SEC Dismisses Remains of Lawsuit Against SolarWinds and Its CISO
None
<p>The Securities and Exchange Commission (SEC) this week <a href="https://www.sec.gov/files/litigation/complaints/2025/comp26423.pdf" target="_blank" rel="noopener">dismissed</a> what remained of its two-year-old, high-profile lawsuit against SolarWinds and its CISO stemming from the massive supply chain attack launched by a Russian nation-state threat group that was detected in 2020.</p><p>The decision by the U.S. agency comes a more than a year after U.S. District Court Judge Paul Engelmayer <a href="https://securityboulevard.com/2024/07/judge-dismisses-most-sec-charges-against-solarwinds/" target="_blank" rel="noopener">threw out most of the case</a> against the software maker and its top cybersecurity offer, Timothy Brown, writing in a 107-page decision that the charges about disclosures the company and CISO made after the attack “do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation.”</p><p>Fifteen months later, the SEC <a href="https://www.sec.gov/enforcement-litigation/litigation-releases/lr-26423" target="_blank" rel="noopener">dismissed</a> the remaining charges, in agreement with SolarWinds and Brown.</p><p>“Today marks the end of a transformative chapter for SolarWinds and the beginning of our next,” SolarWinds President and CEO Sudhakar Ramakrishna <a href="https://www.solarwinds.com/blog/forged-in-fire-focused-on-the-future" target="_blank" rel="noopener">wrote in a blog post</a>. “With the U.S. Securities and Exchange Commission dropping its case against both SolarWinds and our CISO, Tim Brown, we close an era that challenged our company, our team, and our principles. We emerge stronger, more secure, and better prepared than ever for what lies ahead.”</p><h3>High-Profile Supply Chain Attack</h3><p>In the Sunburst attack, Russian-backed bad actors identified as APT29 hacked into SolarWinds’ Orion platform and created trojanized updates to the Orion performance monitoring software. Threat groups then took advantage of the malicious updates to install stealthy malware on the networks of SolarWinds customers and steal data and spy on other organizations.</p><p>There was a broad array of victims, including both government agencies and private corporations.</p><p>The SEC took a big swing at SolarWinds and Brown, accusing them of making false or misleading claims to investors about the strength of the company’s security measures and downplaying risks between 2017 and 2021.</p><h3>CISOs at Risk</h3><p>Including Brown in the lawsuit sent wave of angst and concern among CISOs and other top cybersecurity executives at other organizations, who now found that they, too, could be held liable for cyberattacks at their companies.</p><p>A survey of IT security decision-makers last year by security vendor BlackFog found that 70% of respondents said cases like Brown’s – where the CISO is held personally responsible for cybersecurity incidents – <a href="https://www.blackfog.com/personal-liability-cybersecurity-leaders/" target="_blank" rel="noopener">negatively affected their opinions</a> about the position, and 34% said being prosecuted after an attack <a href="https://securityboulevard.com/2024/12/charges-against-cisos-create-worries-hope-in-security-industry-survey/" target="_blank" rel="noopener">creates a no-win situation</a> for them.</p><p>“The role of the CISO is all about managing risk for the organization, but, as regulations tighten, security leaders increasingly need to consider their own personal risk,” BlackFog founder and CEO Darren Williams said in a statement at the time. “High-profile instances of individuals being charged will no doubt add to the pressures they feel but could also be a catalyst for boards [of directors] to support their leaders.”</p><h3>‘Frustration, Concern, and Fear’</h3><p>In an interview last year with endpoint security vendor Tanium, Jessica Nall, a partner at the Chicago-based law firm Baker McKenzie LLP, talked about “a <a href="https://www.tanium.com/blog/the-feds-are-coming-for-cisos-heres-how-to-steer-clear/" target="_blank" rel="noopener">rising level of concern</a>, obviously. The role of the CISO has become increasingly difficult as we layer in new technologies like AI governance. … It’s getting to be a harder job. … There are definite feelings of frustration, concern, and fear, especially since the SolarWinds SEC enforcement action.”</p><p>In reaction, some cyber insurance companies began offering professional liability insurance coverage for CISOs.</p><p>Insurance firm <a href="https://www.prnewswire.com/news-releases/crum--forster-introduces-professional-liability-insurance-for-chief-information-security-officers-302300733.html?tc=eml_cleartime" target="_blank" rel="noopener">Crum & Foster said its program</a> was “to protect CISOs from personal liability in an increasingly challenging risk landscape. The policy offers crucial coverage for CISOs who, despite their pivotal role in defending organizations against complex cyber threats, often lack the same protections afforded to other senior executives designated as legal officers of the organization.”</p><h3>‘A Pivotal Moment’ for SolarWinds</h3><p>In its joint statement with SolarWinds and Brown, the SEC said the “decision to seek dismissal is ‘in the exercise of its discretion’ and ‘does not necessarily reflect the Commission’s position on any other case.’”</p><p>SolarWinds’ Ramakrishna wrote that the Sunburst attack “marked a pivotal moment” for the company, forcing it transform itself into a company that thought more deeply about emerging threats and processes like “Secure by Design.” It also pushed back against the charges brought by the SEC, he wrote.</p><p>“We said from the beginning – and demonstrated during the litigation – the claims were unfounded, and we are happy the SEC has finally decided to abandon them,” the CEO wrote. “We stood firmly with our CISO, Tim Brown, and this decision affirms our belief that our team acted with integrity throughout.”</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/sec-dismisses-remains-of-lawsuit-against-solarwinds-and-its-ciso/" data-a2a-title="SEC Dismisses Remains of Lawsuit Against SolarWinds and Its CISO"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fsec-dismisses-remains-of-lawsuit-against-solarwinds-and-its-ciso%2F&linkname=SEC%20Dismisses%20Remains%20of%20Lawsuit%20Against%20SolarWinds%20and%20Its%20CISO" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fsec-dismisses-remains-of-lawsuit-against-solarwinds-and-its-ciso%2F&linkname=SEC%20Dismisses%20Remains%20of%20Lawsuit%20Against%20SolarWinds%20and%20Its%20CISO" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fsec-dismisses-remains-of-lawsuit-against-solarwinds-and-its-ciso%2F&linkname=SEC%20Dismisses%20Remains%20of%20Lawsuit%20Against%20SolarWinds%20and%20Its%20CISO" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fsec-dismisses-remains-of-lawsuit-against-solarwinds-and-its-ciso%2F&linkname=SEC%20Dismisses%20Remains%20of%20Lawsuit%20Against%20SolarWinds%20and%20Its%20CISO" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fsec-dismisses-remains-of-lawsuit-against-solarwinds-and-its-ciso%2F&linkname=SEC%20Dismisses%20Remains%20of%20Lawsuit%20Against%20SolarWinds%20and%20Its%20CISO" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>