Cybersecurity, An Ongoing Threat

Cybersecurity is a great concern for organizations of all types and sizes. There is significant potential for a wide variety of issues to arise from a cyber incident. This is particularly true for public companies, which are required to make filings with the Commission that may involve disclosing the event and response.

Last week the Commission reported four proceedings in which issuers were charged with violations of the securities laws based on cyber incidents. See, e.g., In the Matter of Unisys Corporation, Adm. Proc. File No. 3-22272 (October 22, 2024).

Respondent is a Delaware corporation based in Blue Bell, Pennsylvania. The firm’s shares are traded on the NYSE. The company’s information technology network and resources regularly stored and transmitted its customers’ data and information as well as its own.

The matter here involving Unisys centers on two incidents. First, in December 2020 Unisys identified a computer that was part of its network that had a version of SolarWinds Orion software. The company believed the device had likely been infected with malicious code that allows for unauthorized activity on affected computers and networks. Unisys also received notifications about, and discovered, compromises of its environment. Those compromises took place over a period of about 16 months beginning in January 2020. The issues and compromises involved at least seven network credentials and 34 cloud-based accounts. At least 33 gigabytes of data had been transferred. Unisys was aware that its investigations involved gaps based on the activity analyzed. The firm also believed that the issues likely arose from a nation-state threat actor.

In its Form 10-K for the fiscal years ended December 31, 2020 and 2021, the firm made disclosures regarding the incident. Those disclosures were not accurate. Specifically, they did not accurately describe the intrusions. The disclosures also did not accurately describe the risk of unauthorized data access, phrasing it in hypothetical terms rather than specifically stating what happened.

Second, in July 2022, the firm encountered a separate threat actor: a Russian-speaking ransomware group that successfully compromised the network. This group successfully exfiltrated certain cybersecurity product and platform software code for products the company offers to customers.

Prior to December 2022, Unisys’ incident response policies did not reasonably require cybersecurity personnel to report information to company disclosure decision makers. It also did not require cybersecurity personnel to report information to the disclosure decision makers. Thus, senior cybersecurity personnel repeatedly failed to report incidents to executive management and the legal department.

Subsequently, the firm took a number of remedial steps regarding its policies and disclosed a material weakness in its disclosure controls. The complaint alleges violations of Securities Act Sections 17(a)(2) and 17(a)(3). The Commission considered the firm’s remedial acts and cooperation.

Respondent resolved the matter, consenting to the entry of a cease-and-desist order based on the Sections cited in the Order. In addition, Respondent agreed to pay a penalty of $4 million. See also In the Matter of Mimecast Ltd., Adm. Proc. File No. 3-22271 (Oct. 22, 2024) (similar incident and issues re cybersecurity incident; resolved on similar terms); In the Matter of Check Point Software Technologies, Ltd., Adm. Proc. File No. 3-22270 (Oct. 22, 2024) (similar issues and resolution); In the Matter of Avaya Holdings Corp., Adm. Proc. File No. 3-22269 (Oct. 22, 2024) (similar issues resolved on similar terms).
