Governance, Risk and Compliance, Government Regulations, Industry Regulations, Leadership

What the dismissal of SolarWinds really means for CISOs

(Adobe Stock)

COMMENTARY: Chief Information Security Officers (CISOs) and their companies face unrelenting attacks by cybercriminals and nation-state actors. Over the past two years, they have also been navigating an evolving legal and regulatory landscape shaped by the U.S. Securities and Exchange Commission (SEC). The SEC’s decision Nov. 20 to dismiss its case against SolarWinds and its CISO marks an inflection point — one that clarifies the boundaries of the SEC’s authority without abandoning its overall role in cybersecurity oversight.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The takeaway from the SEC’s action is nuanced: the SEC is not retreating from cybersecurity enforcement, but it is narrowing how it applies that enforcement.

What has changed?

The SEC brought charges against SolarWinds and its CISO in 2023 for allegedly defrauding investors about the company’s cybersecurity practices before and after a major cyberattack. It was the first time the SEC charged an individual CISO, and the case raised concerns among cybersecurity professionals about personal liability. The case also raised questions about the SEC’s expansive interpretation of its authority. 


Related reading:


In 2024, a federal judge rejected a central part of the SEC’s argument: that its authority over internal accounting could be read broadly enough to encompass oversight of a company’s cybersecurity practices. Although one remaining claim survived the lower court’s decision — focused on a public statement about the company’s cybersecurity practices — the SEC ultimately dismissed the rest of the case last month. By dropping the remaining charges in this case, the SEC avoided having higher courts further narrow its oversight of cybersecurity, which seemed probable.

Although the SEC dropped this case, it doesn’t mark their withdrawal from cybersecurity oversight; instead, it marks a recalibration toward the areas where the SEC’s authority is clearest — disclosures and material statements to investors. 

A mixed message from the SEC

The SEC’s reversal, particularly in regard to the charges against an individual, was surely greeted by a sigh of relief, however brief, from CISOs. The SolarWinds dismissal does not change the fact that the SEC still intends to enforce its cybersecurity rules. Companies still remain exposed to enforcement if they misstate, omit, or materially mischaracterize cybersecurity risks or incidents. And public companies must still follow public disclosure rules that require them to: 

  • report material cybersecurity incidents within four business days;
  • provide detailed governance and risk management disclosures in their annual financial filings;
  • avoid making materially misleading statements about cybersecurity risks and practices. 

In fact, in recent months, the SEC has reinforced its commitment to cybersecurity oversight. In February 2025, the SEC launched the Cyber and Emerging Technologies Unit (CETU) — adding specialists focused on cyber, AI, crypto, and ransomware — showing that the SEC expects cyber issues to remain central to investor protection. 

What this means for CISOs

The changing landscape elevates the strategic role of the CISO while lowering the likelihood of individual enforcement actions based on internal cybersecurity decisions. The dismissal of the SolarWinds case clarifies that the SEC is most focused on accurate disclosures — not auditing the maturity of internal cybersecurity programs — making the CISO’s cross-organizational leadership even more essential. CISOs now play a central role in: 

  • ensuring public statements about cybersecurity risks are accurate and supported by internal documentation;
  • coordinating with general counsel and other internal teams on disclosures;
  • briefing boards on material cyber risk and governance structures; and
  • evaluating organizational cybersecurity to prevent incidents and subsequent disclosures.

This heightened visibility for cybersecurity has created new opportunities for companies to differentiate themselves. Collaboration across legal, technical, risk, and operational functions allows CISOs to showcase mature approaches to cyber governance. With more public attention on their practices, companies are adopting a broad array of offensive measures to identify and mitigate vulnerabilities before they can be exploited.



Importantly, the SolarWinds dismissal should not be seen as a reason to relax internal discipline. Rather, it clarifies where rigor matters most: around what companies say publicly and how well those statements reflect operational reality. Companies that maintain robust vulnerability management, continuously test incident-response plans, document governance decisions, and engage openly with the researcher community will be better positioned to avoid misalignment between internal practice and external statements — and to earn trust in the marketplace. 

By leaning into proactive, transparent cybersecurity practices, CISOs can not only reduce regulatory and operational risk, but also strengthen their company’s reputation and competitive standing. 

Ilona Cohen

Ilona Cohen is HackerOne’s Chief Legal and Policy Officer, where she manages the public policy portfolio, oversees all legal matters, and provides strategic leadership to the company. Cohen transitioned to the tech industry after serving in the Obama White House, first as a senior lawyer to President Obama and then as General Counsel of the White House Office of Management and Budget (OMB). At OMB, Ilona was an integral part of designing and implementing the Administration’s technology and cybersecurity initiatives. Cohen has a broad range of experience and has served in other senior roles in the tech industry, the Executive Branch, and the U.S. Senate. She started her legal career in private practice at the law firm WilmerHale.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds