SEC drops SolarWinds lawsuit

The case that threatened to make CISOs responsible for security failures has been scrapped – but execs shouldn't rest too easily

[Image: SolarWinds logo and branding pictured on an office building. Image credit: Getty Images]

The US Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer, Tim Brown.

The case goes back to 2023, when the SEC claimed that the company had defrauded investors by misleading them about a cyberattack lasting nearly two years.

The Sunburst attack saw around 18,000 organizations infected with malware, including Microsoft, Intel, FireEye, Cisco and several US government departments. The SEC alleged that the company should have seen it coming, as an in-house engineer had warned of serious security issues in 2018. SolarWinds overstated its cybersecurity practices and understated known risks, or failed to disclose them at all, the SEC said.

"Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information," said Gurbir S. Grewal, director of the SEC's Division of Enforcement, at the time.

However, the SEC suffered a major setback in the case last year, after a US District Court judge dismissed most of the charges. Judge Paul Engelmayer of the Southern District of New York said the claims "impermissibly rely on hindsight and speculation".

The case has now been dropped altogether. The SEC said it had taken the decision "in the exercise of its discretion" and that it did not necessarily reflect the Commission's position on any other case.

"For obvious reasons, the SEC did not want to take a risk in this highly publicized and closely watched case, instead preserving its resources for upcoming lawsuits where it can prevail in court with certainty," said Ilia Kolochenko, CEO at ImmuniWeb and vice chair of the American Bar Association's Information Security Committee.

"In sum, one should be prepared for new legal actions by the SEC that may lead to major victories of the federal agency."

There was potential for the case to be a turning point in the cybersecurity industry, a moment that could have set a precedent for the liability of individual executives in the event of a cyber incident.

However, according to Kolochenko, cybersecurity professionals and executives shouldn't get the idea that the risk of personal liability for data breaches has vanished.

"While the 2025 federal enforcement policy in the US is rather innovation and technology friendly, it does not mean that, for example, the FTC or FCC will turn a blind eye to major data protection violations by private corporations," he said.

"The SEC has likewise made it crystal clear that it will not stop exercising its policing rights, while being much better prepared after its SolarWinds experience."

He added that there's always the possibility of private lawsuits from aggrieved investors or even victims of data breaches: "In sum, the cybersecurity community should stay prudent and vigilant; the new litigation era is just starting."

In a blog post, SolarWinds CEO Sudhakar Ramakrishna welcomed the SEC's decision and defended the company's actions.

"We chose to confront the attack with radical transparency, urgency, collaboration, humility, and a strong commitment to doing the right thing for our customers and the broader community," he said.

"We said from the beginning – and demonstrated during the litigation – the claims were unfounded, and we are happy the SEC has finally decided to abandon them. We stood firmly with our CISO, Tim Brown, and this decision affirms our belief that our team acted with integrity throughout."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.