Four cyber companies fined for SolarWinds disclosure failures
2024-10-23 02:45:41 Author: therecord.media

Four cybersecurity companies have been fined millions of dollars for lackluster disclosures following the Russian cyberattack on software company SolarWinds in 2020.

The Securities and Exchange Commission (SEC) charged four companies — Check Point, Avaya, Unisys and Mimecast — with making “materially misleading” disclosures about cybersecurity risks and intrusions. Tuesday’s announcement is the result of a years-long investigation into public companies potentially affected by the compromise of SolarWinds’ Orion software and by related activity.

Unisys will pay a $4 million fine; Avaya will pay $1 million; Check Point will pay $995,000; and Mimecast will pay $990,000.

Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, said companies that are facing cyberattacks must “not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”

“Here, the SEC’s orders find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents,” Wadhwa said.

The SEC accused all four companies of learning in 2020 and 2021 that the hacker behind the SolarWinds attack — which the U.S. government attributed to the Russian Foreign Intelligence Service — also accessed their systems but “each negligently minimized its cybersecurity incident in its public disclosures.”

For Unisys specifically, the SEC found that the company continued to describe the risk of cybersecurity events as hypothetical even after learning that the SolarWinds hackers had breached its systems twice and stolen gigabytes of data.

Avaya was criticized for saying in a public notice that the hacker had access to a “limited number” of email messages despite knowing the threat actor also accessed 145 other files.

Check Point only described the incident in generic terms and Mimecast “minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.”

Jorge Tenreiro, acting chief of the SEC Crypto Assets and Cyber Unit, criticized the companies that framed the cybersecurity risk hypothetically or generically when the companies knew the risks “had already materialized.”

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” he said. “The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”

All four companies cooperated with the investigation and settled the charges without admitting or denying the SEC’s findings.

When contacted for comment, each of the four companies confirmed its settlement with the SEC, though some said that while they disagree with the findings, they wanted to put the matter behind them.

A spokesperson for Check Point said the company had already discussed the matter in a Form 6-K filed with the SEC in December 2023.

“As mentioned in the SEC’s order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed,” a spokesperson told Recorded Future News.

“Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world.”

Mimecast said in a statement that it made “extensive disclosures” during its response to the incident in 2021 and was transparent with both partners and customers.

Avaya’s statement resembled the others, reiterating that the company is pleased to have resolved the matter with the SEC.

A Unisys spokesperson declined to comment beyond an SEC filing the company made on Tuesday announcing the settlement.

In the filing, the company said the $4 million civil penalty was fully accrued in the company’s 2023 financials and the cash impact was assumed in its 2024 free cash flow.

“The SEC recognized the Company’s cooperation in its investigation and the remediation steps the Company has taken in the years since disclosing a material weakness in November 2022, including enhancing disclosure policies and procedures and augmenting its cybersecurity personnel and tools, both internally and externally, to strengthen its cybersecurity risk management and protections,” the company said in the filing.

The SolarWinds incident — in which Russian operatives inserted malware into a version of SolarWinds’ Orion IT monitoring application, giving them a foothold in high-value targets that installed the trojanized update — has become one of the most consequential cyber incidents in history.

Dozens of companies and government agencies were affected by the attack, including the departments of Commerce, Defense, Energy, Homeland Security, Justice, Treasury and State.

The SEC also brought an unprecedented case against SolarWinds itself and its Chief Information Security Officer Timothy Brown, alleging they misled investors by “overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks” from 2017 to 2021.

In July, a U.S. District Court judge dismissed most of that case, finding that the bulk of the government’s charges against SolarWinds “impermissibly rely on hindsight and speculation.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Source: https://therecord.media/sec-fines-companies-solarwinds-disclosures