A U.S. District Court for the Southern District of New York granted, in large part, a motion by SolarWinds and its CISO to dismiss the fraud and internal controls charges brought against them by the SEC in the aftermath of a compromise of the company’s software product that was disclosed in December 2020. The court allowed only the subset of claims alleging that the “Security Statement” on the company’s website was materially false to survive. The case is the first in which the SEC has charged a CISO individually in connection with alleged cybersecurity violations and the first in which it has charged scienter-based securities fraud in connection with a cybersecurity breach. The case also represents a rare instance in which a company has challenged the SEC’s expansive reading of its authority to charge a violation of the Exchange Act’s “internal accounting controls” provision based on an alleged failure of any corporate controls, not limited to accounting controls. The court’s opinion has significant implications for public companies as they assess their cybersecurity risk management, governance and disclosure practices, and beyond the cybersecurity context in its finding that the SEC is not authorized to charge internal accounting controls violations that are not specifically tied to financial accounting controls.