On November 20, 2025, the Securities and Exchange Commission voluntarily dismissed its remaining claims against SolarWinds Corporation and its Chief Information Security Officer Timothy G. Brown — with prejudice — ending a two-year enforcement saga that had produced the first-ever SEC action targeting an individual CISO for cybersecurity disclosure failures.

The dismissal came after a U.S. District Judge had already dismissed most of the SEC’s claims in July 2024, finding that the Commission had not adequately pled securities fraud for the bulk of its allegations. The SEC, rather than appeal, chose to walk away from the remaining claims.

For public company compliance teams and security executives who have been watching the SolarWinds case as the bellwether for SEC cybersecurity enforcement, the dismissal carries a message — but it is not the message that many are drawing from it. The SEC’s cybersecurity disclosure rules remain in force. The enforcement agency remains active. What changed is the theory of liability the SEC will pursue, and the threshold of conduct it will treat as enforcement-worthy.

Understanding that shift is the most important thing compliance teams can do with the SolarWinds dismissal.


What the SolarWinds Case Was

In October 2023, the SEC filed a complaint against SolarWinds Corporation and Timothy Brown, its CISO, alleging that SolarWinds had misled investors about its cybersecurity practices in the period leading up to the SUNBURST attack — one of the largest and most damaging supply chain cyberattacks in history, in which Russian intelligence services compromised SolarWinds’ software build process and used the resulting backdoor to penetrate hundreds of U.S. government agencies and private sector organizations.

The SEC’s core allegations:

Misleading public disclosures. SolarWinds’ public-facing statements about its security practices — including its security statement, SEC filings, and marketing materials — described robust security controls that the SEC alleged did not actually exist. The company’s actual security posture was materially weaker than represented.

Individual CISO liability. The SEC named Timothy Brown personally, alleging that as CISO he was aware of the company’s security deficiencies and nevertheless allowed misleading public statements to go unchallenged. This was the first time the SEC had named an individual CISO in a securities enforcement action related to cybersecurity disclosures.

Accounting controls fraud. The SEC also alleged that SolarWinds had failed to maintain internal controls over financial reporting in ways that related to its cybersecurity deficiencies — an unusual use of the accounting controls provisions of the securities laws in a cybersecurity context.

What the Court Held

In July 2024, the District Court dismissed most of the SEC’s claims. The court found that many of the alleged misstatements were either not materially misleading or were statements of opinion and aspiration rather than actionable representations of fact. The accounting controls claims were also significantly reduced.

The court did allow some claims to proceed — specifically those tied to specific, factual representations about security controls that the SEC had adequately pled were false.

The SEC’s decision to dismiss the remaining claims rather than litigate forward reflected a judgment, under the new leadership of Chair Paul Atkins (confirmed April 2025), that the remaining viable theories were not worth pursuing.


The Disclosure Rules: What Remains in Force

The SolarWinds dismissal did not affect the cybersecurity disclosure rules that produced the case. Those rules remain operative.

Form 8-K Item 1.05: Material Incident Disclosure

Public companies must disclose material cybersecurity incidents within four business days of determining that an incident is material. The disclosure must describe:

  • The nature, scope, and timing of the incident
  • The material impact or reasonably likely material impact on the company

Materiality is determined under the same standard that applies to financial disclosures — whether a reasonable investor would consider the information significant in making an investment decision. Companies retain judgment in making materiality determinations, but the SEC has made clear that deliberate delay of the materiality determination to avoid or delay disclosure triggers additional violations.

Law enforcement delay accommodation: the rules permit companies to delay an 8-K disclosure by up to 30 days if the Department of Justice notifies the SEC that disclosure would pose a substantial risk to national security or public safety.

Form 10-K Annual Disclosures

Public companies must include annual disclosures covering:

  • Material cybersecurity risks — the nature and extent of the company’s exposure to cybersecurity risks that could materially affect the company
  • Risk management and strategy — how the company assesses, identifies, and manages material cybersecurity risks
  • Governance — board oversight of cybersecurity risk and management’s role in assessing and managing material risks

The 10-K disclosures are designed to give investors a baseline understanding of the company’s cybersecurity posture — not a detailed technical assessment, but a genuine characterization of the company’s approach to cyber risk.

What Counts as “Material”

The materiality question is where most public company compliance complexity lives. The SEC has not provided a bright-line definition of material cybersecurity incident, and companies retain judgment in making that determination.

What the SEC has signaled through enforcement activity and guidance: materiality is not a technical question about the severity of the attack. It is a business question about the impact on the company’s operations, financial condition, customer relationships, and competitive position. A ransomware attack that takes a critical production system offline for 48 hours is likely material. A data breach affecting a small, non-sensitive subset of customer data may not be. A sophisticated intrusion that is discovered and contained before any data exfiltration may or may not be material depending on the sensitivity of what was accessed.

Companies that have not developed a documented materiality assessment framework — with clear criteria and a decision process — are in a weaker position both to make accurate timeliness calls and to defend those calls in an enforcement or litigation context.


What Changed: The SEC’s Enforcement Posture Under Chair Atkins

Paul Atkins was confirmed as SEC Chair in April 2025, replacing Gary Gensler. Atkins has historically favored a more targeted, fraud-focused approach to securities enforcement, and the shift in SEC cybersecurity enforcement posture under his leadership reflects that orientation.

The SEC has signaled, through public statements and through the SolarWinds dismissal, that its cybersecurity enforcement focus in 2026 is on fraudulent disclosure — affirmative misrepresentation and deliberate concealment — rather than on disclosure judgment calls and nuanced characterization disputes.

