On November 20, 2025, the U.S. Securities and Exchange Commission (SEC) filed a joint stipulation with SolarWinds Corp. and its chief information security officer (CISO), Timothy Brown, to dismiss with prejudice the commission’s remaining claims in its high-profile cybersecurity enforcement action. This dismissal follows the court’s July 2024 ruling, which threw out most of the SEC’s allegations but allowed a narrow slice of securities fraud claims related to certain cybersecurity disclosures to proceed against Brown.

As the SEC’s litigation release makes clear, the SEC sought dismissal "in the exercise of its discretion" and emphasized that the decision "does not necessarily reflect the Commission’s position on any other case." In other words, this outcome should not be read by companies as a full retreat from the agency’s recent focus on cybersecurity disclosures, internal controls, or executive-level accountability.

Companies should continue exercising caution on cybersecurity disclosure requirements and ensure that internal risk assessments and external statements are aligned. It is still critical for CISOs and other leaders to remain vigilant regarding communications, disclosures, and cybersecurity reviews.

How the SEC’s Voluntary Dismissal Alters the Post-Motion Landscape

The SolarWinds case marked a landmark moment: It was the SEC’s first cybersecurity enforcement action against a corporate executive, and its first use of intentional fraud charges in a cybersecurity disclosure case.

After the dismissal, SolarWinds released a statement expressing hope that it would ease a "chilling effect" on companies and their CISOs, according to news reports. SolarWinds and others argued that the SEC’s case against Brown would discourage fulsome cybersecurity reporting and documentation by information security leaders nationally.

In the stipulation, the SEC states that "in the exercise of its discretion," dismissal of the SolarWinds litigation was "appropriate" following the court’s July decision, without providing further clarifying details. The dismissal covers all conduct alleged in the amended complaint through the date of the filing.

Notably, the SEC did not explain why it chose to dismiss the case beyond citing its discretion. The absence of detail leaves open questions about whether the decision reflects evidentiary concerns, resource allocation, or other internal factors. This lack of transparency underscores the need for companies to avoid assuming any broader policy shift or a lack of willingness to pursue officers and directors for security failures.

Implications and Takeaways for Companies

The SEC’s decision does not signal a retreat from its aggressive stance on cybersecurity disclosures and executive accountability. Companies should consider the following going forward:

1. The SEC remains focused on cybersecurity disclosures and executive accountability.

The commission’s express disclaimer suggests it intends to continue bringing cases against companies and individuals where it sees gaps between internal cybersecurity awareness and external statements to investors. Companies should continue to prioritize risk assessments and security reviews. The SEC’s final rule from 2023 includes a number of requirements for companies around cybersecurity incident disclosures.

2. Public-facing security statements remain high-risk and highly scrutinized.

As emphasized in our prior alert, statements made in security policies, websites, and public filings continue to be treated as materially significant by both courts and regulators.

3. Internal communications must align with external disclosures.

The surviving claims in SolarWinds were tied directly to internal emails and assessments. Even though those claims will not be litigated, it remains an important reminder to be thoughtful and accurate in both formal and informal written communications.

4. Expect continued uncertainty in enforcement strategy.

The SEC’s decision to dismiss without explanation highlights that enforcement priorities may shift case by case. Companies should not interpret this outcome as reducing the risk of future actions, especially where internal and external cybersecurity narratives diverge.

For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.