SolarWinds CISO says security execs are ‘nervous’ about individual liability for data breaches 

Tim Brown didn’t call for indemnification laws, but suggested that CISOs dealing with legal implications for cyberattacks is stressful and a distraction from their core work.

SolarWinds’ top cybersecurity executive said chief information security officers are increasingly grappling with how to do their jobs while avoiding individual legal liability for breaches that happen on their watch.

Tim Brown, now CISO at SolarWinds, was a vice president and the highest-ranking security official at the company when hackers working on behalf of the Russian Foreign Intelligence Service (SVR) compromised the build environment used to push software updates for Orion, an IT management solution widely used in government and industry. The resulting incident let attackers infiltrate at least nine federal agencies and 100 companies.

SolarWinds was sued by shareholders alleging cybersecurity negligence and insider trading related to the hack, while a Securities and Exchange Commission lawsuit sought to hold Brown individually liable for making false or misleading public statements about the strength of SolarWinds’ cybersecurity.

Speaking Friday at the CyberLawCon Conference in Arlington, Va., Brown said the fallout from his case has left many CISOs in a state of uncertainty about the legal landscape they’re navigating.

CISOs are “nervous about liability, they’re nervous about how to take appropriate approaches to security within their organization,” Brown said.

Brown landed in legal hot water with investors and the SEC largely due to public statements — made in SEC filings and during media and podcast interviews prior to the hack — that regulators said misrepresented and exaggerated SolarWinds’ cybersecurity strength.

A New York district judge dismissed much of the SEC’s lawsuit in 2024 and characterized the comments made by Brown and other SolarWinds executives about their security in media interviews and SEC filings as “non-actionable corporate puffery.”

However, the court upheld charges that SolarWinds and Brown misled customers about their cybersecurity posture in a “Security Statement” posted on the company’s website, and that Brown, as the top security official, was aware of internal information inconsistent with claims on SolarWinds’ website.

Other security executives, he said, are reevaluating how they publicly discuss their cybersecurity programs. He also noted that holding individuals liable for breaches can distract or hinder CISOs in effectively managing the aftermath of cyberattacks.

“Even in my experience, there was a period of time where we were going through [our hack] and we start saying, ‘Well, can I expose this deficiency? Can I work on this thing that needs to get improved? How do I say this the right way that doesn’t make me liable?’” Brown said. “So all those questions start going through people’s heads during this time, and that’s one of the worst things that can occur. That 20% of my brain, for a period of time, got spent on thinking about liability as opposed to thinking about protecting the company.”

In a survey released by cybersecurity vendor BlackFog last December, 7 out of 10 CISOs said reports of executives being held individually liable for data breaches have negatively affected their opinion of the job.

But some cybersecurity advocates, policymakers and investors have complained that absent some form of legal liability, top executives will always prioritize decisions that lead to short-term profit over longer-term investments in cybersecurity.

To wit, the same BlackFog survey found that nearly half of CISOs agreed with the statement that individual liability would improve accountability and transparency from cyber professionals. That number is even higher in the U.S. (55%) where Brown and others, like Uber CISO Joe Sullivan, have faced civil and criminal liability while overseeing security at their companies.

Asked by CyberScoop how the media and cybersecurity advocates should evaluate company executives’ public statements about their cybersecurity posture, especially considering Brown’s case, Michael Adams, Zoom’s CISO, said that while shielding CISOs from individual liability may help them “sleep a little bit better at night,” it shouldn’t be their primary concern.

“On the one hand, having indemnification is very comforting,” he said. “On the other hand, if you’re a CISO and you’re sitting around worrying about indemnification on a regular basis, you’re probably missing something else you should be paying attention to.”

While Adams said there’s still a role for CISOs to ensure their company is seen as secure and trusted with the public, “that has to be based on facts” and subject to appropriate resourcing and accountability.

For his part, Brown did not strictly express support for indemnification of CISOs around security incidents, but suggested security executives need more clarity about how to operate in their roles effectively without undue risk of criminal and civil penalties.

“One of the important things we need to do is when we look at this, it’s not so much reducing liability for the CISO community,” Brown said. “It’s about, how do we make sure that the things that we have in place allow us to do our job in the most effective way possible, without the disruption of legal or regulatory actions?” 

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.