SolarWinds Heads To SEC Settlement Over Sunburst Cyberattack

SolarWinds and the SEC have to provide the court with a written status report on Sept. 12 if the settlement has not been reached by then.

A federal district judge signed off on a request by SolarWinds and the U.S. Securities and Exchange Commission to pause ongoing litigation over how the cybersecurity vendor disclosed risks before the 2020 cyberattack as the two near a settlement agreement.

Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York commended lawyers for Austin, Texas-based SolarWinds, Chief Information Security Officer Tim Brown and the SEC for getting close to a settlement to resolve the case, which had oral arguments scheduled for July 22, according to a court filing Wednesday.

SolarWinds and the SEC have to provide the court with a written status report on Sept. 12 if the settlement has not been reached by then. Terms of the settlement were not laid out in the filing.

SolarWinds SEC Lawsuit

A SolarWinds spokesperson said in a statement that the settlement “is subject to approval by the Commission, and we cannot therefore discuss the terms at this time. We are pleased with the potential resolution and happy to focus on driving our business forward without distraction.”

An SEC spokesperson declined to comment beyond public filings. CRN has also reached out to Brown and the attorneys involved in the case for comment.

The settlement comes weeks after private equity firm Turn/River Capital closed on its $4.4 billion purchase of SolarWinds, ending the vendor’s time as a publicly traded company. The deal closed on April 16.

Attorneys representing the government, company and Brown said in a joint filing that they “have reached a settlement in principle that would completely resolve this litigation.”

SEC commissioners still need to approve the settlement. Pausing the lawsuit gives all the parties time to finalize the settlement, according to the filing.

The SEC first charged SolarWinds and Brown with fraud and internal control failures in October 2023. The case was severely gutted in July 2024 by Engelmayer, who dismissed the SEC’s claims of securities fraud and false filings based on SolarWinds’ statements and filings prior to the Sunburst disclosures with the exception of SEC claims of securities fraud based specifically on its security statement.

The judge also dismissed all of the SEC’s post-Sunburst claims as well as claims relating to SolarWinds’ internal accounting and disclosure controls and procedures. At the time, SolarWinds told CRN in an email it was confident in getting the final claim dismissed.

The case stems from the 2020 launch of the Sunburst malware attack. That incident became one of the most significant cyberattacks in history, resulting in nearly 18,000 of SolarWinds’ customers, including the U.S. government, receiving a compromised software update. However, SolarWinds later said fewer than 100 customers, including at least nine MSPs, were actually hacked as a result of the attack.