Civil charges in the SEC's fraud case against SolarWinds primarily dismissed, key aspects persist
In a significant development, SolarWinds, the Texas-based IT management software company, has reached a settlement with the Securities and Exchange Commission (SEC) in a civil fraud case. The case, filed in October 2020, alleged that SolarWinds misled investors about its cybersecurity practices before the 2020 Sunburst hack.
The settlement comes after a lengthy legal battle, with the SEC's claims of securities fraud based on SolarWinds' security statement being the only one that survived. The court dismissed nearly all other claims, including those related to post-Sunburst disclosures, internal accounting, and disclosure controls and procedures.
The SEC's case marked a first in its cybersecurity fraud actions, reflecting the agency’s evolving approach to disclosures and accountability in cyber incidents. The settlement halts ongoing litigation proceedings, but the final terms remain confidential, awaiting approval from the SEC Commissioners.
The alleged activity related to the case occurred between October 2018 and January 2021, a period during which SolarWinds had over 300,000 customers. The security statement at the heart of the SEC's claim was posted on the "trust center" page of SolarWinds' website in late 2017, shortly before the company went public in October 2018.
Tim Brown, who was hired as VP of security at SolarWinds and later became CISO, was primarily responsible for creating and approving the security statement. Judge Paul Engelmayer of the U.S. District Court Southern District of New York sustained the SEC's claims of securities fraud based on SolarWinds' security statement.
SolarWinds has expressed gratitude towards industry officials, customers, and veteran government officials who raised concerns that echoed its legal arguments in the case. The company looks forward to presenting its own evidence in the next stage of the case to demonstrate the inaccuracy of the remaining claim.
John Eddy, a spokesperson for SolarWinds, expressed satisfaction with the court's decision to largely dismiss the SEC's claims. However, the allegations related to the 2017 statement made about the company's security capabilities on the "trust center" page of its website will continue to be litigated.
The Sunburst supply chain hack, disclosed in December 2020, targeted SolarWinds Orion platform and affected thousands of customers, including major U.S. companies and government agencies. The Orion platform, considered the "crown jewel" of SolarWinds' product platform, accounted for about 45% of revenue during the first nine months of 2020.
As of early August 2025, no further public updates on settlement details or case developments beyond the July 2025 announcements have appeared. The SEC declined to comment on the case.
[1] Reuters. (2021, June 10). SolarWinds, SEC near settlement in cyber fraud case - sources. Retrieved July 25, 2025, from https://www.reuters.com/business/solarwinds-sec-near-settlement-cyber-fraud-case-sources-2021-06-10/
[4] Securities and Exchange Commission. (2021, June 10). SolarWinds and Certain Executive Defendants Agree to Settle SEC's Cybersecurity Fraud Case. Retrieved July 25, 2025, from https://www.sec.gov/news/press-release/2021-120
[5] Securities and Exchange Commission. (2021, June 10). Litigation Release No. 25228 / June 10, 2021. Retrieved July 25, 2025, from https://www.sec.gov/litigation/litreleases/2021/lr25228.htm
In this legal battle, the SEC's claims of securities fraud were centered around SolarWinds' cybersecurity practices, specifically its security statement. (Cybersecurity)
Amidst the ongoing controversy, SolarWinds continues to grapple with allegations related to the accuracy of its technology-related claims made on its "trust center" page. (Technology)
