{"id":6294,"date":"2025-12-22T07:00:00","date_gmt":"2025-12-22T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6294"},"modified":"2025-12-22T07:00:00","modified_gmt":"2025-12-22T07:00:00","slug":"what-cisos-should-know-about-the-solarwinds-lawsuit-dismissal","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6294","title":{"rendered":"What CISOs should know about the SolarWinds lawsuit dismissal"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The US Securities and Exchange Commission\u2019s Nov. 30 <a href=\"https:\/\/www.sec.gov\/enforcement-litigation\/litigation-releases\/lr-26423\">decision to dismiss its lawsuit<\/a> against SolarWinds and its CISO, Tim Brown, was met with immediate and widespread joy across the cybersecurity leadership community.<\/p>\n<p>For many CISOs, the dismissal landed not as an abstract legal development, but as something deeply personal. \u201cThank God,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/gadievron\/?originalSubdomain=il\">Gadi Evron<\/a>, CEO and founder of Knostic and CISO in Residence for AI at the Cloud Security Alliance, said when he learned of the dismissal. \u201cPeople are feeling relieved, and there is a sense of community and celebrating together,\u201d he tells CSO.<\/p>\n<p>\u201cI breathed a sigh of relief,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/dianakelleysecuritycurve\/\">Diana Kelley<\/a>, CISO of Noma Security, tells CSO. After five years of investigation, litigation, and public scrutiny, \u201cI think a lot of CISOs [let out a collective exhale] around this case,\u201d she adds.<\/p>\n<p>That collective sense of relief, however, should not be mistaken for closure. 
Experts emphasize that the case did not erase the personal and professional risks of being a CISO, nor did it resolve the deeper structural tension it exposed. Security leaders are still held publicly accountable for cyber failures while lacking full authority over budgets, disclosures, and enterprise risk decisions.<\/p>\n<p>Even though <a href=\"https:\/\/www.csoonline.com\/article\/657599\/sec-sues-solarwinds-and-its-ciso-for-fraudulent-cybersecurity-disclosures.html\">the SolarWinds case<\/a> sparked a deeper recognition that cybersecurity should be a shared responsibility across enterprises, shifting policy priorities and future administrations could once again put CISOs in the SEC\u2019s crosshairs, they warn.<\/p>\n<p>In the meantime, the legal saga of Tim Brown \u2014 along with <a href=\"https:\/\/www.justice.gov\/usao-ndca\/pr\/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach#:~:text=The%20circumstances%20regarding%20Sullivan's%20violations,Uber's%20response%20to%20the%20FTC.\">the federal conviction<\/a> of former Uber CISO Joe Sullivan in 2022 \u2014 highlights critical steps CISOs can take to protect themselves and their organizations before any similar litigation arises in the future.<\/p>\n<h2 class=\"wp-block-heading\">Overview of the case: From Russian hackers to dismissal<\/h2>\n<p>To understand why the SolarWinds case sent such a chill through the CISO community, and why its dismissal matters, a <a href=\"https:\/\/www.csoonline.com\/article\/570537\/the-solarwinds-hack-timeline-who-knew-what-and-when.html\">recap of how the breach unfolded<\/a> and how the SEC framed its claims is useful.<\/p>\n<p>Beginning in 2019 and continuing through November 2020, threat actors \u2014 widely believed to be the threat group known as APT29 or Cozy Bear, part of Russia\u2019s foreign intelligence service, the SVR \u2014 <a 
href=\"https:\/\/www.csoonline.com\/article\/570191\/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html\">compromised the Orion IT management solution<\/a> sold by SolarWinds by inserting malicious code into a legitimate software update.<\/p>\n<p>Using malware called SUNBURST, the <a href=\"https:\/\/www.csoonline.com\/article\/570191\/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html\">attackers installed a backdoor<\/a> that affected roughly 18,000 customers, although a much smaller subset was selectively exploited, including multiple US government agencies and major companies.<\/p>\n<p>Years after the technical compromise itself, the fallout took a more personal turn. Amid a streak of other publicly alarming, high-profile breaches in the US, on Oct. 30, 2023, the US Securities and Exchange Commission <a href=\"https:\/\/www.sec.gov\/newsroom\/press-releases\/2023-227\">filed a civil action against SolarWinds<\/a> and \u2014 to the shock of many \u2014 its CISO, Brown, alleging fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.<\/p>\n<p>The lawsuit claimed that SolarWinds and Brown <a href=\"https:\/\/www.csoonline.com\/article\/2810058\/federal-judge-greenlights-securities-fraud-charges-against-solarwinds-and-its-ciso.html\">defrauded investors by overstating SolarWinds\u2019 cybersecurity practices<\/a> and understating or failing to disclose known risks. 
