In the release, Sanjay Wadhwa, acting director of the SEC’s division of enforcement, stated, “as today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered.”
The SEC’s orders, he said, “find that these companies provided misleading disclosures about the incidents at issue, leaving investors in the dark about the true scope of the incidents.”
All four organizations, the release stated, learned in either 2020 or 2021 that “the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures.”