Check Point, Mimecast Settle SEC Case From SolarWinds Hack
SEC: Check Point, Mimecast Disclosures Didn't Capture Severity of SolarWinds Hack
Check Point and Mimecast will each pay federal regulators nearly $1 million to settle charges of making materially misleading disclosures related to the SolarWinds Orion hack.
The U.S. Securities and Exchange Commission alleged public disclosures from Check Point and Mimecast didn't capture the severity of the SolarWinds compromise on their businesses, misleading investors about the extent of the incidents and the potential fallout. Digital communications company Avaya and IT services behemoth Unisys also settled with the SEC on this matter and agreed to pay fines.
“Downplaying the extent of a material cybersecurity breach is a bad strategy,” said SEC Acting Chief Jorge Tenreiro. “In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned-of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
The SEC said Check Point provided generic disclosures about cyber risks and failed to disclose material risks specific to its own systems, even after discovering malicious activity linked to the SolarWinds hack. Mimecast was accused of failing to fully disclose the extent of data exfiltration after the hack, including encrypted credentials for 31,000 customers and source code related to its Microsoft 365 integration.
A Check Point spokesperson told Information Security Media Group the company decided that cooperating and settling the dispute with the SEC was in its best interest, while a Mimecast spokesperson told ISMG the firm resolved the matter with the SEC to put it behind the company. Neither Silicon Valley-based Check Point Software nor Boston-area Mimecast admitted wrongdoing as part of the settlement (see: Why SEC, SolarWinds Eye Settlement Talks in Cyber Fraud Case).
"While public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” Sanjay Wadhwa, acting director of the SEC’s Division of Enforcement, said in a statement.
SEC: Where Check Point's Response to the SolarWinds Hack Fell Short
In December 2020, Check Point identified two servers on its network running compromised versions of the SolarWinds Orion software, which had been infiltrated by the Russian foreign intelligence service. A third-party vendor also informed Check Point about unauthorized activity in its environment related to the SolarWinds attack, the SEC order stated. Check Point agreed to settle and pay a $995,000 penalty.
Check Point's internal probe found unauthorized activity occurred between July and October 2020. The attack compromised two Check Point corporate accounts and involved unauthorized communications with the threat actor's command-and-control server. There was evidence of unauthorized software execution - used in preparation for data exfiltration - and attempts to move laterally within the network.
Despite discovering this significant breach, Check Point kept using generic cybersecurity risk disclosures in its 2021 and 2022 annual reports, which didn't name SolarWinds and were nearly identical to its pre-breach filings in 2020, the SEC said. The disclosures did not adequately reflect the actual risk posed by the SolarWinds attack and the subsequent compromises within Check Point's network, according to the SEC.
Check Point did not admit or deny the SEC's findings but acknowledged the materiality of the risks posed by the breach. The company cooperated significantly with the SEC by voluntarily providing detailed analyses, conducting an internal investigation and taking steps to enhance its cybersecurity controls. This cooperation helped expedite the investigation and resolve the matter, according to the SEC.
"Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code or other sensitive information was accessed," a company spokesperson told ISMG in an emailed statement. "Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest."
SEC: Where Mimecast's Response to the SolarWinds Hack Fell Short
In December 2020, Mimecast identified systems within its network that had installations of SolarWinds Orion software infected by malicious code. Then in January 2021, Mimecast found the same threat actor had compromised one of its authentication certificates used by about 10% of its customers to connect to Microsoft 365. The threat actor used the certificate to access five customers' cloud platforms.
Mimecast's investigation found the attacker accessed internal emails, source code related to Microsoft 365 authentication and data exgestion - an internal Mimecast process that converts email data stored in Mimecast's proprietary storage format into an open format - and a database with encrypted credentials for about 31,000 customers. The attacker also obtained server configuration data for approximately 17,000 customers. While Mimecast disclosed some aspects of the compromise, the company allegedly omitted key details.
For example, Mimecast did not disclose the exact nature of the source code that was exfiltrated, which included 58% of its exgestion source code and large pieces of M365 authentication and interoperability code. Omitting this - as well as the number of customers affected - created a misleading impression of the scope of the breach and misled investors about the impact of the compromise, the SEC alleged.
In public filings, Mimecast downplayed the breach's scope, saying the source code taken was "incomplete and would be insufficient to build or run any aspect" of the company's services. But the SEC found this statement was misleading because the exfiltrated code was crucial for key security functionality in Mimecast's tools, and its exposure to a nation-state threat actor was material information for investors.
Mimecast settled the charges by agreeing to pay a $990,000 penalty without admitting or denying the SEC's findings. The SEC cited Mimecast’s cooperation, including conducting an internal investigation, enhancing cybersecurity controls, and voluntarily sharing findings with regulators and affected clients. Mimecast also took remedial actions such as enhancing its incident response procedures, the SEC said.
"We believed that we complied with our disclosure obligations based on the regulatory requirements at that time," a Mimecast spokesperson told ISMG in an emailed statement. "We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers."