The U.S. Securities and Exchange Commission (SEC) and SolarWinds Corp., along with its former Chief Information Security Officer (CISO) Timothy Brown, have agreed to settle a groundbreaking enforcement action alleging securities fraud tied to cybersecurity disclosures. Filed in October 2023, the lawsuit accused SolarWinds and Brown of misleading investors about the company’s cybersecurity posture leading up to its December 2020 “Sunburst” breach, and of downplaying critical vulnerabilities in public statements.
On July 22, 2025, the parties submitted a joint motion to indefinitely stay all proceedings and postpone oral argument originally scheduled that day. They also committed to submitting a joint status report by September 12, 2025, pending final SEC Commissioners’ approval.
This settlement marks a pivotal shift. The SEC has historically pursued cases involving cyber-related disclosures under negligence standards. This case, however, is the first in which the agency advanced fraud claims, alleging that SolarWinds and its CISO intentionally misled investors.
Moreover, it is the first time the SEC named an individual executive as a defendant in a cyber-disclosure case. This signals growing regulatory assertiveness, particularly under new mandatory cybersecurity disclosure rules adopted by the SEC in recent months.
In July 2024, federal Judge Paul Engelmayer dismissed the majority of the SEC’s claims, including assertions under internal accounting controls (Sarbanes-Oxley) and many allegations concerning public filings and statements. He ruled that only a limited set of fraud claims tied to a “Security Statement” on SolarWinds’s website had survived the motion to dismiss.
SolarWinds and Brown’s motion argued the statement was truthful and implemented by the company, prompting the SEC to file an opposition in June 2025. Rather than proceed to full trial, the parties opted to strike an accord before in-person argument.
The Sunburst campaign, uncovered in December 2020, was a sophisticated supply-chain attack attributed to Russian group APT29. It affected nearly 18,000 of SolarWinds’s 33,000 Orion software users, including key U.S. federal agencies.
In the wake of that breach, the SEC intensified scrutiny of public disclosures by issuers. From October 2023 to October 2024, the agency pursued multiple cases for misrepresented cyber incidents, settling with R.R. Donnelley, Mimecast, Avaya, Check Point, and Unisys—all based on negligence, not intentional fraud.
The SolarWinds case stands out: instead of negligence, it directly tackles false or misleading statements by the company and its CISO regarding cybersecurity preparedness—underscoring a regulatory belief that material misstatements in this domain can violate federal securities laws.
Corporate lawyers and compliance officials have hailed the settlement as a landmark precedent. One expert observed: “It establishes that cybersecurity risks aren’t just operational issues — they are potential securities law violations if not properly disclosed.”
Expect this to trigger a wave of reforms in risk governance, including stronger board-level cybersecurity oversight, enhanced disclosure practices covering not just incident reporting but also risk management frameworks, and tighter internal controls and incident-response readiness to ensure material cyber risks are escalated swiftly and communicated accurately.
With the stay in effect, no proceedings will continue until the SEC Commissioners vote on the settlement. The September 12, 2025 deadline will mark when final settlement terms are expected or, failing that, when parties will advise on next steps—potentially including trial resumption or renegotiation.
If approved, the settlement could include fines, corporate governance agreements, or monitoring. Details will shed light on the SEC’s future approach: will this become a blueprint for more fraud-based cyber enforcement?
Interestingly, Reuters reports the SEC, now under Republican leadership, is backing the settlement—a sign the regulatory focus on cyber risk may transcend partisan divides amid rising systemic threats.
The SolarWinds-SEC settlement marks a transformative moment in securities law enforcement. By escalating cybersecurity from the realm of compliance to potential fraud liability, especially for executives, the SEC is sending a clear message: investors must receive truthful, material information about cyber health. As the SEC Commissioners deliberate, pressure mounts on public companies to take material cyber risks seriously at the board, policy, and governance levels.