SEC v. SolarWinds Corp. (2023) — Cyber disclosure and internal controls (dismissed 2025)¶
Table of contents¶
- Executive Summary
- Regulatory and Legal Outcomes
- Security Technical Summary
- Understanding Regulatory and Court Orders
- Case Pack Documents
- Facts and Timeline
- References
Executive Summary¶
The SEC charged SolarWinds and its chief information security officer with fraud and internal control failures relating to cybersecurity disclosures and known risks during and after the SUNBURST supply chain incident. The district court ruled on motions to dismiss in 2024. In November 2025, the SEC and defendants dismissed the civil action with prejudice under a joint stipulation (LR-26423).
Regulatory and Legal Outcomes¶
SEC enforcement (filed 2023)¶
SEC v. SolarWinds Corp. — complaint and amended pleadings in S.D.N.Y. (see complaint PDF).
Litigation milestones¶
- Jul. 18, 2024 — Opinion on motion to dismiss, 741 F. Supp. 3d 37.
- Nov. 20, 2025 — Joint stipulation of dismissal with prejudice; LR-26423.
Security Technical Summary¶
Summary¶
SUNBURST involved trojanized software updates to Orion, enabling actor access to downstream customer environments. The SEC’s narrative (alleged) ties internal security assessments and marketing to investor disclosures.
Engineering takeaways¶
- Secure build and signing pipelines; SBOM and supplier assurance.
- Align internal risk ratings with external statements under disclosure controls.
Understanding Regulatory and Court Orders¶
Understanding regulatory and court orders
| Document | Source | Key content |
|---|---|---|
| SEC complaint | SEC | Alleged fraud and controls failures |
| LR-26423 | SEC | Dismissal with prejudice (2025) |
Case Pack Documents¶
| Case Document | Summary | Writing Scenario |
|---|---|---|
| Executive and board | ||
| Board Pack | High-level security status and top risks for the board. | CISO delivers a board security brief to the Board Audit Committee. |
| Executive Security Risk Summary | Consolidated security risks and mitigation for executives. | Security Director prepares executive risk summary for CEO and leadership. |
| Security Program Status Report | Program health, metrics, and progress for leadership. | Lead Security Engineer submits status report to Security Director and CISO. |
| Strategic Security Initiative Justification | Business case for a major security initiative. | CISO presents business case for program investment and remediation. |
| Regulatory and compliance | ||
| Regulatory Security Explanation | Explain security posture and controls to a regulator. | Security lead submits explanation of program and compliance posture. |
| Compliance Justification Document | Justify how controls meet a requirement or framework. | Lead Security Engineer maps controls to legal or regulatory requirements. |
| Controls -> Evidence Map | How controls are implemented and evidenced. | Security or control owner maps controls to evidence for regulator or auditor. |
| Governance Response Memo | Respond to an audit or regulatory request on governance. | CISO submits governance response memo for oversight review. |
| Legal-technical | ||
| Detailed Narrative of Events | Chronological factual narrative for legal or regulatory use. | Security or legal prepares chronology for counsel or regulator. |
| Security Architecture Explanation for Legal Review | Explain architecture and controls for counsel. | Lead Security Engineer produces architecture memo for General Counsel. |
| Risk Register | Justify risk acceptance or mitigation for legal or audit. | Security Director maintains risk register for leadership and audit. |
| Security Decision Documentation | Record a significant security decision and rationale. | Security Director documents decision record for board and counsel. |
| Policy and governance | ||
| Security Policy Draft | Draft or update an enterprise security policy. | Security Director drafts policy for CISO, Legal, and board review. |
| Security Governance Memo | Define or clarify governance roles and escalation. | CISO issues internal governance memo to leadership. |
| Security Program Justification | Justify program scope, resourcing, or structure. | CISO presents program justification to CEO and board. |
| Internal Security Directive | Directive or mandate from leadership on security. | CISO issues internal directive on priority control requirements. |
| Public communication | ||
| Security Public Statement | Draft for press or public breach or incident statement. | CISO drafts public statement for consumers and partners. |
| Customer Security Explanation | Explain a security topic or incident to customers. | CISO drafts formal customer explanation for affected users. |
| Security Transparency Report Section | Section for an annual or ad-hoc transparency report. | CISO drafts security section of transparency report for external audiences. |
| Operational (case-pack specific) | ||
| Audit Packet Checklist | What to produce within 48 hours for evidence readiness. | Checklist for audit or regulator request. |
| Implementation Checklist | 0-30 / 30-60 / 60-90 day execution plan. | Security or program owner executes plan for leadership or board. |
Facts and Timeline¶
- Dec. 2020 — SUNBURST public disclosure cycle.
- Oct. 30, 2023 — SEC files complaint.
- Jul. 18, 2024 — 741 F. Supp. 3d 37 (motion to dismiss).
- Nov. 20, 2025 — Stipulation of dismissal; LR-26423.
References¶
Primary
Cited
- U.S. Securities and Exchange Commission. SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures, Oct. 30, 2023.
https://www.sec.gov/newsroom/press-releases/2023-227