The Securities and Exchange Commission on Thursday said it was dropping a landmark civil fraud case against SolarWinds and Tim Brown, the company’s chief information security officer. 

The SEC sued SolarWinds in 2023, alleging the company failed to disclose known security risks to investors in the run-up to a major supply-chain attack in which Russian government hackers infected the company’s Orion software with malware. 

The commission’s suit alleged that SolarWinds and Brown knew of specific shortcomings in the company’s cybersecurity program but never informed investors. In its complaint, the agency accused the company and Brown of committing fraud and internal control failures. 

But on Thursday, the SEC and the defendants filed a joint stipulation to dismiss the case with prejudice. The dismissal does not necessarily have any implications for other cases, the SEC said.

A wide range of government agencies and businesses use SolarWinds’ Orion platform, allowing Russia to gain extensive access to the company’s customers after penetrating their networks through the infected code.

The SEC’s case against SolarWinds suffered a major blow in 2024, when a federal judge dismissed most of the claims, including all of those related to events after the December 2020 disclosure of the attack and claims related to internal accounting and disclosure controls.

SolarWinds said it was “clearly delighted” with the SEC’s decision to drop its lawsuit, which the company described as a vast overreach by the commission.

“We fought with conviction, arguing that the facts demonstrated our team acted appropriately, [and] this outcome is a welcome vindication of that position,” a spokesperson for SolarWinds told Cybersecurity Dive. “We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work.”

The SEC declined to comment beyond its court filing and press release related to the case.