SEC and SolarWinds Reach Settlement: A Turning Point in Cybersecurity Enforcement

In a significant development that could reshape how cybersecurity incidents are handled in corporate America, the U.S. Securities and Exchange Commission (SEC) has reached a preliminary settlement with SolarWinds Corp and its Chief Information Security Officer Timothy Brown, ending a landmark lawsuit that has captivated the tech and legal communities since 2023.

The End of a Legal Saga

On July 2, 2025, both parties filed a joint motion to stay court proceedings while they finalize the settlement paperwork. This agreement comes after U.S. District Judge Paul Engelmayer had dismissed much of the regulator’s case last year, saying that the claims were based on “hindsight and speculation.”

The case centered around the devastating Sunburst cyberattack, a sophisticated Russia-linked operation that compromised SolarWinds’ Orion platform and subsequently infiltrated numerous U.S. government agencies and private organizations. The attack, which spanned nearly two years before its discovery in 2020, represents one of the most significant supply chain attacks in history.

What Made This Case Groundbreaking

The SEC’s lawsuit against SolarWinds broke new ground in several ways:

1. First of Its Kind: This appears to be the first time the SEC has sued a company that has been the victim of a cyberattack, rather than charging it and simultaneously settling.

2. Individual Accountability: The decision to bring charges against the company’s CISO personally sent shockwaves through the cybersecurity industry, raising questions about personal liability for security executives.

3. Expanding SEC Authority: The case represented an ambitious attempt by the SEC to expand its enforcement authority in cybersecurity matters, particularly through internal accounting controls provisions.

The Court’s Pivotal Ruling

Judge Engelmayer’s July 2024 decision dealt a significant blow to the SEC’s approach. According to a detailed analysis by Holland & Knight, the court rejected the SEC’s efforts to expand the Securities Exchange Act’s “internal accounting controls” provision to encompass an issuer’s cybersecurity controls. The ruling established important precedents:

Limiting SEC Overreach: The court found that innocent errors are “an inadequate basis” on which to plead deficient disclosure controls

Protecting Against Hindsight Bias: The dismissal of material misrepresentation claims that relied on speculation

Clarifying Disclosure Requirements: The decision provided clearer boundaries for what constitutes adequate cybersecurity risk disclosure

Industry Implications Moving Forward

This settlement marks a crucial moment for corporate cybersecurity practices and disclosure requirements. Here’s what it means for businesses:

For CISOs and Security Leaders:
The case initially created anxiety about personal liability, but the court’s ruling and subsequent settlement suggest a more balanced approach to accountability. Security leaders can focus on implementing robust controls without fear of excessive personal exposure.

For Public Companies:
The outcome provides clearer guidance on cybersecurity disclosure obligations. Companies must be transparent about material risks but aren’t required to predict every possible breach scenario.

For Investors:
The case highlights the importance of understanding cybersecurity risks in investment decisions while recognizing the limitations of what companies can reasonably disclose without compromising security.

Looking Ahead: A New Era of Cyber Governance

While the specific terms of the settlement remain undisclosed, a SolarWinds spokesperson said the company is “pleased with the potential resolution and happy to focus on driving our business forward without distraction.” The parties are expected to file final settlement paperwork by September 12, 2025.

This case has already influenced how companies approach cybersecurity governance and disclosure. The SEC’s new Cybersecurity Risk Management rules, which took effect after the alleged conduct in this case, reflect lessons learned from this litigation.

Key Takeaways

As we await the final settlement details, several important lessons emerge:

Balance is Key: Regulators and courts are finding a middle ground between holding companies accountable and avoiding unreasonable standards

Transparency Matters: Companies must be honest about their cybersecurity posture without creating roadmaps for attackers

Collaboration Over Confrontation: The settlement suggests both sides recognize the value of cooperation in improving cybersecurity practices

The SolarWinds case will be remembered as a watershed moment that helped define the boundaries of cybersecurity accountability in the modern era. As cyber threats continue to evolve, this settlement provides a foundation for more constructive dialogue between regulators, companies, and security professionals.

Stay tuned for updates as more details about the settlement emerge in September 2025.

