Where CISO liability really lives now
The dismissal, and the tempting wrong conclusion
On 20 November 2025, the U.S. Securities and Exchange Commission dismissed its closely watched enforcement action against SolarWinds Corporation and its Chief Information Security Officer, Timothy G. Brown — and it did so with prejudice, meaning the agency cannot refile the same claims (Perkins Coie). For security leaders who had watched that case with dread, the temptation is obvious: read the dismissal as the end of personal CISO liability and the deflation of cyber-disclosure risk generally.
That is the wrong conclusion. The federal-enforcement posture did soften — legal commentators describe the move as part of a “back to basics” approach (Perkins Coie). But the underlying liability climate did not change. The exposures that should actually drive a security and disclosure program were never built on the theory the SEC just abandoned — so for most companies, the practical playbook barely moves.
The verified record: what was dismissed, and what was not
The SolarWinds matter was a genuine first. It was the first time the SEC brought securities-fraud claims based on cybersecurity disclosures against both a company and an individual executive (Perkins Coie). The agency had alleged that SolarWinds and Brown made misleading statements about the company’s cybersecurity practices before the SUNBURST supply-chain attack, and that subsequent disclosures understated the incident’s impact.
A with-prejudice dismissal forecloses a specific thing: the SEC re-litigating these particular fraud and accounting-controls claims, on these facts, against these defendants. Perkins Coie reads the move as part of a broader “back to basics” retreat from novel CISO-liability theories — language echoed across the legal-analysis commentary (Perkins Coie). The Harvard Law School Forum on Corporate Governance similarly frames it as the SEC narrowing one enforcement avenue, focusing going forward on “egregious misstatements and material misrepresentations” rather than expansive disclosure-deficiency theories (Harvard Law School Forum).
What the dismissal does not do is equally important. It does not repeal any disclosure rule, it does not bind other regulators, and it does not neutralize private litigation. Those are three separate channels of exposure — and all three are still open.
Channel 1: The standing duty hasn’t moved
The Form 8-K Item 1.05 disclosure obligation survived the dismissal completely untouched. The rule generally requires a public company to disclose a material cybersecurity incident within four business days of determining that the incident is material — and the materiality determination itself must be made “without unreasonable delay” after discovery (SEC small-business compliance guide; Goodwin). The clock is tied to the materiality call, not to discovery — which means the materiality-determination process is the real control surface.
Note one structural subtlety that defensive programs should plan for: if a company files an incident under Item 8.01 (other events) because it is immaterial or undetermined, and later concludes the incident is material, the four-business-day Item 1.05 clock starts from that later determination (Goodwin). A softer SEC enforcement posture does not change these mechanics. The rule is the rule.
Channel 2: Your own disclosures are future Exhibit A
Even where the SEC steps back, the disclosures a company has already made do not disappear — they become evidence. Perkins Coie is explicit that a company’s own cyber statements “can be leveraged by private litigants in connection with allegations of fraud and misrepresentation” (Perkins Coie). The Harvard Forum reinforces the point, noting that “private litigation remains active” and that securities class actions “are common following high-profile cyber incidents” (Harvard Law School Forum).
The practical implication is uncomfortable but clarifying: every 8-K, every risk factor, every reassuring public statement about security posture is a potential exhibit in private litigation after an incident. Plaintiffs do not need the SEC’s novel theory; they work from the company’s own words measured against what later turned out to be true. Federal enforcement mood has no bearing on that exposure.
Channel 3: State regulators, sector regulators, and continued SEC interest
The third channel is the regulators the SEC’s retreat does not speak for. The Harvard Forum cautions that the dismissal “does not mean that other regulators will follow suit,” and that “sector-specific regulators and state regulators … have been increasingly active in cyber enforcement” (Harvard Law School Forum).
The SEC itself has not exited the field, either. Cooley reports that the agency’s Cyber and Emerging Technologies Unit is tasked with combating “public issuer fraudulent disclosure relating to cybersecurity,” and that the SEC will “continue to police material cybersecurity misrepresentations and omissions that led to investor harm” (Cooley). On Cooley’s reading, the shift is toward clear-cut material misstatements, not away from cyber entirely. (The descriptions of the unit’s mandate and of the SEC’s forward posture are as reported by these legal-analysis sources; they were not independently checked here against an SEC litigation release, which could not be retrieved directly, but the characterization is consistent across Perkins Coie, Harvard, and Cooley.)
