CISOs Relieved By Dismissal of SEC SolarWinds Charges

CISOs are breathing easier after the July dismissal of a Securities and Exchange Commission lawsuit against SolarWinds. Shane Snider, reporting in InformationWeek, notes that the SEC SolarWinds charges included alleged misstatements by Chief Information Security Officer Timothy Brown. In a release accompanying the complaint, the SEC claimed that the company and Brown ignored repeated red flags.

It also alleged that SolarWinds and its CISO failed to disclose that the vulnerability was shared by other customers, including two cybersecurity firms and one federal agency. The company overstated its cybersecurity practices and understated its own vulnerabilities.

US District Judge Paul Engelmayer dismissed most of the charges, including all claims against the company and Brown over his statements about the attack. Engelmayer said the charges were based on “hindsight and speculation.”

Joe Sullivan, security consultant and former Uber CSO indicted after a 2016 breach and sentenced to three years probation, said the ruling is a good sign for CISOs and other IT leaders feeling legal heat after cyberattacks. “The court recognized that it is really hard to articulate the impact of a security incident while it is unfolding, and with incomplete information, especially when an attack may have been done by a nation-state,” he said.

Gadi Evron, CEO at Knostic and former CISO, told InformationWeek that CISOs worldwide were holding their breath before the dismissal, and the ruling will have a far-reaching effect on the CISO community.

Evron said many CISOs considered leaving the role after seeing their colleague, Tim Brown, held accountable with little to no evidence. “It felt that we’re all under siege, even targeted,” he said. “Justice is served, and now we as a community have work to do.”