On July 18, 2024, federal judge Paul Engelmayer <a href=\"https:\/\/www.nysd.uscourts.gov\/sites\/default\/files\/2024-07\/SolarWinds%20Opinion%20%28Dkt.%20125%29.pdf\">dismissed most of the lawsuit\u2019s claims<\/a>.<\/p>\n<p>\u201cHe basically dismissed all the charges in terms of post-incident activity and said it is easy to be a Monday morning quarterback, but you\u2019re going to have to prove that they really did something intentionally misleading,\u201d <a href=\"https:\/\/en.wikipedia.org\/wiki\/Joe_Sullivan_(cybersecurity)\">Sullivan<\/a>, who is also a former federal prosecutor and is now CEO of Joe Sullivan Security, tells CSO.<\/p>\n<p>The remaining claims focused on Brown and the degree to which cybersecurity statements posted on SolarWinds\u2019 website before the incident were appropriate in terms of advising customers of their risks. \u201cThe judge really focused on that one publication on the company\u2019s website that went into some specificity about what the company does from a cybersecurity perspective and got frankly fairly granular as far as these things go,\u201d <a href=\"https:\/\/www.alston.com\/en\/professionals\/p\/peterman-cara-m\">Cara Peterman<\/a>, partner with Alston &amp; Bird\u2019s Securities Litigation Group, tells CSO.<\/p>\n<p>The judge\u2019s reasoning reassured many security leaders, but it also exposed a more profound discomfort about how accountability is assigned inside modern organizations. \u201cThe area that a lot of us were really uncomfortable about was the idea that an operational head of security could be personally responsible for what the company says about its cybersecurity investments,\u201d Sullivan says.<\/p>\n<p>He adds, \u201cTim didn\u2019t have the CISO title before the incident. And so there was just a lot there that made security people very concerned. 
Why is this operational person on the hook for representations?\u201d<\/p>\n<p>But even if he had had the CISO role before the incident, the argument still holds, according to Sullivan. \u201cHistorically, the person who had that title wasn\u2019t a quote-unquote \u2018chief\u2019 in the sense that they\u2019re not in the little room of people who run the company,\u201d Sullivan says. \u201cThey don\u2019t report to the CEO; they don\u2019t get a huge budget.\u201d<\/p>\n<p>Perhaps in recognition of this fact, and after settlement talks among the SEC, SolarWinds, and Brown, the securities regulator dropped its suit.<\/p>\n<p>In a statement, company CEO Sudhakar Ramakrishna said, \u201cWe said from the beginning \u2014 and demonstrated during the litigation \u2014 the claims were unfounded, and we are happy the SEC has finally decided to abandon them. We stood firmly with our CISO, Tim Brown, and this decision affirms our belief that our team acted with integrity throughout.\u201d SolarWinds has kept Brown on as CISO and paid for his legal representation.<\/p>\n<h2 class=\"wp-block-heading\">Responsibility without authority is the real risk<\/h2>\n<p>At the heart of the SolarWinds lawsuit was a familiar problem for security leaders: <a href=\"https:\/\/www.csoonline.com\/article\/4016334\/has-ciso-become-the-least-desirable-role-in-business.html\">responsibility without authority<\/a>. The dynamic that caught Tim Brown in the SEC\u2019s jaws is that, despite his experience, seniority, and title, he, like most CISOs, carries tremendous responsibility without any real organizational authority to back him up \u2014 with concerns around personal liability in the face of that <a href=\"https:\/\/www.csoonline.com\/article\/3631759\/personal-liability-sours-70-of-cisos-on-their-role.html\">further souring many CISOs on the role<\/a>.<\/p>\n<p>\u201cWe have a lot of the responsibility and very little of the authority,\u201d Knostic\u2019s Evron says. 
