Recent SEC enforcement actions against Unisys, Avaya, Check Point, and Mimecast underscore the need for stronger board-level oversight of cybersecurity disclosures.
The SEC charged these companies with misleading investors about cybersecurity risks, including incidents linked to the SolarWinds hack. In the SEC's view, the companies downplayed breaches or framed them as hypothetical, despite knowing of their significance. Unisys faced additional charges for lacking effective disclosure controls. Penalties ranged from $990,000 to $4 million, and all companies agreed to enhance their practices.
Why It Matters:
This move signals the SEC’s heightened focus on cybersecurity transparency. Board members must ensure accurate reporting of risks and strong internal controls to maintain compliance with SEC rules. The SEC action underscores that misleading disclosures, even if not intentional, can damage reputations and result in significant financial penalties.
Key Points:
What’s Next:
With increasing regulatory attention, boards should reassess cyber risk governance and disclosure policies to align with evolving SEC standards.
Recommendations:
Board members should ensure robust cybersecurity risk reporting and disclosure practices. Periodically review and update internal controls to reflect new threats and regulatory expectations.
For more on how to do this, see: Beyond Compliance: How the SEC’s Materiality Rules Should Transform Cybersecurity Oversight
For the full details of the SEC action, see SEC Press Release.