December 23, 2025

2025 Cybersecurity and AI Year in Review

Holland & Knight SECond Opinions Blog Season's Readings Series
Stephen P. Warren | Jessica B. Magee | Allison Kernisky

Season's Greetings! In this first installment of Season's Readings, we look back at this year's developments involving cybersecurity and artificial intelligence (AI). Both remained priorities for the SEC in 2025, though the agency's approach changed under new leadership. The past year also saw a long-running cybersecurity enforcement action involving SolarWinds come to an unexpected ending.

SolarWinds Lawsuit Voluntarily Dismissed

Last month, the SEC voluntarily dismissed with prejudice its enforcement action against tech company SolarWinds and its chief information security officer (CISO). The SEC filed the lawsuit in October 2023, claiming the company and CISO misled investors by failing to disclose known vulnerabilities in the company's cybersecurity capabilities, which were exposed in a cyberattack by Russian hackers.

The SEC's theory was that the alleged deficiencies in cybersecurity controls violated statutory obligations to maintain internal accounting controls under the securities laws. In July 2024, a federal judge dismissed the majority of the SEC's claims, including the SEC's novel internal accounting controls theory. The court ruled that statutory accounting controls requirements apply to financial reporting controls, not to cybersecurity or operational controls. The court did allow one claim to proceed, namely the SEC's claim that a "Security Statement" on SolarWinds' website – describing in detail its cybersecurity measures – was misleading.

In July of this year, after leadership at the SEC changed under the new presidential administration, the parties notified the court that they had reached a settlement but that they needed additional time to seek approval from the SEC's commissioners. In November, however, the parties filed a joint stipulation dismissing the case with prejudice. Notably, no penalty, injunction or officer bar was imposed on SolarWinds or the CISO, so the outcome looks more like a complete win for SolarWinds and the CISO than a settlement. The company called it a "vindication."

Cybersecurity Rulemaking and Enforcement Activity

Though the SEC has withdrawn some proposed cybersecurity rules (and dismissed the SolarWinds lawsuit), the agency has continued to pursue cybersecurity enforcement actions and continued to make cybersecurity a focal point in other ways.

For example, in February 2025, the SEC announced the creation of a Cyber and Emerging Technologies Unit (CETU), which has been tasked with combatting cyber-related misconduct and protecting retail investors from bad actors in the emerging technologies space. CETU replaced the Crypto Assets and Cyber Unit and comprises fraud specialists and attorneys from multiple SEC offices. The launch of CETU demonstrates the SEC will continue to make cybersecurity a priority, while drawing back from cryptocurrency regulation. CETU will prioritize fighting fraud involving retail investors.

AI Enforcement and Rulemaking

At the same time the SEC is pulling back on cybersecurity rulemaking, there is a push in certain quarters of the agency for improved AI disclosures. Earlier this month, an Investment Advisory Committee at the SEC recommended that the SEC issue guidance (as part of existing disclosure regulations) that would standardize the manner in which public companies report their use of AI.

Specifically, the working group recommended that the SEC require issuers to: 1) define AI, 2) disclose board oversight mechanisms, if any, for overseeing the deployment of AI and 3) explain to investors how the company is using AI and how that deployment is affecting the company's business operations and consumer-facing matters. Despite the committee's recommendation, it remains to be seen if the current SEC, which has been moving away from rulemaking, is willing to pass a measure or issue guidance requiring AI-specific disclosures.

AI Washing

The working group's recommendation was partly a response to the practice of "AI washing," which is when companies make misleading claims about the integration of AI into their business operations. In 2025, the SEC's Enforcement Division continued to pursue companies and advisers that overstated their AI capabilities. For example, in January 2025, the SEC announced that it had settled an enforcement action against Presto Automation for making misleading statements about its AI product, Presto Voice. The company had boasted that Presto Voice eliminated the need for human drive-thru order-taking at fast food restaurants, but the SEC alleged that the vast majority of drive-thru orders required human intervention.

Several months later, in April 2025, the SEC filed a civil complaint against Albert Saniger, the former CEO of Nate Inc., a private startup company. The SEC alleged that Saniger had raised more than $42 million from investors by claiming that Nate Inc.'s mobile shopping app used AI to complete online purchases, when, according to the SEC, nearly all orders were manually processed by humans. The SEC's complaint charged violations of the Securities Act and Exchange Act, including antifraud violations. Because Saniger lives in Spain, the SEC has not yet been able to serve him with the complaint under the Hague Convention.

The Presto Automation settlement and Saniger complaint should serve as reminders that companies marketing the use of AI tools need to ensure that their public statements are accurate and documented. In addition, the newly created CETU (discussed above) has said that it will target AI washing.

Cybersecurity and AI Remain an SEC Priority in Examinations

Moving away from enforcement to examinations, cybersecurity and AI will remain areas of focus. In November 2025, the SEC's Division of Examinations released its examination priorities for fiscal year 2026. The division examines, among other entities, investment advisors, investment companies and broker-dealers.

In discussing risk areas impacting market participants, the Division of Examinations explained that it will continue to view cybersecurity as a "perennial examination priority" because of, among other things, the operational risks posed by cybersecurity attacks. The division also stressed that one "focus" of its examinations in the coming year "will be on training and security controls that firms are employing to identify and mitigate new risks associated with artificial intelligence (AI)."
