The U.S. Securities and Exchange Commission (SEC) has abandoned a lawsuit against SolarWinds and its chief information security officer, alleging the company misled investors about security practices that led to a 2020 supply chain attack.
In a joint complaint filed on November 20, 2025, the SEC, along with SolarWinds and its CISO Timothy G. Brown, asked the court to voluntarily dismiss the case.
The SEC said its decision to dismiss “does not necessarily reflect the Commission’s position with respect to other cases.”
SolarWinds and Brown were charged by the SEC in October 2023 with “fraud and failing internal controls” alleging that the companies overstated their cybersecurity practices and misled investors by underestimating or failing to disclose known risks.
The agency also said that both SolarWinds and Braun ignored “repeated red flags” and failed to adequately protect their assets, ultimately leading to the supply chain breaches that were discovered in late 2020. The attack is believed to be the work of a Russian state-sponsored threat actor known as APT29.
“Mr. Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities, but failed to resolve the issues and, at times, did not sufficiently raise the issues internally,” the SEC alleged at the time.
However, in July 2024, many of these claims were dismissed by the US District Court for the Southern District of New York (SDNY), which stated that “these claims do not plausibly allege practical flaws in the company’s reporting on cybersecurity hacks” and that “reliance on hindsight and speculation cannot be tolerated.”
The SEC also accused Avaya, Check Point, Mimecast, and Unisys of making “materially misleading disclosures” related to the massive cyberattack that stemmed from the SolarWinds hack.
SolarWinds CEO Sudhakar Ramakrishna said in a statement that the development marks the end of a challenging era for the company, stressing that “we are stronger, safer and better prepared than ever for what lies ahead.”
Source link
