On October 22, 2024, Republican SEC Commissioners Hester Peirce and Mark Uyeda issued a joint dissent sharply criticizing charges brought against four companies for allegedly making materially misleading disclosures regarding cybersecurity. The charges stemmed from the SEC’s investigation into public companies impacted by the widespread 2019–2020 compromise of SolarWinds’ Orion software. The companies agreed to pay civil penalties ranging from $900,000 to $4 million.
According to the SEC’s orders against the four companies — Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd., and Mimecast Ltd. — each was aware that a threat actor had accessed their systems as a result of the SolarWinds Orion hack but negligently minimized these cybersecurity incidents in public disclosures filed with the SEC.
The dissent characterizes the enforcement allegations as being of two types:
(1) Failing to disclose material information (in the cases of Avaya and Mimecast); and
(2) Failing to update an existing risk factor in response to a cyberattack (in the cases of Check Point and Unisys).
However, Peirce and Uyeda accused the majority commissioners of “playing Monday morning quarterback” and giving insufficient attention to whether the omitted disclosures would truly be material to investors in light of all the other information available to them.
Reviewing the Avaya order, the dissent took issue with the majority’s view that not disclosing the identity of the threat actor constituted a material omission. As such attribution was never mentioned as being material in any comment letters to the SEC during its “cybersecurity rule” rulemaking, the dissent believes it highly unlikely that investors would view attribution as material. Furthermore, at the time of Avaya’s disclosure, the attribution of the SolarWinds attack was already widely reported in the media. This, the dissenters say, is an example of the majority’s focus on immaterial “details regarding the incident itself” rather than its overall “impact.”
With respect to Mimecast, the majority took issue with its failure to disclose the number or percentage of encrypted customer credentials that were accessed by the threat actor, and the failure to state the amount of source code downloaded by the threat actor. On both topics, the dissent argues that the majority failed to assess Mimecast’s disclosure “as a whole.” The dissent highlights that Mimecast’s disclosure stated that the credentials were reset, and there was no evidence of any access to its customers’ email or archive content. Mimecast also disclosed that it believed that the downloaded source code was “insufficient to build and run any aspect of the Mimecast service.”
In the case of Check Point, the dissent compared its disclosures to those made by SolarWinds. In the SolarWinds case brought by the SEC, the court rejected the argument that SolarWinds made “unacceptably boilerplate and generic” disclosures. Given the court’s decision, and the substantial similarity of Check Point’s disclosures to those of SolarWinds, the dissent was deeply skeptical about the case against Check Point.
The dissenters also discount the majority commissioners’ claims that Unisys framed cybersecurity events as hypothetical, notwithstanding that a compromise of its network had already occurred. Rather, the dissenters think that an enforcement action on this basis was unnecessary and that the majority failed to explain why any of the alleged omissions were material from a securities law perspective.
The dissent concludes that the majority failed to apply a “reasonable investor” standard in each of these orders. When adopting its cybersecurity rule, the SEC recognized that immaterial disclosure may “divert investor attention” and result in “mispricing of securities,” and the dissenters foresee that the practical effect of these enforcement actions will be an increase in filings reporting on immaterial events.