On November 20, 2025, the Securities and Exchange Commission and defendants SolarWinds Corp. and Timothy G. Brown filed a joint stipulation to dismiss with prejudice the SEC’s civil enforcement action pending in the Southern District of New York. The SEC would dismiss all claims concerning the conduct alleged in the SEC’s Amended Complaint and includes broad waivers and releases by the defendants of any related claims against the SEC and its personnel. This follows a July 2, 2025 letter to the court that stated that the parties had reached a settlement in principle, and sought time “to finalize the paperwork for the settlement, and for the Commissioners to then consider and determine whether to approve the settlement.”  The stipulated dismissal does not address what may have changed, and why the matter ultimately resolved through a dismissal rather than a settlement. 

Procedural Posture and Disposition

The Commission filed suit on October 20, 2023, and filed an Amended Complaint on February 16, 2024. On July 18, 2024, the court granted the defendants’ motion to dismiss in part and denied it in part. That ruling dismissed SEC claims that statements made by SolarWinds regarding a significant cyber incident and its cybersecurity preparedness and risks had been misleading, and also dismissed SEC claims relating to SolarWinds’s internal accounting controls.  The stipulation cites that ruling and notes that, in light of the court’s decision and “in the exercise of its discretion,” the Commission determined that dismissal with prejudice is appropriate.

What the Dismissal Means—and What It Does Not

The SEC explicitly cautions that the decision to seek dismissal “does not necessarily reflect the Commission’s position on any other case.” But while not strictly precedential, the decision to dismiss such a high-profile enforcement action is very significant.  This case attracted worldwide attention when filed, particularly because it was the first time the SEC had named a cyber security professional as an individual defendant.  After its filing, many CISOs in the US thought differently about their potential personal liability in the event of a cyber incident.  It also led executive leadership and directors to prioritize corporate cyber regulatory issues. 

Among the reasons the SEC may have decided to dismiss this case now could include concern within the SEC that it could not prove its claims at trial.  Had the case proceeded to trial, the SEC would have had the burden to prove that a security statement SolarWinds published on its website concerning its cyber readiness and processes was fraudulent.  SolarWinds had publicly disclosed evidence it believed refuted the SEC claims, which may have influenced the SEC’s decision.  The dismissal could also indicate that current SEC leadership is now pursuing a different approach to cybersecurity enforcement more broadly.  Unfortunately, the dismissal stipulation was silent as to what motivated the the SEC’s decision, nor have any Commissioners publicly discussed it. 

Practical Implications for Public Companies and Executives

In our view, the dismissal is a consequential development for issuers, CISOs, and boards navigating cybersecurity risk oversight, disclosure obligations, and incident response. It reflects the real-world litigation risks and pleading challenges the government faces when advancing complex disclosure and internal controls theories in the cybersecurity context. It also illustrates that judicial scrutiny at the motion-to-dismiss stage can materially shape the trajectory and resolution of such actions.  For publicly traded companies, even if this dismissal indicates that that the risk of an SEC enforcement action based on claims relating to cyber risk or incident disclosures is lower, that does not necessarily reduce the likelihood or duration of an SEC investigation.

Although difficult to resist, public companies should not infer a relaxation of expectations. The SEC’s reservation of its broader enforcement posture suggests that the Commission will continue to calibrate cases based on the particular facts, law, and litigation posture that develop in court.  Also, a future administration may have a different cyber enforcement appetite, and have jurisdiction over decisions being made today.  Companies should continue to prioritize timely, accurate, and decision-useful disclosures; maintain robust escalation protocols between security teams and disclosure committees; and ensure that public statements about cybersecurity posture and risk oversight align with internal realities and board-level oversight. These are prudent governance measures irrespective of any single case outcome.

*David Hirsch led the Crypto Assets and Cyber Unit at the SEC at the time the SEC filed its suit against SolarWinds.  This alert is based only on publicly available information and litigation developments that occurred after he left the agency.