Personal-liability reality check
It is fair to say the specific individual-executive theory the SEC tested against the SolarWinds CISO lost — that is the verified takeaway. It is not fair to extrapolate that individual exposure has broadly evaporated. The verified record establishes only that this SEC theory, on these facts, ended with prejudice. Any broader “executives are personally safe now” framing goes beyond what the record supports; this article does not cite cases or figures to quantify residual personal risk because none were verified. The prudent posture: treat D&O coverage and indemnification arrangements as unchanged in importance. The dismissal of one theory in one case is not a reason to relax personal-risk protections.
The playbook that barely changes
If your program was designed for the climate rather than the weather, very little about Monday morning should change. The durable controls are the same ones that were prudent before the dismissal:
- Documented, time-stamped materiality process. Build a defensible record of when an incident was discovered, who assessed materiality, what they considered, and when the determination was made. The Item 1.05 four-business-day clock runs from that determination, so the artifact that proves the determination was made “without unreasonable delay” is among the most valuable defensive documents you can hold.
- Disclosure controls and committee discipline. Route cyber-incident facts through the same disclosure-controls machinery used for other material events, with a standing cross-functional group (security, legal, finance, investor relations) empowered to make and document the call.
- Treat every disclosure as evidence. Review 8-Ks, risk factors, and public security statements for accuracy and defensibility before they go out — because private plaintiffs will read them later.
- Structured board engagement on a fixed cadence. Keep cyber-disclosure oversight on the calendar rather than treating the dismissal as license to ease up.
Bottom line, and a 90-day checklist
The November 2025 dismissal is a change in federal-enforcement weather, not in the underlying liability climate. The Item 1.05 materiality clock survives, your own disclosures remain future evidence, and state and sector regulators — plus a still-interested SEC — remain in the field.
Next 90 days:
- Pressure-test the materiality-determination process. Confirm a written, time-stamped procedure exists and that someone owns the four-business-day clock from the moment a determination is made.
- Run a tabletop on the 8.01-to-1.05 path. Rehearse the scenario where an incident is first disclosed as immaterial and later reassessed, so the second clock is not missed.
- Audit existing public cyber statements. Read current risk factors and security claims as a plaintiff would; correct anything that overstates posture.
- Re-confirm D&O and indemnification. Verify coverage scope and indemnification for officers — including the CISO — is intact and current.
- Lock board cadence. Put cyber-disclosure oversight on a fixed recurring agenda with documented minutes.
If the dismissal tempts your organization to stand down, that is the one genuine new risk it created.
Sources
- Perkins Coie, SEC Dismisses Cyber Disclosure Case Against SolarWinds and CISO — https://perkinscoie.com/insights/update/sec-dismisses-cyber-disclosure-case-against-solarwinds-and-ciso
- Harvard Law School Forum on Corporate Governance, SolarWinds Dismissed: What the SEC’s U-Turn Signals for Cyber Enforcement (7 Dec 2025) — https://corpgov.law.harvard.edu/2025/12/07/solarwinds-dismissed-what-the-secs-u-turn-signals-for-cyber-enforcement/
- Cooley, SEC + Public Companies Enforcement: FY 2025 Review and What to Expect in 2026 (23 Dec 2025) — https://investigations.cooley.com/2025/12/23/sec-public-companies-enforcement-fy-2025-review-and-what-to-expect-in-2026/
- SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (small-business compliance guide) — https://www.sec.gov/resources-small-businesses/small-business-compliance-guides/cybersecurity-risk-management-strategy-governance-incident-disclosure
- Goodwin, SEC Staff Makes Clear That Cybersecurity Incident Disclosures Under Item 1.05 of Form 8-K Should Be Limited to Material Cybersecurity Incidents — https://www.goodwinlaw.com/en/insights/publications/2024/05/alerts-practices-pca-sec-staff-makes-clear-that-cybersecurity-incident