In a closely watched case with broad implications for public companies and cybersecurity disclosures, SolarWinds Corporation has reached an agreement in principle with the U.S. Securities and Exchange Commission (SEC) to settle a high-profile enforcement action alleging securities fraud tied to a major cyberattack. The proposed settlement, which still requires formal approval from the SEC, prompted a federal judge in New York to pause all proceedings while the final terms are reviewed and finalized.

The deal marks a significant development in SEC v. SolarWinds Corp., et al., Case No. 1:23-cv-09518, pending in the U.S. District Court for the Southern District of New York. The parties have agreed to provide the court with a status update by September 12.

A First-of-its-kind Cybersecurity Enforcement Action

Filed in 2023, the SEC's lawsuit broke new ground on multiple fronts. It was the first enforcement action in which the agency alleged that a public company committed fraud by misrepresenting its cybersecurity practices in advance of a breach. It also marked the first time the SEC named a Chief Information Security Officer (CISO) as an individual defendant in such a case, signaling an evolving regulatory posture toward personal accountability in cybersecurity governance.

The suit stemmed from the widely publicized 2020 "Sunburst" cyberattack, in which threat actors, allegedly linked to the Russian government, compromised SolarWinds' software build process and inserted a backdoor into signed updates of its Orion platform that were then distributed to customers. The breach affected numerous high-profile clients, including the U.S. Departments of Homeland Security, Treasury, and Commerce.

According to the SEC, SolarWinds failed to adequately disclose its known cybersecurity vulnerabilities to investors prior to the attack and misrepresented the strength of its internal controls. The agency argued that a security statement on the company's website falsely conveyed that SolarWinds had implemented robust access controls and password protections, which were allegedly lacking at the time.

Litigation Developments and the Path to Settlement

The court previously dismissed several of the SEC's claims, holding that certain post-breach disclosures were not misleading because the company lacked full knowledge of the incident's scope when it made them. One key claim survived: the court allowed the SEC to proceed on the allegation that SolarWinds misled the public through its online security statement.

SolarWinds filed a motion for summary judgment earlier this year, contending that discovery demonstrated its compliance with the policies reflected in its public statements. The SEC pushed back, arguing that SolarWinds was attempting to reframe evidence through hindsight and witness reinterpretations, and that internal documents revealed significant cybersecurity lapses.

The parties were preparing for oral arguments on the summary judgment motion when they informed the court they had reached a tentative settlement.

Key Takeaways for Public Companies

While the specific terms of the settlement have not yet been disclosed, this case offers several important lessons for public companies, boards of directors, and cybersecurity leadership:

  • The SEC is signaling a willingness to bring enforcement actions when it believes a company's public statements on cybersecurity do not match internal realities.
  • The decision to name SolarWinds' CISO as a defendant could indicate a trend toward personal liability for compliance failures in cybersecurity reporting.
  • Even after a breach occurs, companies must ensure that statements to the public and regulators are accurate and based on verified facts, not assumptions or incomplete information.
  • Internal communications, technical documentation, and policy implementation records may become critical in defending or undermining disclosure practices in litigation.

What's Next?

If approved, the settlement will conclude a novel and closely followed chapter in cybersecurity enforcement. Companies should monitor the outcome and any accompanying commentary from the SEC for further insight into how the agency expects firms to disclose and manage cybersecurity risks.

WSHB will continue to track this case and similar regulatory developments. Clients with questions about cybersecurity compliance, disclosure obligations, or executive risk exposure are encouraged to contact our Securities Litigation or Cybersecurity and Data Privacy teams.
