On November 20, 2025, the Securities and Exchange Commission voluntarily dismissed its remaining claims against SolarWinds Corporation and its Chief Information Security Officer Timothy G. Brown — with prejudice — ending a two-year enforcement saga that had produced the first-ever SEC action targeting an individual CISO for cybersecurity disclosure failures.
The security industry exhaled. LinkedIn filled with commentary about regulatory overreach. The consensus read was that the SEC had attempted to hold CISOs personally liable for institutional failures and had been turned back. A win for the profession. A correction of an aggressive enforcement theory.
That reading is partially correct and dangerously incomplete.
What the Dismissal Actually Said
The case against Brown began to unravel in July 2024, when U.S. District Judge Paul Engelmayer dismissed most of the SEC's claims. The court found that the Commission had not adequately pled securities fraud for the bulk of its allegations, and that the SEC's theory — that cybersecurity deficiencies violated Exchange Act accounting controls provisions — exceeded its statutory authority.
The November 2025 dismissal closed the case. But the court's reasoning established a specific principle, not a broad one: the SEC cannot pursue individual CISOs for disclosure characterizations they did not personally approve, or that were not clearly and knowingly false.
The Enforcement Posture That Remains
In February 2025 — three months after the SolarWinds dismissal — the SEC established the Cyber and Emerging Technologies Unit, absorbing and replacing the prior Crypto Assets and Cyber Unit. The formation of a dedicated enforcement unit signals that cybersecurity enforcement remains an active institutional priority, even as the specific theory of individual CISO liability has narrowed.
Under Chair Paul Atkins, confirmed in April 2025, the SEC has shifted toward a fraud-focused enforcement posture — targeting affirmative misrepresentation and deliberate concealment rather than judgment calls about disclosure characterization. The standard is higher than under Gensler. It is not zero.
A company that makes a documented, good-faith materiality determination and discloses accurate information is less exposed than before. A company that describes its security controls as "robust" in an SEC filing while the CISO privately knows those controls are materially deficient is in a different category — and the SolarWinds ruling does nothing to protect them.
Where the Real Risk Lives
The SolarWinds litigation focused on individual CISO liability. But the broader legal exposure for organizations under the SEC's cybersecurity framework is institutional, not personal — and it has not diminished.
Companies must describe their cybersecurity risk management processes accurately in annual Form 10-K filings. They must disclose material incidents within four business days. The enforcement actions settled to date — totaling over $8 million in penalties — were against organizations, not individuals. And the evidentiary standard for organizational liability is lower than for individual criminal or fraud liability.
There is also a layer of exposure that the SEC framework does not govern: securities litigation. Companies that suffer material breaches and whose prior disclosures characterized their security posture optimistically face class action risk independent of SEC enforcement. The SolarWinds dismissal does not affect that exposure. Plaintiff attorneys reading the same 10-K filings with hindsight from a breach will apply different standards than the ones the court applied to the SEC's novel legal theory.
The Practical Implication
The SolarWinds case was important less for its outcome than for what it demonstrated about the environment CISOs now operate in. For the first time, an individual security executive faced personal federal liability for institutional security failures. The fact that the case was ultimately dismissed does not erase the two years of personal legal exposure Timothy Brown experienced, the reputational damage, or the cost.
The practical lesson is not "the SEC backed down, we're safe." The practical lesson is that the scrutiny is real, the standard for honest disclosure is demanding, and the only defensible position is one where security claims made in regulatory filings are grounded in current, tested, validated data — not in the output of last year's pen test and a well-designed compliance program.
The ruling narrowed the theory. It did not change the stakes. The organizations building continuous, validated security programs are not just doing better security. They are building the evidentiary foundation that makes their regulatory disclosures defensible — before, during, and after an incident.
See what continuous testing finds in your environment.
Tadpole deploys autonomous agents that simulate real adversaries — 24/7, across your entire attack surface.