requires disclosure of a material cybersecurity incident within four business days of a materiality determination, covering the nature, scope, and impact. Form 10-K annual filings require ongoing description of risk management processes and board oversight—and that language must reflect actual known risks, not hypothetical scenarios.

What does it mean to have "disclosure controls and procedures" for cybersecurity incidents?

These are the internal processes that ensure material information reaches decision-makers in time to be accurately reflected in public filings. In Unisys's case, the SEC found these controls deficient because no escalation procedures existed to route incident information to senior management for materiality assessment.

How should boards evaluate whether their company's cybersecurity disclosures are adequate?

Boards should pressure-test three things:

  • Whether current risk factor language reflects known incidents or material changes in risk profile
  • Whether a documented escalation path exists from security teams to legal and disclosure teams
  • Whether post-incident disclosures describe actual scope and business impact—not minimized through selective quantification or hypothetical framing