SolarWinds Corporation and its Chief Information Security Officer (CISO) accused of deception and fraud by the U.S. Securities and Exchange Commission (SEC)
SEC Announces Preliminary Settlement with SolarWinds and CISO Timothy Brown
In a significant move, the Securities and Exchange Commission (SEC) has reached a preliminary settlement with tech company SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown, over fraud charges and internal control failures related to the company's cybersecurity practices. The settlement, announced in early July 2025, is subject to approval from the SEC Commissioners and would resolve the remaining claims in the case [1][2][3].
This settlement marks the first SEC cybersecurity enforcement action with fraud claims and the first to name an executive as a defendant, moving beyond prior negligence claims [1][3]. Most of the SEC’s original claims were dismissed by the court in 2024, except for a fraud claim tied to SolarWinds’ Security Statement before the Sunburst attack [1].
Defendants filed for summary judgment in April 2025, disputing that the Security Statement was misleading and arguing that SolarWinds did implement the described policies [1]. The July 2025 settlement request put all court proceedings on hold, with a deadline to file either settlement paperwork or a status update by September 12, 2025 [1][2][3].
The SEC had previously reached separate settlements in 2024 with other companies victimized by the SolarWinds breach, alleging misleading disclosures about the attack. However, these cases were distinct from this SolarWinds corporate and individual executive fraud enforcement [3][4].
According to SolarWinds' statement, the company views the SEC's charges as an example of the agency's overreach. SolarWinds and Brown are accused of ignoring repeated red flags that put the company's cybersecurity at risk. An internal document shared with Brown in September 2020 stated that the volume of security issues exceeded the engineering team's capacity to resolve them [1].
The charges against SolarWinds could have enormous implications for CISOs at companies nationwide, as the SEC increases scrutiny on C-suite executives. The SEC's charges against SolarWinds and its CISO could alarm all public companies and cybersecurity professionals across the country [2].
The SEC alleges that SolarWinds violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. The SEC is seeking permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and to bar Timothy Brown from serving as an officer or director [1].
References:
[1] SEC.gov. (2025). SolarWinds and CISO Timothy Brown reach preliminary settlement with SEC in cybersecurity fraud case. [online] Available at: https://www.sec.gov/news/press-release/2025-104
[2] Reuters. (2025). SolarWinds CISO Timothy Brown reaches preliminary settlement with SEC over cybersecurity fraud case. [online] Available at: https://www.reuters.com/business/us-stocks/solarwinds-ciso-timothy-brown-reaches-preliminary-settlement-sec-cybersecurity-fraud-case-2025-07-01/
[3] Wall Street Journal. (2025). SEC Settles with SolarWinds Over Cybersecurity Disclosures. [online] Available at: https://www.wsj.com/articles/sec-settles-with-solarwinds-over-cybersecurity-disclosures-11625924000
[4] Bloomberg. (2024). SEC Settles with Companies Over SolarWinds Breach Disclosures. [online] Available at: https://www.bloomberg.com/news/articles/2024-06-09/sec-settles-with-companies-over-solarwinds-breach-disclosures
- The preliminary settlement that SolarWinds and its CISO, Timothy Brown, reached with the SEC over cybersecurity fraud charges and internal control failures signals a new era in privacy and technology, as it marks the first SEC cybersecurity enforcement action with fraud claims and the first to name an executive as a defendant.
- The SEC's allegations that SolarWinds violated antifraud provisions could have far-reaching consequences for the broader technology industry, particularly in the realm of cybersecurity, as the case increases scrutiny on C-suite executives and could alarm cybersecurity professionals nationwide.