The U.S. Securities and Exchange Commission (SEC) recently announced fines amounting to nearly $7 million for violations of financial disclosure rules in the wake of the SunBurst attack on SolarWinds.
The fines, against four SolarWinds customers, signal a new and pointed push for private-sector transparency around adverse cybersecurity incidents for both software development organizations and their customers.
To meet the challenge, publicly traded firms will need to upgrade both their incident response practices and tooling to better respond to software supply chain risk. Here's what you need to know about the SEC action.
[ See Special Report: How to Manage Commercial & Third-Party Software Risk ]
Fine size depends on level of risk minimization
The SEC investigation found evidence that all four firms knew that their IT environments were compromised as a result of the SolarWinds attack but each one “negligently minimized its cybersecurity incident in its public disclosures.”
In an October 22 statement, the SEC said that Unisys will pay a $4 million civil penalty for its failure to disclose to its investors that it was impacted by the breach of SolarWinds, that Avaya will pay a $1 million civil penalty, that Check Point Software Technologies was assessed a $995,000 civil penalty, and that Mimecast received a $990,000 civil penalty.
The varying sizes of the fines appear to relate to the extent to which the firms in question minimized the scope of the cyber-incident in their SEC filings. For example, Unisys paid the largest fine, having described the risks from cybersecurity events in purely hypothetical terms in SEC filings subsequent to the disclosure of the attack on SolarWinds, despite knowing that it was the victim of two SolarWinds-related intrusions that resulted in the theft of gigabytes of data, the SEC said.
The SEC’s order against Avaya found that the company stated that the threat actor accessed a “limited number of [the] Company’s email messages,” despite knowing that the threat actor also accessed at least 145 files in its cloud file-sharing environment — information that was not disclosed to investors. Likewise, the SEC’s order against CheckPoint found that the company knew of the intrusion but described subsequent cyber-intrusions and risks from them only in generic terms in its SEC filings. And the SEC’s order cited Mimecast for failing to disclose that the threat actor behind the SolarWinds campaign had exfiltrated sensitive code and encrypted credentials from the company’s environment.
The federal push for software transparency
The SEC’s fines and actions are based on established rules regarding the need for publicly traded firms to disclose “material events” in quarterly filings or annual filings (8-K, 10-Q) in addition to information on their cybersecurity risk management and governance practices (10-K) so that investors can honestly assess a company when making investment decisions.
Generally, materiality is defined as any information that might sway a “reasonable investor’s” decision to buy, sell, or hold on to shares. In assessing materiality, companies must determine whether an incident has the potential to cause substantial harm to their business, stakeholders, or reputation and whether it exposes them to regulatory, legal, or financial risks. That includes operational disruptions as well as regulatory or litigation risks.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors."
—SEC Chair Gary Gensler
In 2023, the SEC issued more guidance on material cyber-breaches, requiring companies to disclose in 8-K filings “any cybersecurity incident they determine to be material” within four business days of its discovery and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the firm. Material incident reporting requires ongoing updates as the impact or nature of the incident
These changes raise the bar for publicly traded firms to identify and respond to cyber-incidents or face significant penalties. That includes stealthy software supply chain attacks in which malicious code hides inside of signed software updates received from trusted suppliers.
Wanted: New tools to detect supply chain attacks
The SEC’s actions make it clear that publicly traded firms that do not currently have a way of assessing commercial binaries for embedded cyber-risks such as those in the compromise of SolarWinds’ Orion software will need to start doing so if they hope to avoid civil penalties like those imposed on Unisys and the others. Specifically, companies must describe how they assess, identify, and manage cybersecurity risks in their 10-K. This includes whether they have processes for overseeing risks from third-party service providers, in this case, software vendors.
To date, however, few organizations have the tooling and talent needed to detect and respond to such attacks, said Joshua Knox, senior cybersecurity technologist at ReversingLabs.
“The SEC's actions make it clear that 'we didn't know' is no longer an acceptable defense. Companies need to invest in modern security tools that can analyze their binaries and detect tampering in their software supply chain. Without these capabilities, organizations are not only at risk of breaches, but also regulatory penalties."
—Joshua Knox
Tougher disclosure rules demand an upgrade of existing application security tooling such as static application security (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) to incorporate complex binary analysis that can spot evidence of tampering or malware – giving end-user organizations an early warning about software supply chain threats. Upgrading tooling to more modern approaches such as complex binary analysis and reproducible builds can prevent compromises or, at the very least, provide the information needed to make accurate disclosures to regulatory bodies such as the SEC, said Knox.
Spectra Assure, ReversingLabs’ software supply chain security solution, provides customers with such an upgrade. It allows security teams to peer into commercial and third-party binaries to spot security risks, including the presence of malware, evidence of tampering and outdated or suspicious code — providing an early warning about risks lurking in commercial software updates.
