On November 20, 2025, the U.S. Securities and Exchange Commission (SEC) and SolarWinds Corp. (SolarWinds), along with SolarWinds' Chief Information Security Officer (CISO) Timothy Brown, submitted a joint stipulation to the United States District Court for the Southern District of New York, formally agreeing to dismiss the SEC's enforcement action with prejudice as to all conduct alleged through the date of the stipulation. This marks the official conclusion of the litigation that began in October 2023, following allegations that SolarWinds and its CISO misled investors regarding cybersecurity vulnerabilities and the company's response to the 2020 "Sunburst" breach.
The stipulation follows the court's July 2024 order, which dismissed the majority of the SEC's claims but allowed a securities fraud claim based on SolarWinds' "Security Statement" to proceed. In April 2025, SolarWinds and Brown moved for summary judgment on the remaining claim, and the SEC filed its opposition in June. While the parties had reached a preliminary settlement in summer 2025, the joint stipulation now confirms that the litigation will be dismissed with prejudice, and that neither party will admit wrongdoing or recover costs or fees. The defendants also released any claims against the SEC and its personnel arising from or relating to the litigation, including investigative steps taken prior to its commencement.
This resolution comes at a time of notable change in SEC enforcement activity. On November 19, 2025, Cornerstone Research released a report finding a 30% decline in the number of SEC enforcement actions initiated against public companies and their subsidiaries over the last two fiscal years,1with 56 actions in 2025 compared to 80 actions in 2024. Importantly, 52 of the actions in 2025 occurred during the final months of the Biden administration. There were four actions initiated under the Trump administration, which represents the lowest level of enforcement action under an incoming administration since fiscal year 2012. The low level of enforcement action makes it harder to discern a meaningful pattern in the agency's approach to enforcement under the current administration.
Key Takeaways
- The SEC's action against SolarWinds was a landmark case, marking the agency's first cybersecurity enforcement action to include fraud claims and to name an executive officer as a defendant.
- The litigation was shaped by new SEC rules requiring more robust disclosure of material cybersecurity incidents and risk management practices.
- The court's July 2024 order significantly narrowed the scope of the case, ultimately leaving only one claim to proceed and signaling judicial restraint in expanding regulatory reach.
- The joint stipulation brings the matter to a close, with both sides agreeing to dismiss the case and release related claims, but without any admission of wrongdoing or recovery of costs.
- Recent data from Cornerstone Research highlights a sharp decline in the number of SEC enforcement actions against public companies, particularly under the current administration, making it difficult to identify any clear trends or priorities in the agency's approach to enforcement going forward.
Winston's Capital Markets & Securities Law Watch will continue to monitor developments in SEC cybersecurity enforcement and provide updates as warranted.
Footnote
1. The federal government's fiscal year begins on October 1 of each year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
