The SEC announced that it was seeking dismissal of the federal court action against SolarWinds Corp. and its now chief information security officer, in which the SEC had alleged in 2023 that the company and its security officer had violated U.S. securities laws by making misleading disclosures about cybersecurity vulnerabilities prior to the 2020 Sunburst attack.[1] The SEC, SolarWinds and its chief information security officer have filed a joint motion to dismiss the case with prejudice. This case received widespread attention for, among other things, seeking to hold the then Vice President of Security and Architecture liable for the company’s SEC disclosures and challenging the company’s internal controls on the basis of insufficient cybersecurity controls.
Case Background
The SEC initially brought an enforcement action in 2023 against SolarWinds Corp. and its vice president, Timothy Brown, in the U.S. District Court for the Southern District of New York, alleging misleading disclosures about cybersecurity vulnerabilities prior to the 2020 Sunburst attack. The case received widespread attention, not least because it was the first case brought seeking to make a chief information security officer liable for disclosure in his company’s SEC filings.
In July 2024, Southern District Judge Paul Engelmayer dismissed most of the SEC’s claims, but the judge allowed significant fraud-based charges to proceed against both the company and the individual. The language of the court’s 2024 order was interpreted by some as signaling that the remaining claims had merit, prompting speculation that the parties would seek a settlement on the narrower fact pattern. The ruling also left only the possibility of resolving the matter on a fraud basis as the lesser claims were dismissed.
Initially, the SEC appeared committed to pursuing the case – early in the Trump Administration, the SEC stated its intent to take the remaining fraud claims to trial. On July 2, 2025, SolarWinds, Brown, and the SEC informed the court that they had reached a settlement in principle, with plans to finalize and file by September 12, 2025. Then on September 2, 2025, Margaret Ryan assumed the role of Enforcement Director at the SEC. Two months later, in November 2025, the SEC, together with SolarWinds and Brown, filed for voluntary dismissal of the entire case.
Was Settlement Contemplated?
Notwithstanding the dismissal of this case, several facts suggest that a settlement among the SEC, SolarWinds and Brown was contemplated—and may even have been presented to the Commission or at least considered for calendaring—but was ultimately abandoned after the SEC leadership change:
- Timing of Leadership Change: Margaret Ryan’s appointment as Enforcement Director at the SEC coincided with the period when settlement terms in this case were expected to be finalized.
- Direct Involvement: Ms. Ryan personally signed the dismissal filing as counsel of record, not the prior litigation team—a highly unusual step for a routine resolution.
- Public Position: The SEC had previously indicated it would proceed to trial, even earlier in this administration, making the reversal striking.
- Settlement Indication and Delay: The parties told the court in July 2025 that they had reached a settlement agreement, yet dismissal occurred only in November, well beyond the court’s September deadline.
- Fee Waiver: SolarWinds and Brown agreed not to seek attorney fees in exchange for dismissal, suggesting that concessions were made to end the litigation.
Taken together, these factors strongly suggest that a substantive settlement was negotiated during this administration but abandoned after Ms. Ryan became director of the SEC’s enforcement division. Any such settlement would likely have been significant as it could only have been a settlement involving fraud charges given the dismissal of all other charges. Such a result could have had major consequences for both SolarWinds and its CISO—potentially involving a “neither admit nor deny” resolution of the non-scienter fraud provision and possibly financial penalties.
The SEC’s decision to dismiss rather than pursue trial or finalize settlement could reflect either or both (1) a strategic shift in enforcement priorities under current leadership or (2) a view that companies had not received sufficient notice for this type of case to proceed. The dismissal order arguably reinforces this interpretation, stating the action was dismissed “in the exercise of [the SEC’s] discretion” and “does not necessarily reflect the Commission’s position on any other case.” This language also cautions against reading the decision as a retreat from cybersecurity enforcement.
Takeaways for Public Companies - Continued Enforcement Risk
Despite the dismissal of this case, we believe public companies should remain careful in their cybersecurity disclosures as SEC enforcement risk in this area remains:
- Cybersecurity Rule and Enforcement Focus: The SEC’s cybersecurity disclosure rule remains in effect. The Division of Enforcement’s recent transformation of the Crypto Assets Unit into the Cyber and Emerging Technologies Unit underscores continued focus on cyber-related disclosures and governance.
- Front-Page Risk: A major cybersecurity event causing significant investor harm and receiving widespread public attention could trigger enforcement—even under current leadership—due to reputational and investor protection concerns.
- Five-Year Statute of Limitations: Securities fraud claims remain actionable for five years, meaning similar cases could still be pursued. The SolarWinds conduct occurred during the first Trump Administration, yet litigation extended well into the Biden era.
- Consistency of Company Disclosure: Companies should seek to make external communications surrounding cybersecurity consistent with disclosure in the SEC filings. In the SolarWinds case, the SEC looked not just at the Form 10-K and 10-Q disclosure but also at the company’s public Security Statement as well as the CISO’s public statements.
- Robust Internal Controls: To mitigate litigation risk, companies need to implement comprehensive policies for cybersecurity event prevention, detection, remediation, and timely disclosure.
- Cyber Hygiene: Companies also need to promote strong cyber hygiene practices across the organization to reduce vulnerabilities and ensure compliance with SEC requirements.
[1] Freshfields filed an amicus curiae brief in the litigation discussed in this update on behalf of trade organizations supporting Chief Information Security Officers and information security professionals. In addition, through her prior role at the SEC, partner and co-author Melissa Hodgman was at the Commission and directly involved in the SolarWinds matter. The issues and analysis in this piece are based solely on information from publicly available sources.
