On November 20, 2025, the Securities and Exchange Commission (“SEC”) announced that it was voluntarily dismissing the case it brought against SolarWinds Corp. (“SolarWinds”) and its information security officer, Timothy Brown, regarding the company’s security practices and related statements in connection with the “Sunburst” cybersecurity incident. The SEC stated in a brief release that its decision to dismiss with prejudice the case against SolarWinds and Mr. Brown was “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”

The case followed the “Sunburst” cybersecurity incident, during which nation-state actors infiltrated a large number of public company and government computer systems by compromising SolarWinds’ Orion software platform.  The joint stipulation to dismiss comes months after the parties informed the court that they had reached an agreement to settle the matter. In their July 2, 2025 letter, the parties requested that the upcoming litigation schedule be indefinitely postponed while the parties finalized the settlement paperwork, including review and approval by the SEC’s Commissioners. [Case 1:23-cv-09518-PAE, Dkt. 193]. The court granted three extensions of time to file the settlement paperwork in September and October. [Dkt. 196, 198, 200].

The Joint Stipulation to Dismiss, signed by the SEC Director of the Division of Enforcement, Margaret A. Ryan, states that the “Commission believes dismissal of the case is appropriate” in the “exercise of its discretion,” and in light of the order granting in part and denying in part the Defendants’ motion to dismiss.

On July 18, 2024, U.S. District Court Judge for the Southern District of New York, Paul Engelmayer, had narrowed the case to its securities fraud claims, which were based on the company’s statements about cybersecurity posted on its website prior to the incident. The court rejected the SEC’s claim that gaps in SolarWinds’ cybersecurity controls amounted to violations of internal accounting controls provisions of the Securities Exchange Act of 1934, as well as the SEC’s claim that SolarWinds had inadequate disclosure controls and procedures. We covered the decision in our Client Alert: Court Narrows SolarWinds Case to Company’s Pre-Cyberincident Voluntary Disclosures.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Emily Pehrsson Emily Pehrsson

Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings.

Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings. Emily also counsels clients on topics such as cyber incident response, compliance with state and federal privacy and cybersecurity regulations, and government investigations. She routinely advises on complex national security and financial privacy regulatory frameworks.

In addition to her regular practice, Emily maintains a pro bono practice counseling small and nonprofit clients on privacy and cybersecurity, supporting domestic violence survivors, and handling criminal matters.

Read more about Emily PehrssonEmail
Show more Show less
Photo of Jess Gonzalez Valenzuela Jess Gonzalez Valenzuela

Jess Gonzalez Valenzuela (they/them and she/her) is an associate in the firm’s San Francisco office, specializing in the Data Privacy and Cybersecurity Practice Group. Jess assists clients with cybersecurity issues such as incident response, risk management, internal investigations, and regulatory compliance. Additionally, Jess…

Jess Gonzalez Valenzuela (they/them and she/her) is an associate in the firm’s San Francisco office, specializing in the Data Privacy and Cybersecurity Practice Group. Jess assists clients with cybersecurity issues such as incident response, risk management, internal investigations, and regulatory compliance. Additionally, Jess supports clients navigating complex data privacy challenges by offering regulatory compliance guidance tailored to specific business practices. Jess is also a member of the E-Discovery, AI, and Information Governance Practice Group and maintains an active pro bono practice.

Jess is committed to Diversity, Equity, and Inclusion (DEI) initiatives within the legal field. They are a member of Covington’s LGBTQ+ and Latino Firm Resource Groups, and serve as is co-lead for the First Generation Professionals Network and Disability and Neurodiversity Network in the San Francisco office.

Read more about Jess Gonzalez ValenzuelaEmail
Show more Show less