SEC Dismisses Remaining SolarWinds Claims

While timely and accurate disclosure of material cybersecurity events remains paramount, the SEC's retreat from its aggressive SolarWinds case may signal a recalibrated enforcement approach in these cases.

On November 20, 2025, the U.S. Securities and Exchange Commission ("SEC") asked the U.S. District Court for the Southern District of New York to dismiss with prejudice what remained of its case against SolarWinds and former chief information security officer Timothy Brown, arising from the major cyberattack SolarWinds disclosed in 2020. 

When filed in October 2023, the case alarmed in-house gatekeepers because it charged Brown with securities fraud based partly on his responsibility for the technical content and accuracy of the company's cybersecurity risk disclosures. The SEC alleged that Brown's internal risk assessments conflicted with these disclosures. But many viewed the case as punishing Brown for doing his job and feared it would chill candid internal assessments of cybersecurity risk.

The SEC also claimed that SolarWinds' allegedly deficient cybersecurity controls violated its statutory obligation to maintain internal accounting controls. This novel theory stretched "accounting controls" to encompass an issuer's operational controls, an approach SEC Commissioners Peirce and Uyeda sharply criticized in another case.

In July 2024, the court dismissed most of the SEC's case, including what it called the "untenable" internal accounting controls claim, leaving only a narrow set of charges concerning pre-incident representations about access controls, password policies, and cybersecurity practices.

The SEC offered no reason for seeking to dismiss the remaining claims beyond an "exercise of discretion" that "does not necessarily reflect [its] position on any other case." The agency may simply have reassessed the likelihood of prevailing on these claims or of obtaining meaningful relief for increasingly aged conduct. But this shift also could reflect a recalibrated approach to cybersecurity enforcement more consistent with this administration's distaste for "victimizing the victim," something Commissioners Peirce and Uyeda previously criticized as "Monday morning quarterbacking." 

Despite this outcome, cybersecurity disclosure remains an SEC priority. Earlier this year, the SEC repurposed its cryptocurrency enforcement unit to focus on "public issuer fraudulent disclosures relating to cybersecurity," and the SEC's Division of Examinations highlighted cybersecurity resilience in its 2026 exam priorities for financial services firms. And the SEC's 2023 cybersecurity incident disclosure rule for public companies remains in force. Accordingly, issuers should confirm that their disclosure controls and procedures capture complete and current information about the company's cybersecurity posture to permit timely and accurate disclosure of material cyber incidents.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.