SEC Halts SolarWinds Lawsuit Following Significant Legal Challenges

Major Legal Proceedings Conclude as Judge Dismisses SEC’s Cyber Fraud Claims Against SolarWinds

In a significant legal development, the U.S. Securities and Exchange Commission (SEC) has dropped its remaining allegations against SolarWinds and its Chief Information Security Officer, Tim Brown. This conclusion ends a prominent lawsuit initially focused on claims that SolarWinds concealed cybersecurity vulnerabilities prior to a major Russian cyberattack.

This dismissal was formalized in a Thursday court filing, in which the SEC and the defendants asked the court to dismiss the case with prejudice. This lawsuit stemmed from the 2020 espionage operation linked to Russia, which raised alarms within the cybersecurity community as the SEC adopted a more aggressive stance in enforcing cyber regulations in 2023. The SEC’s original complaint was substantially weakened when U.S. District Judge Paul Engelmayer ruled against many of the SEC’s arguments in 2024, particularly those related to events that occurred following public acknowledgment of the breach.

Brown, notably one of the few CISOs to face personal allegations in a securities fraud case associated with a cyber incident, expressed relief regarding the outcome through a LinkedIn post, stating, “We did nothing wrong and fought relentlessly over the last three years to prove that.” SolarWinds also expressed satisfaction with the dismissal, highlighting the support it received from various stakeholders throughout the legal proceedings.

The SEC’s allegations suggested that SolarWinds maintained an overly optimistic narrative about its security posture while there were internal assessments indicating flaws in access controls and other security practices. The agency aimed to demonstrate that this misrepresentation misled investors regarding the company’s cybersecurity risks prior to the incident being made public.

This case became a focal point for discussions among security leaders, many of whom cautioned that the SEC’s approach risked extending securities law interpretations beyond traditional boundaries. The agency’s direct targeting of individual executives, coupled with its reliance on internal control provisions, positioned the SEC to potentially hold senior executives accountable for operational gaps typically viewed as outside of securities law’s financial scope.

Ilia Kolochenko, CEO of the cybersecurity firm ImmuniWeb, noted that the SEC likely aimed to conserve resources by exiting this high-profile case rather than risking further complications. He cautioned security leaders against assuming that personal liability risks for data breaches had diminished, indicating that regulatory scrutiny might persist under various agencies even in a seemingly more favorable federal climate.

Analysts point to a shift in leadership dynamics at the SEC influencing its enforcement posture. Previously aggressive under the Biden administration’s Democratic majority, the SEC’s regulatory approach has become more cautious following recent changes. Observers of the SEC anticipate that the agency may focus on narrower, disclosure-based cases instead of pursuing expansive interpretations of securities regulations in the context of cybersecurity.
