The US Securities and Exchange Commission is set to drop its high-profile lawsuit against SolarWinds Corp., which alleged the company concealed critical internal issues before a sweeping cyberattack.
According to a filing on Thursday, the SEC, SolarWinds, and the company’s top information security executive jointly asked a federal court in Manhattan to bring the case to a close. Back in July, the agency and SolarWinds signaled they had already reached a deal to resolve the allegations—an agreement that now appears headed for the finish line.
The agency said it was moving to dismiss the case "in the exercise of its discretion," adding that the move "does not necessarily reflect the Commission’s position on any other case." A SolarWinds spokesperson said the company was "clearly delighted" by the decision—an outcome that seemed to lift a weight off its shoulders.
The move closes out a highly controversial chapter for the SEC, which had come under fire from Wall Street and others for pursuing allegations that critics said strayed far beyond the agency’s usual enforcement lane. SolarWinds, for its part, blasted the SEC as well—accusing the regulator of twisting the facts in an effort to stretch its authority into the cybersecurity arena.
The SEC sued the Texas-based company in October 2023, alleging it misled investors by downplaying the risks ahead of a sweeping data breach that compromised hundreds of public companies and multiple federal agencies. Regulators accused SolarWinds of securities fraud and internal controls failures—and charged its chief information security officer, Timothy Brown, with violating securities laws by minimizing the severity of the hack. It marked the first time the SEC had ever taken a computer security executive to court over a cybersecurity incident.
At the time, the SEC argued that the company failed to maintain adequate controls and offered only vague, hypothetical warnings about cyber risks in its financial filings—even as serious issues were quietly escalating behind the scenes.
In July 2024, a federal judge delivered a major setback to the agency by tossing out much of the SEC’s case against the company—including several claims targeting Brown. The court also rejected allegations that the firm had violated decades-old accounting rules in connection with the cyberattack.
Although SolarWinds revealed the breach in December 2020, investigations show that Russian state-sponsored hackers had infiltrated the company’s networks as early as January 2019. When customers installed an update to one of SolarWinds’ widely used software products, they unknowingly opened a digital door that allowed hackers to slip into their systems.
The SEC claimed that SolarWinds and Brown had been repeatedly warned about weak cybersecurity within the company but presented a far more reassuring picture to investors. According to the agency, the company and Brown were regularly alerted to security gaps, with Brown himself noting in a 2018 internal presentation that the "current state of security leaves us in a very vulnerable state for our critical assets."
Photo: The entrance sign at SolarWinds Corp. headquarters in Austin, Texas. Photo credit: Bronte Wittpenn/Bloomberg.