The SEC Backs Down in Landmark Cybersecurity Enforcement Case Against SolarWinds and Its CISO

Last week, the SEC agreed to voluntarily dismiss its high-profile case against SolarWinds Corporation (“SolarWinds” or the “Company”) and its Chief Information Security Officer (“CISO”), which has been pending for over two years in federal court. In late 2020, certain SolarWinds customers discovered that nation state threat actors had accessed the Company’s systems and inserted malicious code into its Orion software platform (the “SUNBURST attack”). In a departure from its previous cybersecurity enforcement strategy, which focused largely on disclosure controls and negligence-based violations, the SEC alleged that SolarWinds and its CISO committed scienter‑based securities fraud by allegedly lying about the Company’s cyber practices and risks, including about “multiple successful intrusions against Orion,” which the SEC characterized as the Company’s “crown jewel.” This marked the first time that the SEC sued an individual defendant in connection with a cybersecurity incident, surprising public company CISOs nationwide. The SEC now appears to be walking away from this aggressive cyber enforcement strategy. Though the joint stipulation emphasizes that the SEC’s decision to dismiss this case does not reflect its views in other matters, this dismissal may indicate a reduced appetite by the SEC to pursue scienter-based securities fraud claims based on cybersecurity-related public statements in security whitepapers and other materials that are not likely to be material to investors.

As discussed in our July 2024 client alert, Judge Engelmayer of the Southern District of New York had previously dismissed nearly all of the SEC’s claims against SolarWinds arising from the Company’s Forms 8-K disclosing the SUNBURST attack, cybersecurity risk disclosures in its annual and other SEC filings, and its internal accounting controls. What remained were narrow claims against SolarWinds and its CISO centered on allegedly materially misleading statements regarding access controls and password protocols in the Company’s “Security Statement,” a technical document for customers that was posted on the Company’s website. To prevail at trial, the SEC would have needed to show that SolarWinds and its CISO acted knowingly, recklessly, or negligently to deceive investors and potential investors through the Security Statement—a particularly high hurdle given that the CISO did not draft the Security Statement and the Company published it for customers (not investors) nearly a year before its IPO, when no public investors yet existed. In April 2025, SolarWinds moved for summary judgment, which the SEC opposed. In July 2025, the parties notified the court that they had reached a settlement pending approval by the SEC Commissioners.

Although it can be difficult to use one voluntary dismissal to predict the agency’s future cyber enforcement strategy, the conclusion of the much-watched SolarWinds litigation is notable. Last year’s motion to dismiss decision narrowed the SEC’s lawsuit to claims centered on a technical, customer-facing, pre-IPO Security Statement, which the defendants argued was not the type of information that was significant to investors. The SEC’s quick voluntary dismissal of those narrowed claims just a few months after summary judgment briefing suggests that the agency may think twice before bringing cybersecurity-related securities fraud cases absent a material misstatement in an SEC filing or some other type of document that commonly contains important information for investors and potential investors.