The Securities and Exchange Commission (SEC) has issued fines to four cybersecurity companies for minimizing the effects of the 2020 Russian hack on SolarWinds, misleading investors about the breach’s impact on their own networks.

The companies, IT security firms Check Point and Mimecast, IT solutions provider Unisys, and cloud collaboration software maker Avaya, each “agreed to cease and desist from future violations of the charged provisions and to pay the penalties,” according to a press release.

“Downplaying the extent of a material cybersecurity breach is a bad strategy,” Jorge Tenreiro, acting chief of the SEC’s crypto assets and cyber unit, said in a statement.

In the 2020 SolarWinds hack, suspected Russian hackers infiltrated various US government agencies and private companies by compromising software updates from SolarWinds, a Texas-based IT provider serving thousands of enterprise clients.

According to the SEC, Unisys referred to the breach as “hypothetical” even though it knew about two SolarWinds-related intrusions that resulted in the exfiltration of gigabytes of data. As a result, it’ll pay a $4 million civil penalty.

Meanwhile, Avaya told investors the hack impacted only a limited number of email messages; however, the attackers had actually accessed at least 145 files. The company has agreed to a $1 million fine.

Check Point “knew of the intrusion but described cyber intrusions and risks from them in generic terms,” the SEC explained. For this, Check Point will pay $995,000.

Finally, Mimecast will pay a fine of $990,000, the least of all the companies, for failing to disclose details about the type of computer code stolen by hackers and the amount of encrypted credentials taken.

“In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures,” Tenreiro said.

The SEC has become stricter about enforcing its cybersecurity disclosure requirements.

Last year, the agency introduced new regulations mandating that companies disclose any cybersecurity incidents with a material impact on their operations within four business days.