What this means in practice:

A company that makes a good-faith materiality determination and discloses what it believes to be accurate information is less exposed than under the prior enforcement posture. The SEC under Gensler was willing to second-guess the substance of security program characterizations — arguing that statements like “we have robust security controls” were misleading when the actual controls were weak. That theory did not survive well in court, and the SEC is signaling it will not pursue it as aggressively.

A company that knowingly makes false statements about its security posture, or deliberately delays the materiality determination to avoid disclosure, faces significant exposure. The SEC dismissed the nuanced SolarWinds claims but did not abandon the cybersecurity disclosure rules. A company that knows it has been materially breached and delays disclosure, or that affirmatively misrepresents its security controls in public filings, is still within the scope of active SEC enforcement.

CISO personal liability has not gone to zero, but the exposure has narrowed. The SolarWinds dismissal does not mean the SEC will never pursue individual CISOs again. It means the SEC will not pursue individual CISOs for disclosure characterizations they did not personally approve or that were not clearly, knowingly false. CISOs who sign off on SEC filings containing affirmative misrepresentations about security programs they know to be deficient remain in a different risk category.


The Cyber and Emerging Technologies Unit

In February 2025, the SEC established a new enforcement unit: the Cyber and Emerging Technologies Unit (CETU), which absorbed and replaced the prior Crypto Assets and Cyber Unit.

CETU’s mandate includes:

  • Cybersecurity disclosure enforcement
  • Fraud involving emerging technologies, including AI
  • Market manipulation and fraud in digital asset markets

CETU’s formation in early 2025 signals that cybersecurity enforcement remains an active SEC priority even as the specific theory of liability has narrowed under Chair Atkins. The unit’s existence means the SEC has dedicated resources and investigative capacity specifically focused on cybersecurity and emerging technology issues.

Between December 2023 and early 2025, 54 public companies filed 80 Form 8-K disclosures under Item 1.05 relating to cybersecurity incidents. The SEC has settled multiple enforcement actions involving cybersecurity disclosure issues for a combined total exceeding $8 million in penalties. CETU will continue producing enforcement activity in this area.


What the Banking Industry Petition Signals

In May 2025, banking associations petitioned the SEC to rescind the Item 1.05 disclosure rule. The petition argued that the 4-business-day deadline creates operational problems for companies still in the process of assessing and containing an incident, that it produces disclosures before companies have adequate information to characterize the incident accurately, and that coordination with law enforcement requires flexibility that the rule does not adequately provide.

The petition has not produced a rule change. The 4-business-day requirement remains in force. But the petition signals that there is organized opposition to the current rule structure and that the question of whether — and in what form — these rules will survive the Atkins SEC is genuinely open.

For compliance planning purposes: the disclosure rules are current law and must be treated as such. But the regulatory environment around these rules is evolving, and compliance teams should monitor SEC rulemaking activity through 2026.


Practical Compliance Guidance for Public Companies

The post-SolarWinds environment requires public companies to recalibrate their cybersecurity disclosure compliance programs around the actual enforcement posture, not around anxiety produced by the original 2023 complaint.

Document your materiality determination process. Develop a written framework for how your company determines whether a cybersecurity incident is material. The framework should identify criteria, decision-makers, escalation pathways, and documentation requirements. When an incident occurs, run it through the framework and document the outcome. If you determine the incident is not material, document why. This documentation is your defense if the SEC later questions your disclosure timing.

Treat the 4-business-day clock as hard. The materiality determination may take time, but once you determine materiality, the 4-business-day clock starts. Build incident response workflows that explicitly track the materiality determination date and trigger the 8-K preparation process immediately upon that determination.

Audit your annual 10-K disclosures for accuracy. The SEC’s enforcement theory under Atkins focuses on fraudulent misrepresentation. Review your 10-K cybersecurity disclosures against your actual security program. If your disclosures describe a risk management approach, governance structure, or set of controls that do not actually exist as described, that gap is enforcement exposure.

CISO sign-off requires documented due diligence. CISOs who are asked to review or contribute to SEC cybersecurity disclosures should document their review process. If a disclosure does not accurately represent the company’s security posture, the CISO’s awareness of that inaccuracy creates personal exposure. Establish an internal process for CISO review that creates a record of what was verified and when.

Engage CETU on law enforcement coordination. If you experience a significant incident where law enforcement is involved, understand the mechanism for requesting a delay in 8-K disclosure. The law enforcement accommodation is available but not automatic — it requires DOJ notification to the SEC and applies for a limited period.


The SolarWinds dismissal is not a green light. It is a recalibration signal — one that narrows the enforcement theory without eliminating the enforcement obligation. Public companies that maintain accurate disclosures, document their materiality determination processes, and build incident response workflows around the 4-business-day requirement are substantively less exposed than they were under the Gensler-era enforcement posture.

The infrastructure for cybersecurity disclosure compliance that the original rules required remains necessary. What the SolarWinds dismissal removes is the uncertainty that even well-intentioned disclosures based on good-faith judgments could produce individual CISO prosecution.


Sources: SEC Press Release (SolarWinds Dismissal, November 20, 2025); Perkins Coie (SEC Dismisses Cyber Disclosure Case Against SolarWinds and CISO); Harvard Corporate Governance (SolarWinds Dismissed: What the SEC’s U-turn Signals for Cyber Enforcement); A&O Shearman (Solarwinds Dismissed); EY (SEC top five priorities in 2026); BlueRadius Cyber (SEC Cybersecurity Disclosure Rules: Mid-Market Impact Guide 2026); Morgan Lewis (Securities Enforcement Roundup November 2025); Akin Gump (Cybersecurity After SolarWinds). This article is provided for informational purposes only and does not constitute legal advice.