“Monday morning quarterbacking” refers to criticizing the actions or decisions of others after the fact, using hindsight to assess situations and specify alternative solutions.
Recently, SEC Commissioners Hester Peirce and Mark Uyeda blasted the SEC for “Monday morning quarterbacking” in a set of recent enforcement actions.
First, some background.
This 2023 post highlighted the SEC’s enforcement action against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
The SEC’s complaint, filed in the Southern District of New York, alleged that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.
As highlighted in this prior post, in July 2024, Judge Paul Engelmayer rejected the SEC’s broad internal controls enforcement theory. In dismissing those charges, the judge stated that “the history and purpose of the [FCPA] confirm that cybersecurity controls are outside the scope of [the internal controls provisions].”
Certain portions of the SEC’s non-internal controls claims against SolarWinds remain pending.
Meanwhile, last week the SEC announced that it “charged four current and former public companies – Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited – with making materially misleading disclosures regarding cybersecurity risks and intrusions.”
As stated in the SEC release:
“The charges against the four companies result from an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity.
[…]
According to the SEC’s orders, Unisys, Avaya, and Check Point learned in 2020, and Mimecast learned in 2021, that the threat actor likely behind the SolarWinds Orion hack had accessed their systems without authorization, but each negligently minimized its cybersecurity incident in its public disclosures. The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data. The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls. The SEC’s order against Avaya finds that it stated that the threat actor had accessed a “limited number of [the] Company’s email messages,” when Avaya knew the threat actor had also accessed at least 145 files in its cloud file sharing environment. The SEC’s order against Check Point finds that it knew of the intrusion but described cyber intrusions and risks from them in generic terms. The order charging Mimecast finds that the company minimized the attack by failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed.”
Without admitting or denying the SEC’s findings, Unisys agreed to pay a $4 million civil penalty; Avaya a $1 million civil penalty; Check Point a $995,000 civil penalty; and Mimecast a $990,000 civil penalty.
Commissioners Peirce and Uyeda objected to the enforcement actions and released this blistering statement.
It states in pertinent part:
“According to the Government Accountability Office, the 2019-2020 cyberattacks against SolarWinds Corporation (“SolarWinds”) and its Orion software were “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and the private sector.” It was an attack against America. How has the Commission responded? By first charging SolarWinds in district court and, in today’s settled proceedings, charging four customers of its Orion software, with violations of the federal securities laws. Today’s proceedings impose nearly $7 million in penalties against these victims of the cyberattacks.
The four proceedings can be divided into two categories. Two of the companies – Avaya Holdings Corp. (“Avaya”) and Mimecast Limited (“Mimecast”) – disclosed information about the cyberattack. However, the Commission finds that the disclosures omitted certain material information. The other two companies – Check Point Software Technologies Ltd. (“Check Point”) and Unisys Corporation (“Unisys”) – did not update an existing risk factor in response to the cyberattack. The Commission finds that those risk factors became materially misleading without disclosure that the Orion software in the companies’ respective network had been compromised.
The common theme across the four proceedings is the Commission playing Monday morning quarterback. Rather than focusing on whether the companies’ disclosure provided material information to investors, the Commission engages in a hindsight review to second-guess the disclosure and cites immaterial, undisclosed details to support its charges. Accordingly, we dissent.”
[…]
“Cybersecurity incidents are one of a myriad of issues that most companies face. The Commission needs to start treating companies subject to cyberattacks as victims of a crime, rather than perpetrators of one. Yes, the Commission must protect investors by ensuring that companies disclose material incidents, but donning a Monday morning quarterback’s jersey to insist that immaterial information be disclosed — as the Commission did in today’s four proceedings — does not protect investors. It does the opposite.”