On October 22, 2024, the Securities and Exchange Commission (“SEC”) charged four current or former publicly traded companies with disseminating materially misleading disclosures regarding cybersecurity risks and actual infiltrations. The charges arose from an investigation of companies impacted by the well-publicized 2020 cybersecurity incident involving SolarWinds Corporation’s flagship Orion software platform. The SEC charged that each of these companies learned in either 2020 or 2021 that the perpetrator of the SolarWinds Orion cyberattack had also infiltrated their respective systems, but in their respective public disclosures in 2021 and/or 2022, each company negligently minimized the impact of the cybersecurity incident.
The SEC Staff reiterated its position that, although public companies may be victims of cyberattacks, they may not harm their shareholders or the investing public by issuing misleading disclosures about such cybersecurity incidents. The SEC alleged that each company violated Section 13(a) of the Securities Exchange Act of 1934, as amended, as well as the respective rules promulgated thereunder that require public companies to file annual, quarterly and current reports in conformity with the SEC’s rules and regulations. The companies agreed to settle the SEC’s charges as follows: Company A agreed to a $990,000 civil penalty. In multiple Forms 8-K filed in 2021, Company A minimized the severity of the attack on it by, among other things, failing .