EXECUTIVE SUMMARY:
In a landmark case, a judge dismissed most of the charges against the SolarWinds software company and its CISO, Timothy Brown.
On July 18th, U.S. District Judge Paul Engelmayer stated that the majority of government charges against SolarWinds “impermissibly rely on hindsight and speculation.”
The singular SEC allegation that the judge considered credible concerns the failure of controls embedded in SolarWinds products.
For its part, SolarWinds has consistently maintained that the SEC’s allegations were fundamentally flawed, outside of its area of expertise, and a ‘trick’ designed to allow for a rewrite of the law.
Why it matters
For some time, the SEC has pursued new policies intended to hold businesses accountable for cyber security practices; an understandable and reasonable objective.
In this instance, the SEC said that claims made to investors in regards to cyber security practices had been misleading and false – across a three year period.
The SEC’s indictment also mentioned falsified reports on internal controls, incomplete disclosure of the cyber attack, negligence around “red flags” and existing risks, and more.
But what caught the attention of many in the cyber security community was that, in an unprecedented maneuver, the SEC aimed to hold CISO Timothy Brown personally liable.
This case has been closely watched among cyber security professionals and was widely seen as precedent-setting for future potential software supply chain attack events.
Timothy Brown’s clearance
In the end, the court ruling does not hold CISO Timothy Brown personally liable for the breach.
“Holding CISOs personally liable, especially those CISOs that do not hold a position on the executive committee, is deeply flawed and would have set a precedent that would be counterproductive and weaken the security posture of organizations,” says Fred Kwong, Ph.D, vice president and CISO of DeVry University.
Despite the fact that this court ruling may loosen some CISO constraints, “you need to be honest about your security posture,” says Kwong.
The remaining claim against the company, which will be scrutinized further in court, indicates that there is a basis on which to conclude that CISOs do have certain disclosure obligations under the federal securities laws.
Further details
The SolarWinds incident, as its come to be known, has cost SolarWinds tens of millions of dollars. In 2023, the company settled a shareholder lawsuit to the tune of $26 million.
A spokesperson for SolarWinds has stated that the company is “pleased” with Judge Engelmayer’s decision to dismiss most of the SEC’s claims. The company plans to demonstrate why the remaining claim is “factually inaccurate” at the next opportunity.
For expert insights into and analyses of the SolarWinds case, please see CyberTalk.org’s past coverage. Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.
