By Gaurav Lalsinghani, J.D. Candidate, 2025
No one wants to be left holding the bag after a break-in, but for chief information security officers (CISOs), the risk of liability is ever-present. Tasked with overseeing a firm’s cybersecurity posture, CISOs stand on the front lines of a corporation’s digital defense. They are responsible for an organization’s data protection measures, risk management strategies, and overall security infrastructure, among other critical responsibilities. As a result, they are the first in the line of fire when cyber threats materialize.
However, a recent decision from the U.S. District Court for the Southern District of New York suggests that CISOs might be outside of point-blank range. On July 18, 2024, Judge Paul Engelmayer dismissed most of the Securities and Exchange Commission (SEC)’s landmark cyber enforcement case against SolarWinds Corp. and its CISO, Timothy Brown, suggesting a potential narrowing of the Commission’s authority to pursue personal liability for CISOs in cybersecurity incidents.
SEC’s Allegations and the SolarWinds Incident
The SEC’s complaint against SolarWinds and Brown stemmed from the high-profile 2020 SUNBURST cyberattack, a supply-chain compromise in which a backdoor was inserted into a software update for SolarWinds’ Orion product and distributed to thousands of customers, including government agencies (the Departments of Treasury, State, and Homeland Security) and large corporations (Microsoft, Cisco, Deloitte).
The SUNBURST incident exposed weaknesses in SolarWinds’ cybersecurity practices, drawing significant regulatory and public scrutiny. In October 2023, the SEC filed a complaint alleging that SolarWinds and Brown had failed to establish adequate cybersecurity measures before and after the SUNBURST attack.
According to the Commission, SolarWinds’ cybersecurity controls were not robust enough to detect, prevent, or mitigate sophisticated cyber threats, leaving its Orion software exposed to infiltration. This lack of preparedness, the SEC argued, stemmed from critical lapses in the company’s security practices. The SEC further claimed that, even after the SUNBURST attack, SolarWinds and Brown failed to adequately address or improve these security measures, leaving the company exposed to continued vulnerabilities. These deficiencies, the SEC argued, not only exposed the company to security risks but also amounted to a failure of its internal accounting controls and led to material misstatements to investors.
The Court’s Ruling on Internal Accounting Controls
A key aspect of the court’s decision was its dismissal of the SEC’s internal accounting controls claim against SolarWinds and Brown. The court rejected the SEC’s attempt to read the internal accounting controls provision of the Exchange Act, Section 13(b)(2)(B), expansively enough to encompass cybersecurity practices. Judge Engelmayer noted that although “cybersecurity may bear on [an organization’s] financial outcomes,” the internal accounting controls provision “is [primarily] directed to financial oversight.”
The Surviving Charges: Security Misstatements and Misrepresentation
Despite dismissing the internal accounting controls claim, the court allowed the SEC’s claims regarding misleading statements in the company’s public “Security Statement” to proceed. The SEC argued that SolarWinds had falsely portrayed its cybersecurity practices as robust and industry-compliant despite internal documentation indicating otherwise. Shortly after joining, Brown himself had flagged the organization’s “[c]urrent state of security” as “very vulnerable.” Yet externally, he asserted that SolarWinds “place[d] a premium on the security of its products” and signed off on statements touting the company’s “sound security processes, procedures, and standards.”
The court correctly held that these discrepancies were actionable under Section 10(b) of the Exchange Act and Rule 10b-5 thereunder, which prohibit false or misleading statements of material fact in connection with the purchase or sale of securities.
Looking Forward
While the court’s decision offered a partial victory for SolarWinds and Brown, it left key questions about the extent of CISO liability unresolved, particularly when misrepresentations or omissions about cybersecurity practices can trigger personal accountability. Although the decision focused on Brown’s role in approving public statements, it remains unclear, for example, how far a CISO’s responsibility extends for cybersecurity failures themselves, especially when internal knowledge is disconnected from external communications.
As regulatory focus on cybersecurity grows, CISOs may continue to face increasing scrutiny under both securities law and potential new regulatory frameworks. The surviving claims in SolarWinds turned on the gap between what the company knew internally and what it told the public, so the most direct safeguard is to ensure that public security statements are reviewed against internal risk assessments before they are published or signed. Beyond that, by focusing on prompt Form 8-K incident disclosures (Item 1.05 requires disclosure within four business days of determining that an incident is material), negotiating risk-transfer provisions with third-party providers, and investing in extensive cyber insurance policies, CISOs can better position themselves to answer the call of corporate accountability.