SEC Dismisses Cyber Disclosure Case Against SolarWinds and CISO
Key Takeaways
- The SEC’s agreement with defendants to dismiss, with prejudice, its case against SolarWinds Corporation (SolarWinds) and its chief information security officer (CISO) signals a retreat from aggressive, novel enforcement theories in cybersecurity disclosure cases.
- Although technical cybersecurity violations without investor harm are less likely to result in enforcement action, the SEC’s dismissal “does not necessarily reflect” its position on any other case. Vigilance remains essential, and retail investor protection remains central.
- The materiality determination in cybersecurity incidents, along with ensuring adequate disclosures, continues to be a key regulatory focus. Public companies should maintain diligence in these areas.
The U.S. Securities and Exchange Commission announced on November 20, 2025, that it jointly stipulated with defendants to dismiss with prejudice its civil enforcement litigation against SolarWinds and its CISO, Securities and Exchange Commission v. SolarWinds Corp. and Timothy G. Brown, No. 1:23-cv-09518-PAE (S.D.N.Y. filed Oct. 30, 2023). The case has been the subject of intense scrutiny and closely followed by public companies due to its potential far-reaching implications for companies responding to, investigating, and disclosing cyber risks.
SolarWinds Cyberattack
SolarWinds provides customers with IT management and monitoring software. In December 2020, SolarWinds discovered that its network monitoring tool, Orion Software Platform (Orion), had been compromised. Subsequent investigations by SolarWinds, the U.S. government, and other entities described the attack, known as SUNBURST, as a Russian supply-chain attack intended to target SolarWinds’s downstream customers.
Russian intelligence operatives inserted compromised code into SolarWinds’s Orion software updates, which were subsequently released to SolarWinds’s customers. This enabled the operatives to exploit SolarWinds’s customers who had downloaded the updates. The U.S. government was one of approximately 18,000 customers that used the compromised software. Indeed, soon after the attack was discovered, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive calling for federal agencies to take immediate action to mitigate risks from the attack.
SolarWinds’s Response Timeline
- On December 12, 2020, SolarWinds’s CEO was advised by an executive at a cybersecurity company of a security vulnerability in Orion.
- On December 13, 2020, SolarWinds asked customers via a post on X (formerly known as Twitter) to upgrade to a new version of Orion.
- On December 14, 2020, SolarWinds filed an 8-K announcing the cyberattack and its initiation of an investigation.
- On December 17, 2020, SolarWinds filed an 8-K disclosing additional details on the breach, including its response steps and the nature of the attack.
The SEC’s Claims
On October 30, 2023, the SEC filed a complaint in the U.S. District Court for the Southern District of New York against SolarWinds and its CISO regarding the cyberattack. The SEC amended the complaint in February 2024. This was the first time that the SEC had brought claims for securities fraud and accounting control violations based on cybersecurity disclosures and cybersecurity enforcement claims against an individual. The SEC alleged that SolarWinds and its CISO issued misleading statements about the company’s cybersecurity practices before the attack and that the company’s subsequent 8-K disclosures were materially misleading concerning the impact of the attack.
The court dismissed most of the SEC’s claims in July 2024. The court concluded, however, that the SEC had adequately pled its claims that SolarWinds’s prior public representations about its cybersecurity practices and policies were materially misleading—against both SolarWinds and the CISO—under misrepresentation theories (Securities Exchange Act Section 10(b)/Rule 10b‑5 and Securities Act Section 17(a)). Before the SUNBURST attack, SolarWinds posted a “Security Statement” on its website. The court held that the SEC had plausibly alleged that the Security Statement was false and misleading—at least as to access controls and password practices—and material. The court also found scienter adequately pled for the CISO (and imputed to SolarWinds). The SEC’s claim for scheme liability also survived because the CISO allegedly disseminated and promoted the Security Statement in addition to making the misstatements therein.
The court found that SolarWinds’s other pre-attack public statements were nonactionable puffery, that the December 2020 8-Ks were not misleading, that internal accounting controls did not reach cybersecurity controls, and that the disclosure controls and procedures claims failed. The parties subsequently negotiated a settlement and joint stipulation, which the SEC announced with a press release on November 20, 2025.
Impacts of SolarWinds Case and Dismissal
The SolarWinds litigation brought the concept of materiality as applied to cybersecurity incidents to the fore. Although the SEC brought the SolarWinds action on other grounds, the case highlighted the SEC’s July 2023 rules relating to cybersecurity-related disclosures for public companies.
Moreover, in October 2024, the SEC charged four current and former public companies with making misleading disclosures regarding cybersecurity risks and intrusions related to the SolarWinds attack. Commissioners Hester Peirce and Mark Uyeda issued a dissenting statement in connection with the orders. At the time, their remarks were regarded as a bellwether, signaling anticipated shifts in SEC enforcement priorities if Donald Trump were to win the presidential election.
The SEC’s recent dismissal of the SolarWinds case is consistent with the SEC’s “back to basics” approach to enforcement priorities. The case was unique because it directly targeted the CISO, expanded disclosure liability to include cybersecurity risk disclosures, and used internal communications as evidence that SolarWinds and the CISO were aware of cybersecurity weaknesses. As such, the case raised concerns that CISOs could face personal liability and that cybersecurity risk disclosures would receive the same scrutiny as financial disclosures.
Although the dismissal could be viewed as a “win” against what was considered a novel cybersecurity enforcement theory and corresponding liability, public companies should remain vigilant and continue to monitor regulatory updates and SEC enforcement actions/litigation in the cybersecurity space. Further, public companies should ensure accurate and complete cybersecurity disclosures, consistent with the SEC’s final rules, and maintain robust internal protocols for raising such incidents. While the current SEC seems unlikely to prioritize the enforcement of these rules, the disclosures themselves can be leveraged by private litigants in connection with allegations of fraud and misrepresentation.