SolarWinds Dismissed: What the SEC’s U-Turn Signals for Cyber Enforcement
The Securities and Exchange Commission’s (“SEC”) case against SolarWinds and its chief information security officer (“CISO”), Timothy Brown, ended abruptly on November 20, 2025, when the SEC agreed to dismiss its remaining claims against SolarWinds with prejudice.

The outcome caps a long-running and closely watched legal dispute that began with sweeping fraud and controls allegations tied to SolarWinds’ statements about its cybersecurity practices and its disclosures following the breach of its flagship Orion software platform in 2020. The dismissal comes amid a broader recalibration of enforcement priorities in the new administration, including the SEC’s announcement earlier this year that it will focus on public issuer “fraudulent disclosure” relating to cybersecurity—signaling a pivot away from actions based on more nuanced allegations of disclosure deficiencies. The SEC’s decision to abandon the SolarWinds case altogether is the most pointed example yet of that shift.

The SEC’s dismissal may bring a sigh of relief to many companies and CISOs who were concerned about the chilling effect the case could have on the work of security teams to proactively identify vulnerabilities and gaps in cyber programs. However, public companies must still proceed carefully when making public statements about their security programs. In the wake of a cyber incident, any number of federal, state, or international regulators, as well as courts and litigants, may scrutinize and seize upon a company’s cybersecurity disclosures as evidence of negligence or worse. This includes the SEC, which, in late 2023, issued new requirements for companies to disclose material cyber risks and incidents to investors. Accordingly, effective governance around drafting and vetting cybersecurity statements and disclosures remains critical.

I. Dispute Background

The SolarWinds lawsuit arose out of the 2020 supply-chain attack, widely attributed to the Russian Foreign Intelligence Service, in which the threat actors inserted malicious code into an Orion software update, allowing potential access to thousands of SolarWinds customers. Prior to and after its 2018 IPO, SolarWinds had published a “Security Statement” on its website describing its cybersecurity practices, including its password policies, access controls, secure development lifecycle practices, and use of the NIST Cybersecurity Framework. SolarWinds had also disclosed to investors that its systems were “vulnerable” to threats from nation-state actors. Once it discovered the attack in December 2020, SolarWinds filed a Form 8-K with the SEC and publicly disclosed the incident while continuing its investigation and remediation efforts.

In October 2023, the SEC brought an enforcement action against SolarWinds and Brown in federal court, alleging the defendants defrauded investors by overstating SolarWinds’ cybersecurity practices and understating known risks. First, the amended complaint alleged SolarWinds and Brown violated the Securities Act and Exchange Act by making materially false and misleading statements in the company’s Security Statement posted on its website, in SEC registration statements, and in press releases, blog posts, and podcasts. Second, the complaint alleged that SolarWinds violated reporting provisions by filing materially misleading cybersecurity risk disclosures in pre-incident public filings, and by issuing an incomplete December 2020 Form 8-K in which SolarWinds presented its understanding of the attack. Third, the SEC alleged that SolarWinds failed to devise and maintain adequate internal accounting controls under Section 13(b)(2)(B) of the Exchange Act, and it further alleged that Brown aided and abetted these violations. Finally, the agency claimed SolarWinds violated the requirements under Rule 13a-15(a) to maintain proper disclosure controls and procedures to escalate incidents to management. This case marked the first time the SEC brought a cybersecurity enforcement action against an individual CISO, and the first time it asserted accounting control claims based on technical cybersecurity failings.

II. 2024 Partial Dismissal

On July 18, 2024, U.S. District Judge Paul A. Engelmayer of the Southern District of New York issued a 107-page opinion dismissing most of the SEC’s claims. The court rejected the claims alleging false and misleading statements made in press releases, blog posts, and podcasts, finding them to be only “non-actionable corporate puffery.” It also rejected the allegations concerning the post-incident disclosures, emphasizing that they must be read in the context of an unfolding investigation and that the SEC’s arguments relied on the benefit of hindsight. The court dismissed the SEC’s novel internal accounting controls claims, holding that such controls are about assuring the integrity of the company’s financial transactions, not detecting or preventing cybersecurity deficiencies in source code or network environments. Finally, the court dismissed the Rule 13a-15(a) disclosure controls claim, finding that the existence of two misclassified incidents did not amount to “systemic deficiencies” in SolarWinds’ disclosure controls and procedures.

The only claims that were allowed to proceed concerned the representations in the website Security Statement about access controls and password protection policies. The court drew a line between “corporate puffery” and actionable statements and held that the Security Statement was publicly accessible and part of the “total mix of information” SolarWinds provided to the public, and that the SEC sufficiently pled that SolarWinds’ practices materially diverged from its statements.

III. 2025 Summary Judgment Proceedings

Following the court’s 2024 ruling, SolarWinds and Brown moved for summary judgment in April 2025. Signaling another shift in SolarWinds’ favor, the SEC acknowledged in a Joint Statement of Undisputed Facts that, during the relevant period, SolarWinds did implement practices described in its Security Statement, including use of the NIST Cybersecurity Framework; role-based access provisioning; enforcement of password complexity; and secure development lifecycle measures such as vulnerability testing, regression testing, penetration testing, and product security assessments.