\u201cThe organization manages the risk. Our job is to present the risk and to manage the risk once the organization decides what risk to take.\u201d<\/p>\n<p>\u201cWe work in a larger ecosystem,\u201d Noma Security\u2019s Kelley adds. \u201cWe are not all-powerful. We cannot make all decisions in a company. We must work within the budget. We can advocate for a budget, but then the budget is decided collaboratively by the business. The same with our resources for headcount, or decisions on what is allowed or what\u2019s not allowed in terms of new controls or new policies.\u201d<\/p>\n<p>However, since the lawsuits against Sullivan and Brown first emerged, CEOs and other high-ranking decision-makers have increasingly come under more pressure to accept some of the cyber incident legal liabilities that have often been the sole province of CISOs.<\/p>\n<p>\u201c<a href=\"https:\/\/www.csoonline.com\/article\/573871\/guilty-verdict-in-the-uber-breach-case-makes-personal-liability-real-for-cisos.html\">In my case<\/a>, at my sentencing hearing, the judge turned to the prosecutor and repeatedly asked, \u2018Why isn\u2019t the CEO charged?\u2019\u201d Sullivan says. \u201cThe judge literally said, \u2018As far as I\u2019m concerned, the CEO is at least as culpable, if not more, as anyone else inside the company when it comes to the situation.\u2019\u201d<\/p>\n<p>Sullivan adds, \u201cIn Australia, <a href=\"https:\/\/www.csoonline.com\/article\/4062724\/qantas-cutting-ceo-pay-signals-new-era-of-cyber-accountability.html\">in the Qantas case<\/a>, the board took away the bonuses for the CEO and a bunch of others. In one of those DOJ civil cyber fraud cases, the <a href=\"https:\/\/www.arnoldporter.com\/en\/perspectives\/blogs\/fca-qui-notes\/posts\/2025\/08\/private-equity-firm-involved-in-cyber-fca-settlement\">Aero Turbine<\/a> case, they pierced the corporate veil and went after the private equity firm as well. 
There is a growing recognition inside government enforcement authorities that if you want to change corporate behavior, you\u2019ve got to aim a little higher than the CISO.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How CISOs should protect themselves<\/h2>\n<p>If the SolarWinds case clarified anything, it\u2019s that relief is temporary and preparation is essential. CISOs have a window of opportunity to <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">shore up their organizational and personal defenses<\/a> in the event the political pendulum swings and makes CISOs litigation targets again.<\/p>\n<p>\u201cI feel that the SEC staff over the past five to ten years has become more educated and has a more in-depth understanding and knowledge as to how this all works,\u201d Alston &amp; Bird\u2019s Peterman says. \u201cCISOs should be breathing a sigh of relief with this development, but I would be cautious about reading into it too broadly based on shifting changes within this administration or the next one,\u201d Peterman adds.<\/p>\n<p>\u201cBrown\u00a0had to live through five years of this, first, investigation and, then, litigation,\u201d she says. \u201cAnd I assume that comes with a significant personal toll, psychological toll, and physical toll. 
[Brown suffered a heart attack during the litigation.]\u00a0If CISOs don\u2019t have the necessary indemnification agreements or <a href=\"https:\/\/www.csoonline.com\/article\/2512968\/if-youre-a-ciso-without-do-insurance-you-may-need-to-fight-for-it.html\">directors and officers [D&amp;O] insurance protections<\/a> via the bylaws or by agreement, it can also mean that even if you win, it carries a significant financial toll.\u201d<\/p>\n<p>Noma Security\u2019s Kelley emphasizes that CISOs will still be the face of cybersecurity for most organizations, which means <a href=\"https:\/\/www.csoonline.com\/article\/3988361\/4-ways-to-safeguard-ciso-communications-from-legal-liabilities.html\">continued diligence in how risks are communicated<\/a>. \u201cWhen customers or regulators or investors need answers, none of that has changed [as a result of the SolarWinds dismissal]. One of the takeaways is being very intentional and accurate in how we communicate about our programs.\u201d<\/p>\n<p>Sullivan advises CISOs and other security leaders to become proactive and communicate throughout the organization what they need. \u201cIt\u2019s really important that we not sit in the corner and just let all the risks sit on our shoulders,\u201d he says. \u201cWe have to engage with the rest of the executives and the CEO and say, \u2018Look, cybersecurity is a company decision.\u2019\u201d<\/p>\n<p>He also stresses that the CISO community owes a debt of gratitude to Brown for his fortitude. \u201cA lot of us are really grateful for Tim for how he didn\u2019t disappear during this process,\u201d Sullivan says. \u201cHe spent a lot of time out at <a href=\"https:\/\/www.youtube.com\/watch?v=7DHb1gzF5o4\">different events<\/a>, typically closed-door ones, meeting with a lot of people. I had the opportunity to be on panels and calls with him where he and I shared a stage. 
All of us are very happy that Tim made it through this in one piece, and that he\u2019s standing and that he still has his job.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The US Securities and Exchange Commission\u2019s Nov. 30 decision to dismiss its lawsuit against SolarWinds and its CISO, Tim Brown, was met with immediate and widespread joy across the cybersecurity leadership community. For many CISOs, the dismissal landed not as an abstract legal development, but as something deeply personal. \u201cThank God,\u201d Gadi Evron, CEO and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6295,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6294","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6294"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6294"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6294\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6295"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6294"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/inde
x.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}