SEC Dismisses Remainder of SolarWinds Case

On November 20, 2025, the U.S. Securities and Exchange Commission (“SEC”) issued a brief announcement that it filed a joint stipulation with defendants SolarWinds Corporation and its Chief Information Security Officer (“CISO”) to dismiss, with prejudice, the SEC’s ongoing civil enforcement action against them. Thus ends the SEC’s highly controversial and widely criticized case against a public company and its CISO over a series of cybersecurity incidents likely initiated by a nation-state actor.

As we previously reported, in October 2023, the SEC sued software developer SolarWinds and its former CISO, alleging that SolarWinds misled investors about a series of heavily publicized cyber attacks that targeted the company, culminating in the December 2020 Sunburst malware attack. In addition to alleging securities fraud and violations of SEC reporting provisions, the SEC also alleged that SolarWinds violated Sarbanes-Oxley Act internal control provisions. In July 2024, the judge in the case dismissed most of the SEC’s claims. In July 2025, the SEC and the defendants then jointly petitioned the judge for a stay pending final settlement, which required the approval of the SEC’s four commissioners. It appears that this approval has now been obtained.

The “with prejudice” condition of the joint stipulation means the SEC cannot bring similar claims against the defendants arising out of this incident and related circumstances. The joint stipulation also notes that the SEC’s decision to seek dismissal is “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.” Interestingly, the joint stipulation provides that the defendants relinquished the right to seek reimbursement of attorney’s fees or other fees, expenses or costs associated with their defense.

With the change in presidential administrations and shift in enforcement priorities at the SEC, we do not expect the SEC to pursue similar cybersecurity enforcement cases in the near term. Nevertheless, the statute of limitations on most securities claims is five years, and a future administration may take a different view on SEC cybersecurity enforcement. The settlement does not impact the ability of private plaintiffs to bring securities claims. Companies should therefore remain vigilant about their potential SEC reporting obligations whenever a cybersecurity incident occurs.
