Client Login
SolarWinds SEC Data Breach Lawsuit

Case Closed: SEC Stops SolarWinds Data Breach Lawsuit

24 November 2025

By Jack Grogan-Fenn

The US Securities and Exchange Commission (SEC) has announced that it is ceasing its high-profile lawsuit against software company SolarWinds five years after an infamous data breach.

SolarWinds fell victim to a significant data breach in 2020, which permitted hackers to gain access to sensitive information from thousands of organisations, including several US government departments. The lawsuit had alleged that the Texas-based tech firm had deliberately concealed internal issues ahead of the cyberattack and made the company particularly vulnerable to the strike.

Key Client Takeaways:

SEC Drops SolarWinds Lawsuit

  • The US SEC has officially ended its lawsuit against SolarWinds Corporation and its Chief Information Security Officer, Timothy Brown, following a long-running saga related to a controversial 2020 data breach.

Industry and Legal Implications

  • The SEC’s case against SolarWinds courted criticism for potentially expanding the commission’s regulatory reach into cybersecurity. A federal judge had already dismissed significant portions of the lawsuit in 2024, damaging the SEC’s case.

Minerva Analytics’ Cybersecurity Efforts

  • In the light of rising cybersecurity risks, Minerva Analytics has introduced enhanced research and voting guidelines to assess corporate disclosures against global standards like the OECD AI Principles and G7 Hiroshima AI Process to address investor expectations for robust governance and transparency related to cybersecurity.

The US SEC jointly filed a joint stipulation with defendants SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy Brown, to dismiss, with prejudice, the Commission’s ongoing civil enforcement action. The SEC and SolarWinds had announced in July they had reached an agreement to settle the allegations. It was reported that a SolarWinds spokesperson had said the company was “clearly delighted” with the SEC’s dismissal decision. The agreement was reached just a month after SEC had urged a New York federal judge case against SolarWinds to trial, arguing that the company had hidden its “pervasively poor cybersecurity practices” from investors ahead of the data breach.

SolarWinds and Brown were charged by the SEC in 2023 for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The complaint alleged that, from at least its October 2018 initial public offering through at least its December 2020 announcement, that SolarWinds was the target of a massive, nearly two-year long cyberattack, dubbed ‘Sunburst’ and that SolarWinds and Brown had defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks. SolarWinds disclosed the hack in December 2020, but according to investigations into the attack Russian state-sponsored hackers had breached the company’s networks as early as January 2019.

The SEC had faced criticism from Wall Street and other quarters that its allegations against SolarWinds went beyond of the agency’s typical enforcement remit. SolarWinds also branded the commission’s lawsuit as being “fundamentally flawed – legally and factually”, accusing it of “twisting the facts in an attempt to expand its regulatory footprint in the cybersecurity space”. In July 2024, a federal judge dismissed much of the SEC’s lawsuit against SolarWinds in a major blow to the case, including some claims against Brown. The judge also dismissed allegations that the firm violated decades-old accounting rules in connection with the hack.

“With the US Securities and Exchange Commission dropping its case against both SolarWinds and our CISO, Tim Brown, we close an era that challenged our company, our team, and our principles,” said Sudhakar Ramakrishna, President and CEO at SolarWinds, in a statement. “We emerge stronger, more secure, and better prepared than ever for what lies ahead. […] We said from the beginning — and demonstrated during the litigation — the claims were unfounded, and we are happy the SEC has finally decided to abandon them.”

Last year, the SEC charged and imposed penalties totalling U$7 million on four companies for making misleading disclosures linked to the 2019 SolarWinds data breach, as reported by Minerva Analytics. The companies were all victims of a cybersecurity breach of SolarWinds’ software, which the SEC said was one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector. According to the commission, each company committed different violations that negligently downplayed and minimised the impact of the breaches.

Cybersecurity concerns are growing globally amid the rising prevalence of and reliance on technologies, including AI, which can increase data breach and other risks. Last month, the UK’s Labour Government sent a letter to FTSE 350 companies warning about “hostile” cyber activity which is becoming “more intense, frequent and sophisticated” and called on them to act to help address this risk, as

Responding to this rising risk, Minerva Analytics rolled out additional research and voting guidelines to evaluate corporate disclosures against globally recognised cyber governance standards such as the OECD AI Principles and the G7 Hiroshima AI Process at the start of peak season 2025. These new guidelines supplemented Minerva’s existing cyber governance questions first adopted in 2016, offering investors a robust lens through which to assess board readiness with a clear focus on governance and disclosure quality, particularly in key regulatory disclosures such as annual reports and cyber security risk disclosures.

Last week, the SEC announced the controversial decision to not respond to company ‘no action’ requests to exclude shareholder proposals during the 2026 proxy season, as reported by Minerva Analytics. This move risks handing unprecedented discretion to corporate management and threatens to sideline investor voices on key environmental and social issues. Minerva Analytics will release a more detailed briefing later this week exclusively for clients on the implications of the SEC’s decision and how it could trigger a further evolution in the landscape of shareholder rights. Contact us by email at hello@minerva.info for more information on this client briefing and other benefits being a Minerva client offers.

Minerva’s blog focuses on the latest developments in ESG investing and stewardship.

Minerva is a global provider of sustainable stewardship solutions with over 25 years of expertise. Minerva empowers investors by providing essential tools, including ESG research and data, enabling them to navigate the intricate landscape of stewardship and proxy voting, whilst ensuring their decisions are well-informed and aligned with sustainable principles.

You can read more of our articles by clicking here.

Last Updated: 24 November 2025

Copyright © 2025 Minerva Analytics - All Rights Reserved

Data Protection Policy | Cookie Policy | Privacy Policy | Website Terms Of Use