SolarWinds Civil Actions Dismissed as SEC Finalizes Settlement Agreement

November 27, 2025


While the SEC’s civil actions have been dismissed with prejudice, that does not mean it cannot bring similar charges against other companies should it encounter a stronger case.

A case that nearly all CISOs were likely paying at least some attention to is now winding up, as the SEC and SolarWinds have finalized their settlement negotiation and had the remaining pending civil actions dismissed by a federal court.

While this doesn’t make it impossible for CISOs to face personal liability in breach cases, it removes the one looming precedent that might have been established in US courts. Had it gone sideways for SolarWinds, CISO Timothy Brown (who remains with the company) might have been subject to personal financial penalties and barred from future employment as an officer or director.

SolarWinds civil actions raised alarms, but most charges were tossed early

The SEC’s case was seen as weak from nearly the moment it got in front of a federal judge, with the majority of the charges already shed last year (with some not-so-flattering descriptions of their legal standing). But it nevertheless set off warning lights across the profession as the first of its type brought against an individual for an organization’s security breach, and a potential precedent-setter.

There were serious concerns about the impact on the ability to recruit for the role, as well as a chilling of information sharing. This was prompted not just by the SolarWinds case, but by aggressive civil actions also brought against follow-on breach victims Avaya, Check Point, Mimecast, and Unisys. However, with this case resolved, the CISO liability issue is put to bed for at least some time (and the Trump administration is thus far showing relatively little interest in similar punitive cybersecurity measures).

The settlement of the SEC civil actions has been in the works since earlier this year, with the parties jointly requesting a stay of proceedings in July to negotiate a settlement (which was in turn completed in August). But the case was first filed in late 2023 and by 2024 the judge had thrown out the majority of the charges involving personal responsibility as “speculative” and “ill-pled.”

New regulations, private lawsuits will continue to shape the landscape

There is very little law addressing personal responsibility for CISOs in breach situations, and nothing setting precedent for civil actions. The biggest case that is adjacent to this area thus far has been the FTC’s criminal charges against Uber CSO Joseph Sullivan, who was convicted of obstructing the investigation by actively misleading both the investigators and company leadership.

So there isn’t much of a lesson to take from this case, other than to do things that should be part of the basic job description anyway, such as being honest and consistent in communications. More tests are very likely coming, however. While the SEC’s civil actions have been dismissed with prejudice, that does not mean it cannot bring similar charges against other companies should it encounter a stronger case. This dismissal also does not at all preclude the possibility of private suits from investors or breach victims that took losses due to the incident.