In a landmark decision that sent a wave of relief through corporate security offices, the U.S. Securities and Exchange Commission (SEC) has formally dismissed its remaining civil enforcement claims against SolarWinds Corp. and its CISO, Tim Brown, concerning the infamous 2020 Sunburst supply-chain attack.
The dismissal, filed on Thursday, Nov. 20, marks the end of a high-profile legal battle that had been closely watched as a potential precedent for individual CISO liability and corporate cybersecurity disclosure. As reported by CRN, SolarWinds characterized the outcome as a "vindication" of the company's position, asserting that the team "acted with integrity throughout."
For the company and its executive, the resolution is absolute and welcome. The joint filing by the parties requested the dismissal "with prejudice," meaning the charges cannot be refiled. This brings closure to years of intense legal scrutiny following the 2023 complaint, which alleged securities fraud and internal control failures based on statements made before and after the attack.
Vindication and Integrity: For SolarWinds, the dismissal validates their fierce defense against the SEC's broad allegations. It affirms the company’s stance that they properly managed the incident and did not materially mislead investors. SolarWinds CEO Sudhakar Ramakrishna stated the company emerges "stronger, more secure, and better prepared" for the future (Source: American Banker, CyberScoop).
CISO Relief: For Tim Brown, this eliminates the immediate threat of being held personally liable for a state-sponsored cyberattack, a situation that cybersecurity leaders widely feared could criminalize the act of honestly documenting internal vulnerabilities. The removal of this risk allows him to focus fully on his responsibilities without the immense personal and professional distraction of federal litigation.
Brown posted about the decision on LinkedIn:
"It’s been a long road and I’m glad it is finally over. We did nothing wrong and fought relentlessly over the last three years to prove that. We did not take the easy road although it was tempting many times. I’m so thankful for SolarWinds, it is the best company and leadership team in the world. I’m also thankful for my security community. You allowed me to share, to teach, to vent, to laugh and to see some good come from my ordeal. I truly believe this would not have ended this way without the best legal teams in the world having our back."
He continued, "Finally, I need to thank my family; without their support I would not have gotten through this. I’ve learned a great deal, helped the world in some small ways and I’m able to end this saga with my head held high."
The greatest industry anxiety surrounding the SolarWinds case was the concept of the "chilling effect." The concern centered on the idea that if the SEC could successfully prosecute a CISO for allegedly not disclosing every known security deficiency—even when facing a sophisticated nation-state attack—it would discourage security teams from:
Documenting Risk: Teams might hesitate to create comprehensive internal risk reports, assessments, and "red-flag" memos if those very documents could be used as evidence against them in future litigation.
Candid Disclosure: Executives might become overly cautious, leading to generic, legally sanitized public statements that are less transparent and less useful to the investment community.
The decision to drop the case significantly eases these fears. As one SolarWinds spokesperson noted, they "hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work."
The outcome signals a recalibration in the SEC's enforcement approach, moving away from sweeping claims about basic security failures and controls. It suggests a narrower, more focused regulatory lens on cases involving demonstrable, material misrepresentation, rather than criminalizing the aftermath of a sophisticated breach.
While it is a victory for SolarWinds and the CISO community, security professionals mustn't interpret the dismissal as a green light to relax. The foundational legal and regulatory environment for cybersecurity disclosure has been permanently reset.
The SEC’s decision came after a federal judge in July 2024 gutted much of the original lawsuit, dismissing most of the claims, including the SEC's novel theory that internal accounting controls extended to source code security. This judicial pushback effectively limits the SEC's ability to pursue such expansive theories in the future.
The dismissal of the case over the 2020 attack does not change the SEC’s new, explicit cybersecurity disclosure rules. Public companies are now required to disclose a material cybersecurity incident within four business days of determining its materiality. The focus has shifted from retrospective argument about old internal controls to immediate, transparent disclosure of material events.
The most significant takeaway for security leaders is the need for absolute candor in public statements. If a company's public-facing security statements or marketing materials (like a "Security Statement" on a website) materially misrepresent the actual, known state of its security program, the risk of fraud claims remains high.
Hundreds of Brown's peers commented on his LinkedIn post, providing congratulations and support.
The SolarWinds dismissal offers a sigh of relief, but it does not equate to executive immunity. Instead, it offers a crucial clarification: while the SEC may have retreated from weaponizing the work of internal risk reporting, CISOs and enterprises must double down on robust security programs coupled with unambiguous, truthful public and investor disclosures under the SEC's new regime.