After two years of legal tension and industry-wide concern, the U.S. Securities and Exchange Commission (SEC) has officially dismissed its high-profile case against SolarWinds Corporation and its Chief Information Security Officer, Tim Brown. The litigation stemmed from the now-infamous 2020 Sunburst cyberattack, in which Russian-linked hackers infiltrated SolarWinds’ Orion software and used it as a launchpad to breach multiple U.S. federal agencies and private sector entities.
The SEC’s move to dismiss the case “with prejudice”, meaning it cannot be refiled, comes months after a federal judge tossed out most of the Commission’s claims, including those concerning delayed disclosures and broad assertions of misleading security posture.
Though one claim was initially allowed to proceed, the full case has now been closed, offering closure to what has become one of the most closely watched cybersecurity enforcement actions in U.S. history.
Why It Matters: The case became a litmus test for how far regulators might go in holding individual cybersecurity leaders personally accountable for breaches and disclosures. Its dismissal may ease fears among CISOs about bearing the full legal burden for systemic failures, and signals a likely recalibration of enforcement priorities in cyber risk regulation.
- SEC Formally Ends Legal Pursuit: The SEC filed a joint motion with SolarWinds and CISO Tim Brown to dismiss the case with prejudice, marking a definitive end to the enforcement effort. While no explanation was given for the withdrawal, the decision underscores the regulatory retreat from what had been one of the most ambitious attempts to hold a security executive personally liable for a breach. The SEC had previously argued that SolarWinds and Brown misled investors by overstating their cybersecurity capabilities and underreporting known vulnerabilities, claims that had already been largely dismantled in court.
- Earlier Court Ruling Undermined SEC’s Case: In a pivotal 107-page decision in mid-2023, U.S. District Judge Paul Engelmayer dismissed the majority of the SEC’s claims, citing insufficient evidence and an overreliance on hindsight. He found that most of the alleged disclosure failures were not clearly actionable under existing securities law. The only claim that survived, a statement about SolarWinds’ Orion platform security made prior to the breach, was allowed to move forward, but will now go unchallenged.
- Relief for CISOs Amid Liability Concerns: The lawsuit had a chilling effect across the cybersecurity community, especially among CISOs concerned about being held personally responsible for company-wide breaches. Tim Brown, who had previously spoken out at CyberLawCon about the anxiety the case created for security professionals, characterized the dismissal as a vindication. Industry leaders have echoed this sentiment, hoping the outcome resets the conversation around executive liability and encourages transparency rather than legal defensiveness.
- Sunburst’s Legal Legacy Still Ongoing: While SolarWinds and Brown are no longer facing SEC action, the broader fallout from the 2020 Sunburst breach continues to reshape the enterprise. Earlier this year, the SEC fined four cybersecurity firms, Unisys, Check Point, Avaya, and Mimecast, for allegedly minimizing the impact of Sunburst-related incidents in their disclosures. These fines, totaling several million dollars, show that while individual liability may be on the decline, organizational transparency is still under intense scrutiny. The case against SolarWinds may be over, but its implications for how companies report cyber risk are likely to endure.
Go Deeper:
- US SEC dismisses case against SolarWinds, top security officer – Reuters
- SEC drops case against SolarWinds tied to monumental breach – CyberScoop
- Feds Take Unprecedented Action Against CISO in SolarWinds Case – The National CIO Review
- SolarWinds CISO Speaks Out on Security Liability – The National CIO Review