The Securities and Exchange Commission is specifically naming SolarWinds Corp.'s chief information security officer in its lawsuit over the company's alleged missteps before the massive software supply-chain compromise of its products.
According to the SEC's October 30, 2023, securities fraud complaint, both SolarWinds and its CISO, Tim Brown, allegedly misled investors about the security of the company's software and the rigor of its security oversight in the years before the hack compromised nine federal agencies and around 100 other customers. The lawsuit, the first known SEC cybersecurity litigation naming a CISO, signals that those professionals must now anticipate facing personal legal exposure as they battle a constantly evolving threat landscape. Several agencies in recent years, including the Federal Trade Commission, have bolstered their cybersecurity regulations to require more executive-level oversight of breaches and more reporting about them.
The SEC is asking a court to permanently bar SolarWinds's CISO from serving as an officer or director of any publicly traded company, and is seeking civil penalties against him that could top $100,000.
With so much now personally at stake for individual CISOs, this type of enforcement trend could result in a reluctance to oversell a company's security posture, heightened whistleblowing activity, and additional private litigation any time company systems are compromised by sophisticated threat actors. It may also mean that CISOs will seek individual protections against termination related to their job performance, or different reporting structures, with more CISOs reporting directly to the CEO or to the Audit Committee of the Board of Directors.