IV. 2025 Settlement and Final Dismissal

On July 2, 2025, prior to any ruling on summary judgment, the SEC, SolarWinds, and Brown jointly notified Judge Engelmayer that they had reached a settlement in principle. The court stayed proceedings to allow the parties to finalize the settlement paperwork. The anticipated settlement, however, did not materialize. Instead, on November 20, 2025, the parties filed a Joint Stipulation to Dismiss, in which the SEC agreed to dismiss the remaining claims against SolarWinds and Brown with prejudice without any settlement conditions (other than a waiver of potential claims against the SEC and the United States arising from the litigation).

V. The Next Chapter: What to Take Away from SolarWinds

The dismissal indicates a shift in the SEC’s enforcement approach—one that narrows, but does not eliminate, risk for public companies. For now, it appears the Commission is moving toward a “back to basics” approach, focusing on egregious misstatements and material misrepresentations resulting in investor harm. Even as the SEC refocuses on more traditional fraud theories, companies remain exposed to liability and scrutiny across multiple fronts, including expanding and disparate regulatory regimes, as well as private litigation that mines public statements and incident reporting for inconsistencies or omissions.

1. Regulatory and litigation risk remains high

While the SEC may pare back enforcement, this does not mean that other regulators will follow suit. Sector-specific regulators and state regulators, for example, have been increasingly active in cyber enforcement and may fill the void. Global companies also face a growing array of international regulators that scrutinize cyber incidents with data privacy, critical infrastructure, and operational resilience impacts.

In addition to regulatory enforcement, private litigation remains active. Securities class actions are common following high-profile cyber incidents, particularly when public disclosures are contested. Indeed, plaintiffs’ firms are quick to file derivative suits alleging oversight failures, and consumer class actions under consumer protection laws are frequent when cyber incidents are made public.

Of course, courts and regulators evaluate these issues case by case. The record in SolarWinds turned on specific facts, many of which ended up more favorable to SolarWinds following discovery than the SEC had initially alleged. And while Judge Engelmayer agreed with several of SolarWinds’ key arguments related to the conduct and statements at issue, that is not to say that another court would reach the same outcome. One or two slightly different takes on the statements or actions in question could have swung the pendulum in the opposite direction.

Regardless of the outcome in this case, companies should continue to concentrate on the quality and accuracy of cybersecurity disclosures, the robustness of the governance and controls supporting those disclosures, and the documentation that demonstrates reasonable, risk-aligned practices. In particular, companies should ensure that incident materiality determinations are well documented, that cross-channel communications are consistent, and that governance processes tie public statements to verified technical facts.

2. Securities disclosure requirements have expanded

The disclosures at issue in SolarWinds took place before the SEC adopted its new rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (the “Cyber Rules”). Since December 2023, the Cyber Rules have imposed new requirements for timely Form 8-K reporting of material incidents and added detailed requirements for disclosures of cyber risk management and governance in annual reports. Companies should be diligent in ensuring that the disclosures and public statements they make today are in line with what the company has actually put into place. Even if the SEC declines to bring an enforcement action based on alleged disclosure deficiencies where there is no investor harm, the new triggering requirements and the expanded disclosures under the Cyber Rules heighten the risk that those statements, or the failure to make those statements, will be used against companies by private litigants and other regulators.

3. Executives are not off the hook.

The SolarWinds case raised concerns that CISOs could be subject to a low bar for personal liability. With the dismissal, companies may wonder whether individual executive exposure for cyber failures remains a serious risk. While the threshold for individual CISO enforcement risk may now be higher in the securities context, senior leaders may still be targeted in cases involving alleged misrepresentations, negligence, or failures in oversight that result in consumer or market harm.

Indeed, the expectation environment for CISOs and other senior leaders continues to intensify. Regulators increasingly expect sophisticated boards and executive teams to focus not only on the existence of cybersecurity programs, but on their specificity, execution quality, and alignment with risk standards. This includes probing “ground truth” technical measures like vulnerability management, identity and access controls, incident response readiness, logging and monitoring sufficiency, and third-party risk management—and assessing whether responsible individuals exercised appropriate oversight.

In short, while one case may reduce immediate headline risk, it may not meaningfully change the direction of the broader legal and regulatory landscape. Executives with cybersecurity oversight should continue to assume heightened scrutiny, ensure governance around risk prioritization and resourcing, and demonstrate reasonableness regarding technical controls and external statements.

4. Enforcement will vary by impact.

SEC enforcement is certainly not one-size-fits-all. Even given the SEC’s refocused priorities, enforcement could vary across companies and sectors. Factors such as inherent cyber risk, size, sophistication, and market impact may influence enforcement. Sectors that are more likely to suffer or inflict greater impact from significant operational disruptions, such as financial institutions, providers of pervasive technology services, or critical infrastructure, may be scrutinized more heavily. In other words, the greater the potential harm to shareholders or the market generally, the greater SEC scrutiny the company is likely to face.

5. Enforcement priorities could shift again.

Agency priorities often change from administration to administration, and the pendulum could swing back again. Companies should assume that shifts in enforcement emphasis are temporary and continue to anchor cyber governance in well-supported risk management practices that can withstand regulatory and judicial scrutiny.

VI. Final Takeaway

The SEC’s decision to dismiss its remaining claims against SolarWinds reflects a narrowing of one enforcement path but still leaves intact significant exposure, including more traditional securities actions, parallel regulatory regimes, and private litigation. The most durable mitigation is disciplined governance: aligning public statements with verified technical reality, documenting materiality and incident response judgments, and sustaining reasonable, risk-based controls. Those steps remain the foundation for withstanding scrutiny from investors, courts, and regulators—regardless of shifting enforcement cycles.
