In Depth

The original lawsuit against SolarWinds, filed in October 2023 following the massive 2020 SUNBURST cyberattack, alleged that the company and its CISO misled investors about security practices and subsequently downplayed the incident’s scope. The case was a rare instance of the SEC directly targeting a CISO, sending chilling effects throughout the industry. The dismissal, stipulated by the SEC, SolarWinds, and the CISO without admission of wrongdoing, concluded this years-long legal battle. Although the SEC noted that the dismissal was an “exercise of its discretion” and does not necessarily reflect its position on any other case, it is nearly impossible not to interpret the decision as signaling an adjustment to the SEC’s approach to cybersecurity disclosures.

The dismissal follows a July 2024 ruling by a federal judge who dismissed most of the SolarWinds charges, including the novel application of the internal accounting controls statute to police non-financial cybersecurity controls. Current SEC Commissioners have criticized the overbroad use of the controls provision to meet every perceived disclosure failure.

Despite the dismissal, the SEC’s core cybersecurity disclosure rules on Forms 8-K and 10-K remain in effect. Companies should continue to assess the materiality of cybersecurity incidents and Form 8-K filing requirements within four business days, and they should continue to evaluate specific annual disclosures about risk management, governance, and management’s role and expertise.