SEC Drops SolarWinds Lawsuit in Major CISO Victory


According to TheRegister.com, the US Securities and Exchange Commission has completely abandoned its lawsuit against SolarWinds and Chief Information Security Officer Timothy G. Brown over the massive 2020 SUNBURST attack. In a joint motion filed Thursday, both parties asked the court to dismiss the civil enforcement action, which alleged that SolarWinds misled investors about security practices dating back to October 2018. The Russian-backed attack compromised SolarWinds’ Orion network monitoring suite: around 18,000 organizations downloaded the poisoned software, and about 100 of them were actually hacked, including major victims like Microsoft, Intel, and multiple US government departments. SolarWinds says it’s “clearly delighted” with the outcome, calling it vindication after arguing that its team acted appropriately throughout the incident.


What this means for CISOs

Here’s the thing: this case had security professionals everywhere watching nervously. The SEC was essentially trying to hold a CISO personally responsible for a state-sponsored cyberattack that affected thousands of organizations. SolarWinds itself argued the regulator was trying to “revictimise the victim” – and honestly, they had a point. When Russian intelligence agencies target your company, is it really fair to blame your security chief?

SolarWinds specifically mentioned hoping this resolution “eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work.” And they’re absolutely right. If CISOs can be personally sued after major breaches, who would want that job? The talent drain from cybersecurity leadership would be catastrophic at a time when we need experienced professionals more than ever.

Why the SEC backed down

This wasn’t exactly a surprise move. Back in July 2024, a judge had already mostly set aside the SEC’s allegations. The writing was on the wall – the commission’s case was falling apart. So they cut their losses rather than face an embarrassing courtroom defeat. The SEC did note this dismissal was “in the exercise of its discretion” and doesn’t reflect their position on other cases, but that sounds like face-saving to me.

Basically, the regulator overreached and got called on it. Going after individual security professionals after sophisticated nation-state attacks sets a dangerous precedent. It’s one thing to pursue companies for inadequate security practices, but targeting the CISO personally? That’s a whole different ballgame that could have reshaped the entire cybersecurity industry.

SolarWinds’ transformation claim

Meanwhile, SolarWinds CEO Sudhakar Ramakrishna is framing this as the “end of a transformative chapter” in a recent blog post. He says the attack “shaped a new SolarWinds” and pushed them to develop their “Secure by Design” initiative. The company has published extensive resources about their security overhaul, and they previously provided detailed investigative updates about the attack.

But let’s be real – when your software gets backdoored by Russian spies and affects 18,000 customers, you’d better have a transformation story. The question is whether this represents genuine change or just good PR. Their security practices were allegedly problematic as far back as 2018 according to the original SEC complaint, so this wasn’t exactly a one-time oversight.

Broader implications

So where does this leave us? For industrial technology companies and manufacturers relying on complex software systems, the stakes couldn’t be higher. When critical infrastructure depends on secure computing platforms, the consequences of security failures extend far beyond stock prices.

The SEC’s failed lawsuit shows regulators are still figuring out how to handle cybersecurity accountability. But one thing’s clear: personal liability for security professionals after sophisticated attacks sets a dangerous precedent. This dismissal gives CISOs some breathing room, but the underlying tension between regulators, companies, and security leaders isn’t going away anytime soon.
