A US judge has dismissed most of the Securities and Exchange Commission (SEC) lawsuit against SolarWinds, stating that the claims were based on “hindsight and speculation.” The lawsuit accused SolarWinds of concealing security weaknesses before and after a cyberattack linked to Russia. The judge also dismissed claims against the chief information security officer, Tim Brown. The SEC case, filed last October, was the first to target a company that fell victim to a cyberattack without a simultaneous settlement.
Why do we care?
The ruling is seen as a positive development for CISOs and IT leaders facing legal scrutiny after cyberattacks.
Except I’ll counter-argue that it shows a stunning lack of responsibility in our current legal framework. Even a layperson knows solarwinds123 highlights a problem. And so far, there’s no responsibility assumed by the vendor, which results in millions of dollars of damage paid for by customers and providers. And in this case, the US Taxpayer directly.
Disclosure, I’m a SolarWinds shareholder… so I know the journey here. The stock plummets upon notice of the breach, and after 18 months of purgatory, begins the climb upward. And customers still run their Orion products.
I see it instead as a vision of the future… of Crowdstrike. There won’t be a mass exodus. There will be no individual consequences for leadership in the software companies who made the mistake.
So what’s the advice? Zig while others Zag. Your question isn’t about replacing Crowdstrike, or being lucky that you didn’t run it. How can you both simplify systems… and push vendors to take responsibility for their part in the chain?

