It’s interesting to see the SEC go after a CISO, yes he was at the helm but he can’t be the one to patch systems… yes they had an ongoing attack but disclosing that to shareholders is a sensitive affair… they were also a technology provider to the US government. I honestly think that is what got them the teeth of the SEC.
They weren't charged for having deficiencies, they were charged for knowing about their deficiencies and lying about them:
> SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.
CISOs are still often not considered C-suite, and rarely get called to boardrooms.
Commensurate with the new risks for a CISO, a seat in the C-suite, E&O coverage, and a nice parachute are the minimum CISOs should get.
Edit: I understand that in this case there were false statements made. That still does not remove the new risk for other CISOs to be dragged into quagmires they were not responsible for (see regulation discrepancies between various US, UK, or EU departments).