SEC to Drop Controversial SolarWinds Cyberattack Lawsuit

Nov. 20, 2025, 9:53 PM UTC

The US Securities and Exchange Commission will drop its landmark lawsuit against SolarWinds Corp. that accused the company of covering up internal problems ahead of a massive cyberattack.

The SEC, the software company and its top information security official jointly asked a federal court in Manhattan to end the case, according to an agreement filed on Thursday. The agency and SolarWinds in July said they had reached an agreement to settle the allegations.

The agency said the decision to seek dismissal is “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.” A SolarWinds spokesperson said the company was “clearly delighted” with the dismissal.

The move ends a controversial case for the SEC, which faced criticism from Wall Street and beyond that its allegations against SolarWinds went far afield of the agency’s typical enforcement remit. SolarWinds also slammed the agency, accusing the SEC of twisting facts to expand its regulatory turf to cybersecurity.

The SEC sued the Texas-based firm in October 2023, saying it blindsided investors by downplaying the risks leading up to a data breach that affected hundreds of public companies and several federal agencies. The regulator alleged securities fraud and controls violations and also accused the company’s chief information officer, Timothy Brown, of breaking securities laws by minimizing the hack. It was the first time the SEC sued a computer security executive for a cybersecurity-related issue.

The SEC at the time said the firm failed to maintain adequate controls and shared general, hypothetical risks about cyber threats in its financial statements when serious problems were ramping up behind the scenes.

A federal judge in July 2024 dealt the agency a major blow by dismissing much of the SEC’s lawsuit against the firm, including some claims against Brown. The judge also dismissed allegations that the firm violated decades-old accounting rules in connection with the hack.

Although SolarWinds disclosed the hack in December 2020, Russian state-sponsored hackers breached the company’s networks as early as January 2019, according to investigations into the attack. When customers installed an update to a popular piece of SolarWinds software, they inadvertently opened a digital door that let hackers sneak into their networks.

The SEC alleged that SolarWinds and Brown were warned of weak cybersecurity within the company, but that they painted a rosier picture to investors. The agency said that the company and Brown were regularly alerted to security deficiencies, with Brown writing in an internal presentation in 2018 that the “current state of security leaves us in a very vulnerable state for our critical assets.”

To contact the reporter on this story:
Nicola M White in Washington at nicwhite@bloomberg.net

To contact the editors responsible for this story:
Megan Howard at mhoward70@bloomberg.net

Anthony Aarons

© 2025 Bloomberg L.P. All rights reserved. Used with permission.
