By Viktoria Bakos | July 2025
What used to be a shared organizational problem is now a personal liability.
The SEC’s case against Timothy Brown, the CISO of SolarWinds, marked the first time a cybersecurity executive—not a CEO or CFO—was targeted for securities fraud tied to cybersecurity misstatements (U.S. Securities and Exchange Commission, 2023). The move signaled a seismic shift in how digital risk is regulated—and who is held responsible when governance fails.
This isn’t just about technical controls anymore. It’s about truth, disclosure, and leadership integrity in the cybersecurity era.
The SEC charged Brown with knowingly downplaying internal reports of vulnerabilities and misleading investors through incomplete or false disclosures. This wasn’t about failure to patch a system. It was about what was said (or not said) to investors, regulators, and the public.
In July 2024, the court dismissed some of the claims—mostly those tied to marketing language—but allowed the case to move forward on charges involving misstatements about internal access controls (Holland & Knight, 2025). By July 2025, a settlement in principle was reached. But the message was already clear:
Cybersecurity misstatements are now securities law violations.
This case didn’t just rattle one executive—it sent a chill across the entire cybersecurity leadership space.
Executive hesitation: CISOs are now weighing legal risk before accepting roles. Without clear protections, insurance coverage, and board-level access, many security leaders may walk away.
Governance misalignment: When cybersecurity reports are buried, downplayed, or spun, the damage isn’t only legal liability—it undermines the company’s entire risk posture.
Key lesson: If your internal findings and your public disclosures don’t match, you’re not managing risk—you’re creating it.
To minimize exposure and meet this new governance standard, organizations must embed cybersecurity into their core risk management fabric.
Here’s what that looks like:
The Brown case reminds us: cybersecurity governance isn’t a checklist. It’s a leadership standard.
Companies that treat security as a tech-only problem—rather than a governance and legal risk—are falling behind. Disclosure is no longer a technicality. It’s a fiduciary duty.
Boards, CISOs, and compliance leaders must now ask:
We’re inviting professionals to join the discussion:
What protections should CISOs demand post-Brown?
How do you ensure disclosure aligns with actual risk?
Is cybersecurity leadership being set up to fail—or are we finally getting the attention the role deserves?
Tag your team. Share your protocols. Let’s push this conversation toward smarter, safer, and more sustainable governance.
Gibson Dunn. (2024, January 29). U.S. cybersecurity and data privacy review and outlook — 2024. https://www.gibsondunn.com/wp-content/uploads/2024/01/us-cybersecurity-and-data-privacy-outlook-and-review-2024.pdf
Holland & Knight. (2025, July 3). The dust settles in SEC’s cybersecurity lawsuit against SolarWinds CISO. https://www.hklaw.com/en/insights/publications/2025/07/settlement-alert-the-dust-settles-in-secs-cybersecurity-lawsuit
U.S. Securities and Exchange Commission. (2023, October 31). SolarWinds Corporation and Timothy G. Brown. https://www.sec.gov/litigation/litreleases/lr-25887