The news dropped like a bombshell in the CISO community: the SEC was dismissing its case against SolarWinds and its CISO, Timothy G. Brown. After a two-year legal battle that had every security executive sweating, the agency blinked. The landmark lawsuit, the first of its kind to target a CISO for fraud over cyber disclosures, was over. With prejudice. They can't bring it back.

A collective sigh of relief echoed through Slack channels and private email threads. But let's be clear: this isn't a get-out-of-jail-free card. The dismissal signals a recalibration, not a retreat. The SEC is likely shifting its focus from second-guessing security decisions in hindsight to enforcing its new, much clearer cyber disclosure rules. The bar for suing a CISO for fraud may be higher, but the regulatory pressure is not going away—it's intensifying.

While the direct threat of this kind of SEC action may have receded, the war is far from over. The dismissal doesn't erase the threat of private litigation. Class-action lawsuits and derivative suits are still very much on the table following a major breach. And the patchwork of state-level AI and privacy laws creates a minefield of compliance challenges. The job just got more complex. This case was a wake-up call, and the dismissal doesn't change that. It just redefines the battlefield.