In a landmark decision on July 18, 2024, Judge Paul Englemayer of the Southern District of New York dismissed most charges in the SEC’s enforcement action against SolarWinds and its CISO, Timothy Brown. The court ruled that cybersecurity controls are not part of a company’s “system of internal accounting controls” under Section 13(b)(2)(B)(iii) of the Exchange Act, dismissing these claims. However, the court upheld charges that SolarWinds and Brown misled investors with public statements about their cybersecurity program. This case, stemming from the SUNBURST attack, highlights the importance of detailed risk disclosures and accurate public-facing statements on cybersecurity.