The Securities and Exchange Commission’s (SEC) case against SolarWinds and its chief information security officer (CISO), Timothy Brown, ended abruptly on November 20, 2025, when the SEC agreed to dismiss its remaining claims against SolarWinds with prejudice.

The outcome caps a long-running and closely watched legal dispute that began with sweeping fraud and controls allegations tied to SolarWinds’ statements about its cybersecurity practices and its disclosures following the breach of its flagship Orion software platform in 2020.

The dismissal comes amid a broader recalibration of enforcement priorities in the new administration, including the SEC’s announcement earlier this year that it will focus on public issuer “fraudulent disclosure” relating to cybersecurity—signaling a pivot away from actions based on more nuanced allegations of disclosure deficiencies. The SEC’s decision to abandon the SolarWinds case altogether is the most pointed example yet of that shift.

The SEC’s dismissal may bring a sigh of relief to many companies and CISOs who were concerned about the chilling effect the case could have on the work of security teams to proactively identify vulnerabilities and gaps in cyber programs.

However, public companies must still proceed carefully when making public statements about their security programs. In the wake of a cyber incident, any number of federal, state, or international regulators, as well as courts and litigants, may scrutinize and seize upon a company’s cybersecurity disclosures as evidence of negligence or worse. This includes the SEC, which, in late 2023, issued new requirements for companies to disclose material cyber risks and incidents to investors. Accordingly, effective governance around drafting and vetting cybersecurity statements and disclosures remains critical.