- Key insight: The SEC dismissed its case against SolarWinds and its top cybersecurity officer "with prejudice," meaning the charges cannot be refiled, formally ending years of litigation over the 2020 Sunburst attack.
- What's at stake: Industry leaders feared the SEC's strategy would "weaponize" honest internal risk assessments, discouraging CISOs from documenting vulnerabilities for fear of future liability.
- Expert quote: SolarWinds CEO Sudhakar Ramakrishna stated the dismissal closes a challenging era and affirms the company's stance that their team "acted with integrity throughout."
Overview bullets generated by AI with editorial review
The Securities and Exchange Commission on Thursday formally dismissed its high-profile civil enforcement action against technology vendor SolarWinds and its chief information security officer, Timothy G. Brown.
The agency had accused the company and Brown of defrauding investors by engaging in a scheme to conceal, through public statements, what the commission called the software company's "long-standing, pervasive, systemic, and material cybersecurity deficiencies."
The dismissal ends a protracted legal battle over cybersecurity disclosures and internal controls related to the infamous 2020 Sunburst hack. It also marks the end of a potentially precedent-setting case that had rattled cybersecurity leaders by raising concerns nationwide about executive liability stemming from routine internal security assessments.
Sudhakar Ramakrishna, CEO of SolarWinds, said on Thursday the dismissal closed "an era that challenged our company, our team and our principles."
Ramakrishna noted that the company emerged "stronger, more secure, and better prepared" and affirmed the company's long-held stance: "We stood firmly with our CISO, Tim Brown, and this decision affirms our belief that our team acted with integrity throughout."
For his part, Brown, who has remained SolarWinds's CISO, said in
The Sunburst event
The enforcement action centered on the Sunburst event, an attack widely believed to have been conducted by state-sponsored hackers in Russia.
The attack compromised SolarWinds' Orion software platform, a flagship product that accounted for 45% of the company's revenue in 2020.
The compromise occurred after the threat actors gained initial access to SolarWinds' internal systems, exploiting a previously known weakness in the corporate virtual private network using stolen credentials and an unmanaged device in January 2019.
They then inserted non-malicious "test code" into Orion software builds in November 2019. Seeing this code went undetected, they began inserting malicious code in February 2020.
SolarWinds unknowingly distributed three compromised Orion software builds containing the Sunburst backdoor between March and June 2020.
Original estimates indicated that up to 18,000 customers across the globe downloaded the infected software. In 2022, SolarWinds said the actual number of customers affected by Sunburst was less than 100.
The threat actors utilized the Sunburst attack to conduct secondary attacks on these roughly 100 high-value customers, including U.S. government agencies, critical infrastructure entities, and private sector organizations, for the primary purpose of espionage.
The attack was first publicly revealed on December 13, 2020, after FireEye, a cybersecurity firm and SolarWinds customer, detected an intrusion into its own systems and subsequently found evidence that attackers used a backdoor in SolarWinds Orion.
FireEye informed SolarWinds of the compromise on December 12, 2020. That same day, SolarWinds' CEO was notified by an executive at FireEye. Upon learning of the breach, SolarWinds immediately began notifying Orion customers, asking them to upgrade to a patched version of the software immediately.
Security teams and vendors in the financial services sector spent the end of December 2020 conducting around-the-clock surveillance to ensure no payment networks had been breached.
Prior to the compromise, Brown had repeatedly raised internal alarms about the company's cybersecurity standing. For instance, Brown wrote in an October 2018 internal presentation that SolarWinds' "current state of security leaves us in a very vulnerable state for our critical assets."
At the time, Brown had been the head of security for SolarWinds, originally under the title of vice president of security and architecture.
The SEC sought to hold Brown responsible for what it asserted were misleading claims the company made in a public-facing security statement on its website. That statement included specifics about the company's software development lifecycle and related policies.
The SEC also sought to hold Brown responsible for public statements he made directly, whether in blog posts citing his name and podcast episodes published by SolarWinds, that touted the company's cybersecurity practices.
SolarWinds promoted Brown to chief information security officer (or CISO) shortly after Sunburst, in January 2021. Although Brown had already been the head of cybersecurity for the company, the promotion created a new executive position at the company.
Relatedly, Sudhakar Ramakrishna took over as CEO of SolarWinds on January 4, 2021. He had previously been scheduled to join the board and assume the CEO role from his predecessor, who had announced his imminent retirement months before.
