SEC Dismisses Remains of Lawsuit Against SolarWinds and Its CISO

The Securities and Exchange Commission has dismissed the remaining claims in its high-profile, two-year lawsuit against SolarWinds and the company’s chief information security officer, Timothy Brown. The move effectively closes the government’s case tied to the 2020 Sunburst supply chain attack, a breach attributed to a Russian state-backed group that reshaped how enterprises and regulators think about software supply chain risk.

The SEC’s dismissal follows a major setback for the agency more than a year ago, when U.S. District Court Judge Paul Engelmayer tossed out most of the claims against SolarWinds and Brown. In a 107-page ruling, the judge wrote that the allegations about the company’s disclosures after the attack “do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation.”

Fifteen months later, the SEC agreed with SolarWinds and Brown to dismiss the charges that were still pending. In a joint statement, the Commission emphasized that its “decision to seek dismissal is in the exercise of its discretion and does not necessarily reflect the Commission’s position on any other case.”

The Sunburst backdrop

At the heart of the matter was the Sunburst intrusion, in which a Russian nation-state threat group identified as APT29 compromised SolarWinds’ Orion IT monitoring platform. Attackers inserted malicious code into legitimate software updates, which were then pushed to customers. Those tampered updates opened a stealthy backdoor on victim networks, enabling data theft and surveillance across a wide range of targets spanning U.S. government agencies and private enterprises.

SEC allegations—and their ripple effects

The SEC had accused SolarWinds and Brown of making false or misleading statements to investors about the company’s security posture and cyber risk between 2017 and 2021. The inclusion of a sitting CISO as a defendant sent shockwaves through the security community, raising fears that individual security leaders could face personal liability for organizational breaches.

That concern was reflected in industry sentiment. A 2024 survey by security vendor BlackFog found that 70% of IT security decision-makers said cases like Brown’s negatively affected their views of the CISO role, and 34% believed the prospect of prosecution after an incident creates a no-win scenario for those leaders. “The role of the CISO is all about managing risk for the organization,” BlackFog founder and CEO Darren Williams said at the time. “High-profile instances of individuals being charged will no doubt add to the pressures they feel but could also be a catalyst for boards to support their leaders.”

Legal experts echoed that anxiety. “There’s a rising level of concern, obviously. The role of the CISO has become increasingly difficult as we layer in new technologies like AI governance. … It’s getting to be a harder job,” said Jessica Nall, a partner at law firm Baker McKenzie, in a 2024 interview with endpoint security vendor Tanium. “There are definite feelings of frustration, concern, and fear, especially since the SolarWinds SEC enforcement action.”

Insurance steps in

As the case reverberated across boardrooms, some insurers introduced policies aimed at protecting individual security leaders. Crum & Forster, for example, launched professional liability coverage “to protect CISOs from personal liability in an increasingly challenging risk landscape,” noting that CISOs, “despite their pivotal role in defending organizations against complex cyber threats, often lack the same protections afforded to other senior executives designated as legal officers of the organization.”

SolarWinds: “We emerge stronger”

SolarWinds President and CEO Sudhakar Ramakrishna framed the dismissal as the close of a difficult chapter and the start of a stronger phase for the company. “Today marks the end of a transformative chapter for SolarWinds and the beginning of our next,” he wrote in a blog post. “With the U.S. Securities and Exchange Commission dropping its case against both SolarWinds and our CISO, Tim Brown, we close an era that challenged our company, our team, and our principles. We emerge stronger, more secure, and better prepared than ever for what lies ahead.”

Ramakrishna called the Sunburst breach “a pivotal moment” that pushed the company to double down on its “Secure by Design” program and rethink its approach to emerging threats. He also reiterated the company’s long-held position on the SEC’s claims: “We said from the beginning—and demonstrated during the litigation—the claims were unfounded, and we are happy the SEC has finally decided to abandon them. We stood firmly with our CISO, Tim Brown, and this decision affirms our belief that our team acted with integrity throughout.”

What the dismissal means for CISOs

While the SEC’s decision lifts a cloud from SolarWinds and Brown, its statement makes clear the agency is not setting a broad precedent. For CISOs, the underlying pressures remain: heightened disclosure expectations, complex threat landscapes, and scrutiny from regulators, investors, and boards.

Still, the outcome may temper fears of retroactive second-guessing when organizations act in good faith during fast-moving incidents. The broader lesson for security leaders and boards is unchanged: align cyber risk disclosures with reality, document decisions and risk trade-offs, and ensure governance, audit, and legal teams are part of incident and disclosure workflows.

The bottom line

The SEC’s retreat from the remaining SolarWinds claims ends one of the most closely watched cybersecurity enforcement actions in recent memory. The case sparked intense debate about personal accountability for security leaders, the boundaries of investor disclosures during crises, and the long tail of supply chain risk. With the legal battle over, the industry will continue to grapple with those themes—this time with a clearer reminder that discretion, documentation, and board-level support are essential parts of the CISO toolkit.
