SEC and SolarWinds Reach Settlement in Cybersecurity Case


Authors

David A. Sakowitz, Jeffrey L. Steinfeld, Oriana Pietrangelo, Dominique S. Fry, Delilah Efimov

July 10, 2025

On July 2, 2025, the U.S. Securities and Exchange Commission (SEC) reached a preliminary settlement with SolarWinds Corp. (SolarWinds) and its chief information security officer, Timothy Brown (Brown), aiming to resolve litigation related to claims that SolarWinds and Brown misled investors by concealing weaknesses in SolarWinds’ information technology software and cybersecurity practices. Following notification of the proposed deal, U.S. District Judge Paul A. Engelmayer of the United States District Court for the Southern District of New York agreed to pause proceedings while the SEC completes its review of the proposed settlement.

The SEC’s lawsuit against SolarWinds claimed that the software company misled investors by downplaying known vulnerabilities in its information technology systems, including in a “Security Statement” published on its website. These weaknesses left SolarWinds vulnerable to cyberattacks, including the 2020 “Sunburst” breach, in which hackers with ties to the Russian state accessed data from thousands of SolarWinds clients, including the U.S. Department of Homeland Security, the U.S. Department of Commerce, and the U.S. Department of the Treasury. The SEC claims that SolarWinds and Brown were aware of the flaws in the SolarWinds software, including issues with access control and password protection practices, but failed to disclose them to investors.  The SEC also claimed that SolarWinds misled the investing public by minimizing the scope and severity of the Sunburst attack, including by omitting that customers had previously reported similar malicious activity. 

At the time it was filed, the enforcement action against SolarWinds marked several “firsts” for the SEC. It was the agency’s first cybersecurity case to include claims of fraud, and the first time an executive (Brown) was named as a defendant in such a case. Until this point, the SEC’s cybersecurity enforcement had been limited to claims of negligence.

Last year, in a 107-page order, the court dismissed nearly all the SEC’s claims but allowed a securities fraud claim based on the company’s Security Statement to go forward.  Specifically, the Court dismissed claims based on post-Sunburst statements, as well as pre-Sunburst statements other than the Security Statement.  The Court also dismissed a first-of-its-kind claim tied to deficiencies in SolarWinds’ accounting control procedures stemming from its cybersecurity failures.

In April, Defendants moved for summary judgment on the remaining claim, arguing that the Security Statement was not misleading because, among other things, the company implemented the policies described in the Security Statement.  The SEC filed its opposition in June. 

The settlement, which comes while Defendants’ motion is pending, would dispose of what remains of the case.  The terms of the settlement are not yet known, as it is subject to the review and approval of the SEC’s Commissioners.  In their letter notifying the court of the settlement, the parties requested that: (i) all pending dates in the litigation be indefinitely stayed; (ii) oral argument scheduled for July 22, 2025 be indefinitely postponed; and (iii) the parties file paperwork or a joint status report by September 12, 2025.

Key Takeaways
  • The enforcement action against SolarWinds marked the first time the SEC leveled fraud claims in a case related to cybersecurity disclosures. It also marked the first time an executive officer has been named as a defendant in a cybersecurity disclosure case.
  • The enforcement action commenced shortly after the SEC adopted final rules requiring comprehensive disclosure of material cybersecurity incidents, as well as material information about cybersecurity risk management, strategy, and governance in periodic reports.
  • The SEC’s decision to move forward with litigation against SolarWinds and Brown, combined with enhanced disclosure requirements and the case’s expected resolution through settlement, may signal the SEC’s future willingness to pursue enforcement actions related to cybersecurity disclosures that go beyond negligence and target individual corporate officers. However, given the change in administration, it is difficult to predict whether the SEC will continue pursuing similar enforcement actions going forward.
  • In 2024, the United States District Court for the Southern District of New York dismissed all of the SEC’s original claims concerning statements made in SEC filings and public statements by SolarWinds and Brown after the Sunburst attack and most of the SEC’s claims concerning statements made in SEC filings and public statements predating the Sunburst attack. The sole surviving claims related to statements made in the Security Statement. These results suggest an effort by the court to prevent overreach by the SEC while still highlighting the importance of maintaining accurate and detailed cybersecurity disclosures.

Winston’s Capital Markets & Securities Law Watch will continue to monitor developments related to the settlement, and we will provide our readers with additional updates as they become available.

For more information, or if you have any questions, please contact the authors of this blog post or your regular Winston contacts.

This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.

Copyright © 2025. Winston & Strawn LLP
