The U.S. Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer, alleging that the company had misled investors about the security practices that led to the 2020 supply chain attack.
In a joint motion filed November 20, 2025, the SEC, along with SolarWinds and its CISO Timothy G. Brown, asked the court to voluntarily dismiss the case.
The SEC said its decision to seek dismissal “does not necessarily reflect the Commission’s position on any other case.”
SolarWinds and Brown were accused by the SEC in October 2023 of “fraud and internal control failures” and that the company defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks.
The agency also said both SolarWinds and Brown ignored “repeated red flags” and failed to adequately protect its assets, ultimately leading to the supply chain compromise that came to light in late 2020. The attack was attributed to a Russian state-sponsored threat actor known as APT29.
“Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company,” the SEC alleged at the time.
However, in July 2024, many of these allegations were thrown out by the U.S. District Court for the Southern District of New York (SDNY), stating “these do not plausibly plead actionable deficiencies in the company’s reporting of the cybersecurity hack” and that they “impermissibly rely on hindsight and speculation.”
Subsequently, the SEC also charged Avaya, Check Point, Mimecast, and Unisys for making “materially misleading disclosures” related to the large-scale cyber attack that stemmed from the SolarWinds hack.
In a statement, SolarWinds CEO Sudhakar Ramakrishna said the latest development marks the end of an era that challenged the company, and emphasized “we emerge stronger, more secure, and better prepared than ever for what lies ahead.”
