[co-author: Hans Griesbach]
Holland & Knight continues its SECond Opinions Blog Summer Series featuring posts written and researched by the associates from our Securities Enforcement Defense Team. This update comes from Dallas Summer Associate Hans Griesbach, who is joining us from SMU Dedman School of Law as a rising 3L.
In a significant turn of events on July 2, 2025, the SEC, SolarWinds Corp. and its Chief Information Security Officer (CISO), Timothy Brown, announced through a joint letter to the U.S. District Court for the Southern District of New York that they have reached a settlement in principle to resolve all of the remaining claims in the SEC's pending case, signaling the likely conclusion of a high-profile legal battle that has been raging since 2023.
Per the parties' request, Judge Paul A. Engelmayer agreed to stay the case while the SEC seeks approval of the proposed settlement from the SEC Commissioners. The agreement pauses all pending deadlines in the case and sets a Sept. 12, 2025, deadline for the parties to finalize and submit the settlement paperwork.
Background
The case stems from the 2020 cyberattack on SolarWinds' Orion platform, which was infiltrated by Russian state-linked hackers and led to a consequential supply chain breach. The attack compromised thousands of organizations, including major U.S. government agencies and private companies, and prompted a sweeping reassessment of software supply chain security.
The SEC's lawsuit, filed in October 2023, accused SolarWinds and its CISO of misleading investors by overstating the company's cybersecurity posture and failing to disclose known vulnerabilities. The SEC alleged that from the time of SolarWinds' IPO in 2018 through the public disclosure of the breach in December 2020, the company concealed critical information about its security risks and incidents.
In July 2024, Judge Engelmayer dismissed many of the SEC's claims, citing the Commission's reliance on "hindsight and speculation." Though some allegations – particularly those concerning misrepresentations about access controls – were allowed to proceed, the ruling significantly narrowed the scope of the case.
Settlement
Though the terms of the settlement remain confidential and the SEC has declined to comment, SolarWinds stated it is eager to move forward without the distraction of ongoing litigation. The decision to settle highlights the SEC's evolving enforcement posture under Chair Paul Atkins, who was sworn in on April 21, 2025. It is no secret that the SEC under Chair Atkins is more crypto-friendly, and the settlement appears to signal that this SEC may be more restrained in bringing enforcement actions over cybersecurity breaches as well.
Final settlement terms may provide some clues as to whether the SEC is retreating from its more aggressive stance on cybersecurity disclosures. Notably, the agency has not rescinded its 2023 rule requiring public companies to disclose material cybersecurity incidents in periodic filings. Time will tell if the settlement was simply the result of the parties' shared desire to end the litigation or if the SEC's new priorities under Chair Atkins played a role in helping the parties reach a compromise.
The SECond Opinions Blog will continue to monitor this case and provide updates. If you need additional information on this topic – or any topic related to securities enforcement or investigations – please contact the authors or other members of Holland & Knight's Securities Enforcement Defense Team.
For extensive analysis of the SolarWinds case, check out the blog's prior coverage:
- A Word from the Ghost of Holiday Future: SEC Active in Cybersecurity and AI Actions, Dec. 18, 2024
- Undeterred by the SolarWinds Storm: SEC Charges Victims of Compromised Software, Oct. 31, 2024
- Court in SolarWinds Case Blows Down SEC's Cyber Enforcement Authority, July 24, 2024
- SEC Cyber Enforcement Update: Which Way Are the SolarWinds Blowing?, July 8, 2024
- Winds of Change: SEC's SolarWinds Lawsuit Signals Hotter Cybersecurity Enforcement, Nov. 6, 2023