SEC Drops SolarWinds Lawsuit Over 2020 SUNBURST Breach

The U.S. Securities and Exchange Commission has ended its litigation against SolarWinds and its CISO, closing a controversial chapter stemming from the 2020 SUNBURST attack.

    Nearly five years after the SUNBURST intrusion came to light, the United States Securities and Exchange Commission (SEC) has dropped the lawsuit it filed in October 2023 against SolarWinds and its Chief Information Security Officer (CISO). The SEC had alleged that the company misled investors by overstating its security practices and failing to disclose known weaknesses in the years leading up to the 2020 SUNBURST supply chain attack. The decision to abandon the case closes one of the most closely watched enforcement actions to come out of the incident.

    SEC Files and Then Walks Back from Civil Charges

    The agency accused SolarWinds of downplaying known cybersecurity gaps in the period before the intrusion, which was discovered in December 2020. The SUNBURST attack relied on trojanized updates to the Orion network monitoring platform. SolarWinds estimated that as many as 18,000 customers, including numerous U.S. government agencies and Fortune 500 companies, may have installed the affected builds, although the attackers pursued hands-on follow-on intrusions against only a small fraction of them.

    The SEC’s complaint alleged that SolarWinds and its CISO failed to properly inform shareholders and the public about known risks and that the company’s public statements about its security posture were materially misleading. Much of that complaint had already been narrowed in July 2024, when a federal judge in New York dismissed the claims based on SolarWinds’ post-incident filings and on its internal accounting controls, leaving only the fraud claims tied to the pre-breach Security Statement published on the company’s website. Without offering a public explanation, the SEC has now dropped the remaining claims, a move that SolarWinds welcomed.

    SolarWinds expressed satisfaction with the outcome, stating that it was “clearly delighted” to see the matter come to a close. The case had raised significant concern in the information security (infosec) community over the personal liability of CISOs and over what companies are expected to disclose about cybersecurity risk.

    Case Context: SUNBURST and Its Aftermath

    The SUNBURST campaign remains one of the most complex and consequential supply chain attacks on record. Attributed by the U.S. government to Russia’s foreign intelligence service, the SVR, and tracked by the industry as APT29 (Cozy Bear), the operation compromised SolarWinds’ build environment so that a backdoor was compiled into a legitimate Orion component and shipped to customers under SolarWinds’ own valid code signature. Because the update was authentic as far as signature checks were concerned, the backdoor gave the attackers a foothold in sensitive internal networks and went undetected for months, from the first trojanized builds in the spring of 2020 until FireEye reported the intrusion in December 2020.

    The fallout triggered closer federal scrutiny of software supply chain security. The incident led to congressional hearings, to Executive Order 14028 of May 2021 on improving the nation’s cybersecurity, which pushed federal software suppliers toward secure development practices and software bills of materials (SBOMs), and to industry-wide calls for stronger software development lifecycle (SDLC) practices.

    Security experts have since debated the right balance between transparency, liability, and investor communications when it comes to disclosing cybersecurity posture or breaches.

    Broader Implications for CISOs and Liability Exposure

    Beyond the reputational damage to SolarWinds itself, the SEC’s case stirred significant concern among information security professionals. By naming a CISO individually in a civil enforcement action, the agency signaled an evolving approach to corporate governance and personal accountability under securities law.

    Critics argued that excessive pressure on security executives could discourage information sharing or even deter talented individuals from assuming CISO roles. Others insisted on the importance of holding decision-makers accountable when known security flaws are poorly communicated or go unaddressed.

    The dismissal may clarify, at least temporarily, the limits of regulatory enforcement in these complex areas. However, experts caution that the SEC’s regulatory intent remains aligned with ensuring cybersecurity risks are understood as material factors in public disclosures.

    Looking Forward: Security Disclosures Still Under Scrutiny

    While the SolarWinds lawsuit has ended, cybersecurity disclosure remains central to the SEC’s agenda. In July 2023 the agency adopted rules requiring public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material, and to describe their cybersecurity risk management, strategy and governance in annual reports. The four-day clock runs from the materiality determination, which must be made without unreasonable delay, rather than from the moment of discovery, so a documented and timely materiality assessment process is itself part of the compliance obligation.

    Such measures reflect sustained momentum toward giving investors visibility into cyber risk exposure and organizational preparedness. Companies must now treat cybersecurity not only as an IT concern but as a corporate governance and investor relations issue.

    The SolarWinds case may stand as a cautionary tale but also as a potential signal of shifting regulatory focus—from headline-making enforcement to structural change through compliance mandates.

    The SEC’s decision to withdraw its lawsuit against SolarWinds and its CISO may bring some relief to cybersecurity leaders wary of individual legal risks. But it does little to settle existing ambiguity around acceptable disclosure practices, particularly in the face of evolving threats like nation-state supply chain attacks.

    As regulatory expectations continue to evolve, security leaders and corporate boards alike must remain vigilant. Navigating the intersection of cybersecurity risk and public reporting will require clarity, documentation, and proactive cybersecurity governance in the years ahead.
