The U.S. Securities and Exchange Commission’s closely watched lawsuit against software maker SolarWinds (“SolarWinds” or the “Company”) and its cybersecurity chief, Tim Brown, ended with a whimper last month when the Commission filed a joint stipulation seeking to voluntarily dismiss the case with prejudice, preventing the charges from being refiled. The dismissal marks the end of a yearslong saga that raised sweeping questions about cybersecurity obligations, corporate disclosure, and the personal liability of senior cybersecurity executives.
The case arose out of a devastating hack of SolarWinds software that affected U.S. government agencies, critical infrastructure entities, and private sector organizations. The hack, which was disclosed in late 2020, is believed to have been conducted by Russian intelligence agencies. In 2023, the SEC sued SolarWinds and its chief information security officer (“CISO”), alleging that the company’s cybersecurity disclosures before and after the hack defrauded investors by not disclosing allegedly known risks and vulnerabilities.
When filed, the case marked a potential turning point for cybersecurity regulation. It was the first instance in which the SEC pursued charges against a CISO personally under securities fraud statutes. The move unnerved security executives, who feared that they could be personally liable for internal vulnerabilities or imperfect risk management.
The joint stipulation dismissing the lawsuit followed an earlier ruling on a motion to dismiss that had gutted most of the SEC’s allegations, leaving only a narrow set of claims tied to online statements the Company had made, and Brown had approved, about its security practices before the attack.
The filing describes the Commission’s decision as an “exercise of its discretion” that “does not necessarily reflect [its] position on any other case.” The Commission cites neither new evidence nor a shift in policy, raising the specter that this particular case was simply too risky to pursue further.
The court’s earlier ruling—and the SEC’s quiet retreat—provide some measure of relief to companies and CISOs concerned that any cybersecurity incident could trigger a federal enforcement action. Yet the case stops short of providing a definitive signal as to how far the SEC might go in policing cybersecurity disclosures. Accordingly, because cybersecurity disclosures remain an SEC enforcement priority, and have increasingly become a focus of state regulators, companies should confirm that their disclosures include complete and accurate information about their cybersecurity policies and procedures.