COMMENTARY: News last week that the SEC dismissed its case against SolarWinds and its CISO, Tim Brown, was seemingly met with an audible sigh of relief across the cybersecurity community. For years, security leaders have watched this case with a pit in their stomachs, wondering if they, too, could wind up personally targeted for their companies being victims of sophisticated nation-state attacks.

On the surface, this looks like a total victory: The regulator walked away. The charges were dropped. No one will go to jail. But for those who think this outcome represents a shield for the rest of the industry, think again.
I don't think of the dismissal as a legal precedent: it’s more a warning shot. And while the smoke clears, we need to understand what was actually "won"—and more important, what was "lost" along the way.
The high cost of "winning"
If we call this a "win," it ignores the collateral damage left behind. Yes, the SEC dropped the case, and neither Tim Brown nor any top managers faced prosecution—a specter that has haunted the CISO community since the conviction of Joe Sullivan at Uber. But avoiding a criminal or civil action is a low bar for success.

Consider the tangible costs. SolarWinds has already paid $26 million to settle a shareholder class-action lawsuit related to the breach. That’s real money lost, not to mention the incalculable millions spent on legal defense, crisis communications, and remediation.

Then there’s the reputational damage. For several years the company’s name was a byword for poor cyber risk management, becoming shorthand for supply chain security failure. Trust, once lost, is expensive to buy back.
The most significant cost may have been human. Tim Brown, a respected professional doing a near-impossible job, was personally victimized. He has spoken publicly about the physical toll, noting that he lost 25 pounds in 30 days and suffered a heart attack because of the sheer stress of the investigation and the breach response. He lived for years with the threat that he could be held personally, legally, and financially liable for a malicious attack executed against his company by the Russian government.

We are happy for Tim and empathize with him, as the process itself was the punishment. If that’s what "winning" looks like, the industry cannot afford many more such victories.
Why it’s a "warning shot"
Complacency now becomes the biggest danger. There’s a risk that boards and executives will look at this dismissal and conclude that the SEC’s aggressive posture on cyber enforcement was a bluff. They might think they can go back to soft-pedaling cyber risk in their filings, or treat security as a purely technical issue rather than a material business risk. That would be a colossal mistake.

We all must understand why this case ended the way it did. The SEC’s case against SolarWinds was built on the legal landscape that existed before the new SEC cyber incident disclosure rules came into effect. The judge dismissed many of the claims because they relied on hindsight—judging 2020 decisions by 2024 standards.

The game has since changed. Today’s SEC cyber incident disclosure rules are much stricter. They demand that “material” incidents get reported within four days. They also require detailed annual descriptions of cybersecurity strategy, governance, and risk management.

If a similar breach happened today, under the existing rules, the enforcement action would look very different. The SEC didn't lose the argument that CISOs can be liable; they simply hit a wall on the specific facts and timing of this specific case. The next administration, or even the current one in a different context, may not take such a lenient approach.

And that’s only one regulatory body, the one here in the U.S. There are more than 200 regulations globally with unique rules and triggers for enforcement actions in breach cases. The regulatory wheels turn slowly, but they grind exceedingly fine.
The lesson: radical transparency
So, what’s the practical takeaway for the CISOs who watched Tim Brown’s ordeal with horror? It isn’t that CISOs are now safe. It’s that CISOs must now fully show their work. Today, simply having an incident response plan does not cut it.

In this new era, teams must prove that they have sound governance in place. They must also demonstrate that when a risk was identified, it was documented, communicated to leadership, and acted upon. Security teams need to show that the company's disclosure committee had the correct data at the right time to make “materiality” decisions.

Transparency has now become the minimum price of survival. Companies that attempt to obscure the severity of an incident, or hide behind vague "security statements," are kidding themselves.

Moving forward, it’s best to think of the SolarWinds dismissal as a reprieve, not a pardon. It’s a signal that while the regulators might have overreached on this specific case, they are watching closely. The rules have changed, the standards are unforgiving, and the next CISO in the crosshairs might not have the same luck.

While the community can indeed breathe a sigh of relief, we also must use this reprieve to prepare for the next onslaught, because it’s coming.

Andy Lunsford, co-founder and CEO, BreachRx

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.