The SEC's case and industry opposition
The SEC filed its enforcement action against SolarWinds and Brown in October 2023, alleging fraud and internal control failures.
Gurbir Grewal, director of the SEC's division of enforcement at the time, alleged that for years, SolarWinds and Brown ignored "repeated red flags" about cyber risks. He contended they instead "engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."
The SEC also claimed that Brown was aware the public statements about the company's strong security posture were fraudulent.
The alleged misstatements spanned several areas, including claims that SolarWinds followed the NIST Cybersecurity Framework, used a secure development lifecycle, had strong password protection and maintained good access controls.
The SEC identified Brown as the "owner" or "approver" of the misleading security statement on the company's website.
The lawsuit prompted an unusual intervention, including from the financial industry. Thirty current and former CISOs, including those of City National Bank of Florida and Axis Capital, filed a brief in their personal capacities opposing the action.
These CISOs argued that holding executives like Brown liable for alleged "inadequacies" in public filings was "counterproductive" because these disclosures are "not typically" the responsibility of CISOs.
They warned that the SEC's attempt to "weaponize" Brown's candid internal risk evaluations threatened to "chill internal discussions and candid self-assessments."
Furthermore, the CISOs asserted that liability under these theories "empowers threat actors, chills internal communications about cyber-threats, exacerbates the already severe shortage of cybersecurity professionals, and deters collaboration between the private sector and the government."
Brown's attorneys, meanwhile, argued in a motion to dismiss that the agency's targeting of Brown was "not only unwarranted but inexplicable" because he simply did his job, and "did it well."
Path to dismissal
The SEC's case began to unravel with significant rulings prior to the final dismissal. In July 2024, a Southern District of New York court dismissed much of the SEC's case.
Paul Engelmayer, a judge for the Southern District of New York, dismissed claims related to certain public statements by Brown, calling them "non-actionable corporate puffery." In other words, they were mere marketing.
The court also rejected a legal theory the SEC had offered in its attempt to prosecute the case. Engelmayer found that the law for "internal accounting controls" refers specifically to financial accounting and does not broadly encompass "every internal system a public company uses to guard against unauthorized access to its assets."
However, the judge sustained key claims related to the security statement posted on SolarWinds' website, finding that its representations regarding access controls and password protection were arguably "materially misleading by a wide margin."
Judge Engelmayer ruled that Brown could indeed be tried for his role, noting that Brown was "primarily responsible for creating and approving" the statement.
Despite these sustained claims, the parties reached a settlement in principle by July 2025, requesting a stay in litigation. On Thursday, the SEC officially filed a joint stipulation to dismiss the civil enforcement action against both SolarWinds and Brown "in the exercise of its discretion."
The SEC dismissed the case with prejudice, meaning that it cannot be re-introduced.
Lessons for financial institutions
The entire Sunburst saga and the eventual dismissal hold several critical lessons for bankers and their security teams.
Chilling effect avoided: The decision to drop the case may alleviate the threat of litigation chilling internal communications.
CISOs are now less likely to "refrain from candid communication for fear that an internal email or presentation intended to improve cybersecurity measures will be taken out of context by the SEC to claim that a CISO deliberately misled investors," as the brief filed by supporting CISOs had warned.
Some individual liability risk remains: While the case was dismissed, the court's rulings indicated that executives — especially those overseeing security and architecture, can face individual liability for misstatements and omissions, particularly concerning specific claims made in security statements, even if they do not directly sign SEC filings.
Perfect hindsight is not the standard: The court's dismissal of claims regarding the sufficiency of post-incident disclosures also reinforces that these disclosures will not be judged with perfect hindsight.
A company with proper disclosure procedures in place that makes a "lengthy, detailed, appropriately caveated" statement following a cybersecurity incident can expect to defeat legal claims against such a disclosure being insufficient or misleading,
Press relations matter: After the Sunburst attack, in a highly anticipated 2021 interview at cybersecurity conference RSAC, CEO Ramakrishna said one of the biggest things he would have done differently after Sunburst was have a stronger media presence.
"SolarWinds historically has kept to itself, focusing on customers, focusing on itself internally," he said. "And if I thought about one area where we were not fully prepared, unlike some companies that have armies of PR people just managing the message, and, in many cases, neutralizing it. We were not prepared."
