SEC Ends Legal Battle Against SolarWinds After Prolonged Cybersecurity Investigation

The U.S. Securities and Exchange Commission (SEC) has formally withdrawn its lawsuit against SolarWinds and the company’s chief information security officer, bringing an end to a high-profile case that centered on allegations the firm misled investors about its security posture prior to the major 2020 supply chain breach.

A joint motion submitted on November 20, 2025, by the SEC, SolarWinds, and CISO Timothy G. Brown requested the court to voluntarily dismiss the action. In the filing, the SEC noted that its choice to abandon the litigation “does not necessarily reflect the Commission’s position on any other case.”

The original complaint, filed in October 2023, accused SolarWinds and Brown of “fraud and internal control failures,” asserting that the company had overstated the strength of its cybersecurity measures and either downplayed or failed to disclose known vulnerabilities and risks.

The regulator argued that both the company and its security executive ignored “repeated red flags” and did not adequately safeguard corporate systems, ultimately allowing the supply chain attack discovered in late 2020. That intrusion was attributed to the Russian state-backed group APT29.

According to the SEC’s earlier claims, “Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.”

However, the case began to unravel in July 2024, when the U.S. District Court for the Southern District of New York ruled that many of the allegations “do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and that they “impermissibly rely on hindsight and speculation.”

Following the partial dismissal, the SEC broadened its enforcement activity by pursuing Avaya, Check Point, Mimecast, and Unisys, charging them with making “materially misleading disclosures” related to the widespread cyber attack that originated from the SolarWinds breach.

Responding to the latest development, SolarWinds CEO Sudhakar Ramakrishna issued a statement saying the conclusion of the case represents the end of a difficult chapter for the company. He stressed that “we emerge stronger, more secure, and better prepared than ever for what lies ahead.”

By fLEXI tEAM