On July 18, 2024, the U.S. District Court for the Southern District of New York dismissed most of the claims brought by the Securities and Exchange Commission (the “Commission”) against SolarWinds Corp. and its Chief Information Security Officer in SEC v. SolarWinds Corp. et al. in connection with the SUNBURST attack. Among other things, the decision provides important perspective to the debate regarding whether controls associated with cybersecurity matters are covered by the internal accounting controls provisions of Section 13(b)(2)(B) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). The court's dismissal in SolarWinds follows in sharp contrast to the Commission's June 18, 2024 settlement with R.R. Donnelley & Sons Company relating to cybersecurity incidents, including violations of Section 13(b)(2)(B) with regard to internal accounting controls, and Exchange Act Rule 13a-15(a) with regard to disclosure controls and procedures (“DCP”).