SEC Drops Case Against SolarWinds After Years of Cybersecurity Scrutiny
- Nov 21, 2025
Key Findings
The U.S. Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer Timothy G. Brown.
The SEC alleged in 2023 that SolarWinds and Brown had misled investors about the security practices that led to the 2020 supply chain attack, which was attributed to a Russian state-sponsored threat actor.
However, in July 2024, the U.S. District Court for the Southern District of New York (SDNY) threw out many of these allegations, stating they "impermissibly rely on hindsight and speculation."
The SEC also charged other companies, including Avaya, Check Point, Mimecast, and Unisys, with making "materially misleading disclosures" related to the SolarWinds hack.
The latest development marks the end of an era that challenged SolarWinds, and the company's CEO, Sudhakar Ramakrishna, emphasized that they "emerge stronger, more secure, and better prepared than ever for what lies ahead."
Background
The 2020 SolarWinds supply chain attack, which compromised at least nine federal agencies and hundreds of companies, was one of the most significant cybersecurity incidents in recent history. The attack was attributed to a Russian state-sponsored threat actor known as APT29.
In October 2023, the SEC accused SolarWinds and its CISO Timothy G. Brown of "fraud and internal control failures," alleging that the company had defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks.
Dismissal of Allegations
In July 2024, the U.S. District Court for the Southern District of New York (SDNY) threw out many of the SEC's allegations, stating that they "impermissibly rely on hindsight and speculation." The court found that the SEC's claims did not plausibly plead actionable deficiencies in the company's reporting of the cybersecurity hack.
SEC's Broader Cybersecurity Enforcement
The SEC also charged other companies, including Avaya, Check Point, Mimecast, and Unisys, with making "materially misleading disclosures" related to the SolarWinds hack. This suggested a broader effort by the SEC to hold companies accountable for their cybersecurity practices and disclosures.
SolarWinds' Response and Outlook
SolarWinds CEO Sudhakar Ramakrishna welcomed the SEC's decision to drop the case, stating that it marks the end of an era that challenged the company. He emphasized that SolarWinds "emerge[s] stronger, more secure, and better prepared than ever for what lies ahead."
Sources
https://thehackernews.com/2025/11/sec-drops-solarwinds-case-after-years.html
https://cyberscoop.com/sec-drops-case-against-solarwinds-tied-to-monumental-breach/

