On November 20, 2025, the Securities and Exchange Commission (SEC) dismissed its landmark enforcement action against SolarWinds Corp. and the company’s Chief Information Security Officer, Tim Brown. In 2023, the SEC’s enforcement action broke new ground as the first formal action by the Commission against a CISO and the first civil fraud action litigated by the SEC related to a public company’s cybersecurity disclosures.
Dismissing the action comes as somewhat of a surprise after the parties announced a pending settlement of the case earlier this year, following a decision partially granting SolarWinds’s motion to dismiss the SEC’s complaint.
Nearly five years after the initial cybersecurity incident impacting SolarWinds and certain of its customers, the SEC’s dismissal marks the end of a long chapter for the company. This dismissal also reflects a broader trend, with a recent report finding that SEC enforcement actions against public companies declined by 30% in fiscal year 2025 (and a significant majority of the enforcement actions filed in fiscal year 2025 were filed by the previous administration). Nevertheless, the SEC’s Division of Examination recently affirmed that reviewing cybersecurity practices by registered investment advisors and broker-dealers remains a priority for 2026, indicating that the Commission remains focused on protecting “investor information, records, and assets” that could be impacted in a cyber incident.
