Sunday, May 24, 2026
Legal

SEC Charges Former SolarWinds CISO with Securities Fraud Over Breach Disclosures

The SEC has filed securities fraud charges against a former CISO, alleging he misled investors about the company's cybersecurity practices prior to a major breach.

Patricia Coleman, Legal & Regulatory Affairs Reporter

The Securities and Exchange Commission has filed civil charges against Timothy Brown, the former Chief Information Security Officer of SolarWinds, alleging that he defrauded investors by overstating the company's cybersecurity practices while concealing known deficiencies.

The charges represent the first time the SEC has brought an enforcement action against an individual CISO for alleged securities violations related to cybersecurity disclosures.

According to the SEC's complaint, Brown allegedly knew about specific vulnerabilities and security control failures in the years leading up to the 2020 supply chain attack but made public statements and certified internal documents that painted a misleading picture of the company's security posture.

"Today's action sends a clear message to security professionals and public companies: cybersecurity disclosures matter, and we will hold individuals accountable for materially misleading statements," said SEC Chair Gary Gensler.

Brown's attorneys released a statement calling the charges "unfounded and unprecedented" and vowing to vigorously defend their client. "Mr. Brown worked tirelessly to improve SolarWinds' security posture and was himself a victim of this sophisticated nation-state attack," the statement read.

The cybersecurity community has reacted with concern about the implications for CISOs. "This creates a chilling effect," said Renee Guttmann, former CISO at Coca-Cola and current advisor to security executives. "CISOs may become less willing to take on the role or may be reluctant to document security issues internally."

The case highlights growing regulatory scrutiny of corporate cybersecurity disclosures following a series of high-profile breaches and the SEC's adoption of new cybersecurity disclosure rules in 2023.

Tags: SEC, CISO, SolarWinds, securities fraud, regulation

Patricia Coleman

Covering cybersecurity news and threat intelligence for CyberNews.wiki.
