The U.S. Securities and Exchange Commission (SEC) has formally abandoned its high-profile lawsuit against the technology company SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown. The case, originally filed in October 2023, alleged that the company had misled investors regarding its cybersecurity practices leading up to the massive 2020 supply chain attack. This significant development was marked by a joint motion for voluntary dismissal filed by the SEC, SolarWinds, and Brown on November 20, 2025, asking the court to end the proceedings.
The initial complaint from the SEC accused both SolarWinds and Brown of “fraud and internal control failures,” asserting that the company had defrauded investors by both overstating its security posture and failing to adequately disclose known risks and vulnerabilities. Specifically, the agency claimed that both the company and Brown ignored multiple “repeated red flags” concerning cybersecurity issues, ultimately resulting in the widespread supply chain compromise. This devastating attack was later publicly attributed to a sophisticated Russian state-sponsored threat actor known as APT29.
Central to the SEC’s case were allegations concerning Brown’s role, with the agency asserting that he “was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.” However, the strength of the SEC’s case was severely diminished in July 2024 when the U.S. District Court for the Southern District of New York (SDNY) threw out many of these specific allegations. The court ruled that the complaints did not “plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and were deemed to “impermissibly rely on hindsight and speculation.”
Despite the dismissal of many claims, the SEC proceeded with the case until the recent joint motion for dismissal. Notably, the agency issued a cautionary statement that its decision to seek dismissal of the SolarWinds action “does not necessarily reflect the Commission’s position on any other case.” Following the initial SolarWinds breach, the SEC had also brought charges against other major companies—including Avaya, Check Point, Mimecast, and Unisys—for making “materially misleading disclosures” that stemmed from the same large-scale cyber attack.
Following the news of the lawsuit’s conclusion, SolarWinds CEO Sudhakar Ramakrishna issued a statement welcoming the outcome. Ramakrishna emphasized that the dismissal marks the definitive end of an era that presented significant challenges for the organization. He concluded by stressing that the company has now emerged from the ordeal “stronger, more secure, and better prepared than ever for what lies ahead,” effectively closing the book on the long-running regulatory and legal scrutiny related to the 2020 breach.
Reference:
