
2020 SolarWinds case dismissed by SEC; industry offers mixed reaction

A SolarWinds sign sits on top of an office building.

Security pros have mixed opinions on the Nov. 20 ruling by the Securities and Exchange Commission (SEC) to dismiss the government’s case against SolarWinds and Tim Brown, the company’s chief information security officer (CISO).

In dismissing the case, the SEC said its decision was in the “exercise of its discretion” and does not necessarily reflect the SEC’s position on any other case. The SEC had already dismissed many of the claims against SolarWinds in July 2024, saying they “impermissibly” relied on hindsight and speculation.

Industry professionals generally felt that the SEC dropped the case because the government based its prosecution on Sarbanes-Oxley (SOX) reporting standards that didn’t apply to the 2020 SolarWinds incident, in which the Russian Foreign Intelligence Service breached the company’s network management software, causing a massive supply chain incident.

While industry experts were happy to see Brown absolved, they were concerned that the SEC still offered no clarity on what it considers a "material breach."

“Seems that the case was deemed weak because the SEC relied too heavily on hindsight, and you can't prosecute someone for not predicting a nation-state supply chain attack,” said Denis Calderone, chief operating officer at Suzu Labs. “But the dismissal doesn't answer the fundamental question: what cybersecurity risks are material and must be disclosed to investors?”

Calderone added that CISOs shouldn’t breathe any easier because they're still operating without clear standards.

“The industry needed a ruling that defined appropriate disclosure, not a dismissal that leaves everything ambiguous,” said Calderone. “Now we're back to guessing what constitutes fraud, versus reasonable risk communication.”

Andy Lunsford, CEO of BreachRx and a former corporate litigator who focused on data breach and privacy law, warned not to be fooled: while the wheels of enforcement may turn slowly, the next wave of regulatory crackdowns could hit with a new administration in place, and they may impose much stricter standards.

“Companies that are complacent today could find themselves blindsided tomorrow,” said Lunsford. “For CISOs and security leaders, the lesson is blunt: document everything, follow your plans, and escalate responsibly — or risk being the next headline. This settlement isn’t a get-out-of-jail-free card. It’s a stark reminder that robust governance and radical transparency are now the minimum price of survival in cybersecurity. The rules have changed, and the regulators are watching."

Trey Ford, chief strategy and trust officer at Bugcrowd, added that he’s a firm believer that when there’s an incident, the CEO and CISO should stand side-by-side. However, when looking at the SolarWinds case, it's Tim Brown’s name attached to it and not the CEO’s.

“Seeing the charges dropped by the SEC marks the end of CISOs taking on the role of the 'chief scapegoat officer,'” said Ford. “Ultimately, the CISO does not have sole authority and autonomy over messaging, patching, hardening, or other foundational defensive measures in the company. What CISOs do is manage risk and inform tradeoffs for the risk committee. When incidents happen, the CISO marshals the response. This move by the SEC is a signal underscoring the maturity of the CISO role and its function in the business.”

Server password: 'solarwinds123'

While the industry was generally accepting of the dismissal, Ted Miracco, chief executive officer of Approov, had some harsh words for the SEC.

Miracco pointed out that the evidence showed that SolarWinds and Brown were repeatedly warned by their own engineers. He said the most egregious example of negligence was the revelation that a critical file server was secured with the password "solarwinds123."

While SolarWinds executives attempted to blame this on an intern, Miracco said the password was exposed on a public GitHub repository for over a year.

“This is not a sophisticated failure: it’s a failure of the most basic security hygiene, indicative of a culture that viewed security as an afterthought,” said Miracco. “The SEC’s decision to voluntarily dismiss its lawsuit against SolarWinds represents a failure of regulatory courage and a dangerous retreat from the principle of corporate accountability. By abandoning the case, the SEC has tacitly endorsed a system where companies can prioritize shareholder value over the security of their clients, even if those clients include the Department of Homeland Security and the Pentagon.”

Keep in mind that SolarWinds has already paid out $26 million as part of a class-action settlement with investors. A federal judge granted final approval of the agreement in July 2023, and the company has said all payments have been executed.

Bottom line: $26 million is slightly under 1% of SolarWinds’ current $3.2 billion market cap.

In a statement on yesterday’s dismissal, a spokesperson for SolarWinds said:

“We are clearly delighted with the dismissal of the case against SolarWinds and our CISO, Tim Brown. We fought with conviction, arguing that the facts demonstrated our team acted appropriately — this outcome is a welcome vindication of that position. We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work.”
