Season's Greetings!In this first edition of Season's Readings, we review 2025's key developments in cybersecurity and artificial intelligence (AI), which continued as top priorities for the SEC amid new leadership and shifting strategies. Notably, a longstanding cybersecurity enforcement case involving SolarWinds ended unexpectedly. SolarWinds Lawsuit Voluntarily Dismissed In November, the SEC voluntarily dismissed with prejudice its enforcement action against SolarWinds and its chief information security officer (CISO). The SEC had filed suit in October 2023, accusing them of misleading investors by failing to disclose known cybersecurity vulnerabilities exploited in a Russian cyberattack. The SEC argued that these cybersecurity control deficiencies violated statutory internal accounting controls under securities laws. However, in July 2024, a federal judge dismissed most SEC claims, ruling that statutory accounting controls apply to financial reporting controls, not cybersecurity operational controls. Only one claim about a misleading "Security Statement" on SolarWinds’ website was allowed to proceed. After a leadership change at the SEC under a new administration, the parties agreed to settle and later jointly dismissed the case in November with no penalties, injunctions, or officer bars, marking a clear win for SolarWinds and its CISO, who called it a "vindication. " Cybersecurity Rulemaking and Enforcement Activity Despite withdrawing some proposed cybersecurity rules and dismissing the SolarWinds lawsuit, the SEC has maintained its focus on cybersecurity enforcement. In February 2025, it launched the Cyber and Emerging Technologies Unit (CETU), replacing the Crypto Assets and Cyber Unit. CETU consists of fraud specialists and attorneys from various SEC offices with a mission to combat cyber misconduct and protect retail investors from emerging technology fraud. This new unit signals continued cybersecurity emphasis while pulling back from cryptocurrency regulation, prioritizing fraud involving retail investors. AI Enforcement and Rulemaking While stepping back from cybersecurity rulemaking, parts of the SEC are advocating for improved AI disclosures. In June 2025, the SEC’s Investment Advisory Committee recommended issuing guidance to standardize how public companies disclose their use of AI.

They propose companies be required to: 1) define AI, 2) disclose board oversight of AI deployment, and 3) explain AI’s impact on business operations and consumer matters. However, it remains uncertain if the current SEC leadership will implement AI-specific disclosure rules or guidance given its general move away from rulemaking. AI Washing This recommendation responds in part to concerns over “AI washing, ” where companies exaggerate or misrepresent their AI capabilities. In 2025, the SEC’s Enforcement Division continued targeting such misconduct. For example, in January, the SEC settled with Presto Automation for misleading claims that its AI product Presto Voice eliminated need for human drive-thru order takers, when most orders still required human intervention. In April, the SEC filed a civil complaint against Albert Saniger, former CEO of startup Nate Inc. , alleging he raised over $42 million by falsely claiming the company’s mobile shopping app used AI to complete purchases, while most orders were processed manually. The SEC charged securities law violations including antifraud offenses but has yet to serve Saniger, who resides in Spain. These cases underscore the importance for firms to ensure accurate, documented public AI statements. CETU has explicitly stated it will target AI washing going forward. Cybersecurity and AI Remain an SEC Priority in Examinations Beyond enforcement, cybersecurity and AI are also focal points in SEC examinations. In November 2025, the Division of Examinations released its fiscal year 2026 priorities, covering investment advisors, investment companies, and broker-dealers. The division reaffirmed cybersecurity as a “perennial examination priority” due to operational risks posed by cyberattacks. Additionally, one key examination focus will be on firm training and security controls designed to detect and mitigate emerging AI-related risks. In summary, the SEC in 2025 experienced leadership-driven strategy shifts but maintained strong commitments to addressing cybersecurity and AI challenges through enforcement, new specialized units, and examination priorities, while cautiously navigating rulemaking efforts in these evolving areas.