On November 20, 2025, the Securities and Exchange Commission (“SEC”) announced that it was voluntarily dismissing the case it brought against SolarWinds Corp. (“SolarWinds”) and its information security officer, Timothy Brown, regarding the company’s security practices and related statements in connection with the “Sunburst” cybersecurity incident. The SEC stated in a brief release that its decision to dismiss with prejudice the case against SolarWinds and Mr. Brown was “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”

The case followed the “Sunburst” cybersecurity incident, during which nation-state actors infiltrated a large number of public company and government computer systems by compromising SolarWinds’ Orion software platform.  The joint stipulation to dismiss comes months after the parties informed the court that they had reached an agreement to settle the matter. In their July 2, 2025 letter, the parties requested that the upcoming litigation schedule be indefinitely postponed while the parties finalized the settlement paperwork, including review and approval by the SEC’s Commissioners. [Case 1:23-cv-09518-PAE, Dkt. 193]. The court granted three extensions of time to file the settlement paperwork in September and October. [Dkt. 196, 198, 200].

The Joint Stipulation to Dismiss, signed by the SEC Director of the Division of Enforcement, Margaret A. Ryan, states that the “Commission believes dismissal of the case is appropriate” in the “exercise of its discretion,” and in light of the order granting in part and denying in part the Defendants’ motion to dismiss.

On July 18, 2024, U.S. District Court Judge for the Southern District of New York, Paul Engelmayer, had narrowed the case to its securities fraud claims, which were based on the company’s statements about cybersecurity posted on its website prior to the incident. The court rejected the SEC’s claim that gaps in SolarWinds’ cybersecurity controls amounted to violations of internal accounting controls provisions of the Securities Exchange Act of 1934, as well as the SEC’s claim that SolarWinds had inadequate disclosure controls and procedures. We covered the decision in our Client Alert: Court Narrows SolarWinds Case to Company’s Pre-Cyberincident Voluntary Disclosures.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Emily Pehrsson Emily Pehrsson

Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings.

Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings. Emily also counsels clients on topics such as cyber incident response, compliance with state and federal privacy and cybersecurity regulations, and government investigations. She routinely advises on complex national security and financial privacy regulatory frameworks.

In addition to her regular practice, Emily maintains a pro bono practice counseling small and nonprofit clients on privacy and cybersecurity, supporting domestic violence survivors, and handling criminal matters.

Read more about Emily PehrssonEmail
Show more Show less
Photo of Jess Gonzalez Valenzuela Jess Gonzalez Valenzuela

Jess Gonzalez Valenzuela (they/them and she/her) is an associate in the firm’s San Francisco office, specializing in the Data Privacy and Cybersecurity Practice Group. Jess assists clients with cybersecurity issues such as incident response, risk management, internal investigations, and regulatory compliance. Additionally, Jess…

Jess Gonzalez Valenzuela (they/them and she/her) is an associate in the firm’s San Francisco office, specializing in the Data Privacy and Cybersecurity Practice Group. Jess assists clients with cybersecurity issues such as incident response, risk management, internal investigations, and regulatory compliance. Additionally, Jess supports clients navigating complex data privacy challenges by offering regulatory compliance guidance tailored to specific business practices. Jess is also a member of the E-Discovery, AI, and Information Governance Practice Group and maintains an active pro bono practice.

Jess is committed to Diversity, Equity, and Inclusion (DEI) initiatives within the legal field. They are a member of Covington’s LGBTQ+ and Latino Firm Resource Groups, and serve as is co-lead for the First Generation Professionals Network and Disability and Neurodiversity Network in the San Francisco office.

Read more about Jess Gonzalez ValenzuelaEmail
Show more Show less