Covington and Burling writes:
On November 20, 2025, the Securities and Exchange Commission (“SEC”) announced that it was voluntarily dismissing the case it brought against SolarWinds Corp. (“SolarWinds”) and its information security officer, Timothy Brown, regarding the company’s security practices and related statements in connection with the “Sunburst” cybersecurity incident. The SEC stated in a brief release that its decision to dismiss with prejudice the case against SolarWinds and Mr. Brown was “in the exercise of its discretion” and “does not necessarily reflect the Commission’s position on any other case.”
The case followed the “Sunburst” cybersecurity incident, during which nation-state actors infiltrated a large number of public company and government computer systems by compromising SolarWinds’ Orion software platform. The joint stipulation to dismiss comes months after the parties informed the court that they had reached an agreement to settle the matter. In their July 2, 2025 letter, the parties requested that the upcoming litigation schedule be indefinitely postponed while the parties finalized the settlement paperwork, including review and approval by the SEC’s Commissioners. [Case 1:23-cv-09518-PAE, Dkt. 193]. The court granted three extensions of time to file the settlement paperwork in September and October. [Dkt. 196, 198, 200].
The Joint Stipulation to Dismiss, signed by the SEC Director of the Division of Enforcement, Margaret A. Ryan, states that the “Commission believes dismissal of the case is appropriate” in the “exercise of its discretion,” and in light of the order granting in part and denying in part the Defendants’ motion to dismiss.
Read more at Inside Privacy.
