2025 Cybersecurity and AI Year in Review - Holland & Knight

Skip to content DECEMBER 23, 2025 2025 Cybersecurity and AI Year in Review Holland & Knight SECond Opinions Blog Season's Readings Series Stephen P. Warren | Jessica B. Magee | Allison Kernisky Season's Greetings! In this first installment of Season's Readings, we look back at this year's developments involving cybersecurity and artificial intelligence (AI), both of which remained priorities for the SEC in 2025, but the agency's approach changed under new leadership. The past year also saw a long-running cybersecurity enforcement action involving SolarWinds come to an unexpected ending. SolarWinds Lawsuit Voluntarily Dismissed Last month, the SEC voluntarily dismissed with prejudice its enforcement action against tech company SolarWinds and its chief information security officer (CISO). The SEC filed the lawsuit in October 2023, claiming the company and CISO misled investors by failing to disclose known vulnerabilities in the company's cybersecurity capabilities, which were exposed in a cyberattack by Russian hackers. The SEC's theory was that the alleged deficiencies in cybersecurity controls violated statutory obligations to maintain internal accounting controls under the securities laws. In July 2024, a federal judge dismissed the majority of the SEC's claims, including the SEC's novel internal accounting controls theory. The court ruled that statutory accounting controls requirements apply to financial reporting controls, not to cybersecurity or operational controls. The court did allow one claim to proceed, namely the SEC's claim that a "Security Statement" on SolarWinds' website – describing in detail its cybersecurity measures – was misleading. In July of this year, after leadership at the SEC changed under the new presidential administration, the parties notified the court that they had reached a settlement but that they needed additional time to seek approval from the SEC's commissioners. In November, however, the parties filed a joint stipulation dismissing the case with prejudice. Notably, no penalty, injunction or officer bar was imposed on SolarWinds or the CISO, so the outcome looks more like a complete win for SolarWinds and the CISO than a settlement. The company called it a "vindication." Cybersecurity Rulemaking and Enforcement Activity Though the SEC has withdrawn some proposed cybersecurity rules (and dismissed the SolarWinds lawsuit), the agency has continued to pursue cybersecurity enforcement actions and continued to make cybersecurity a focal point in other ways. For example, in February 2025, the SEC announced the creation of a Cyber and Emerging Technologies Unit (CETU), which has been tasked with combatting cyber-related misconduct and protecting retail investors from bad actors in the emerging technologies space. CETU replaced the Crypto Assets and Cyber Unit and comprises fraud specialists and attorneys from multiple SEC offices. The launch of CETU demonstrates the SEC will continue to make cybersecurity a priority, while drawing back from cryptocurrency regulation. CETU will prioritize fighting fraud involving retail investors. AI Enforcement and Rulemaking At the same time the SEC is pulling back on cybersecurity rulemaking, there is a push in certain quarters of the agency for improved AI disclosures. Earlier this month, an Investment Advisory Committee at the SEC recommended that the SEC issue guidance (as part of existing disclosure regulations) that would standardize the manner in which public companies report their use of AI. Specifically, the working group recommended that the SEC require issuers to: 1) define AI, 2) disclose board oversight mechanisms, if any, for overseeing the deployment of AI and 3) explain to investors how the company is using AI and how that deployment is affecting the company's business operations and consumer-facing matters. Despite the committee's recommendation, it remains to be seen if the current SEC, which has been moving away from rulemaking, is willing to pass a measure or issue guidance requiring AI-specific disclosures. AI Washing The working group's recommendation was partly a response to the practice of "AI washing," which is when companies make misleading claims about the integration of AI into their business operations. In 2025, the SEC's Enforcement Division continued to pursue companies and advisers that overstated their AI capabilities. For example, in January 2025, the SEC announced that it had settled an enforcement action against Presto Automation for making misleading statements about its AI product, Presto Voice. The company had boasted that Presto Voice eliminated the need for human drive-thru order-taking at fast food restaurants, but the SEC alleged that the vast majority of drive-thru orders required human intervention. Several months later, in April 2025, the SEC filed a civil complaint against Albert Saniger, the former CEO of Nate Inc., a private startup company. The SEC alleged that Saniger had raised more than $42 million from investors by claiming that Nate Inc.'s mobile shopping app used AI to complete online purchases, when, according to the SEC, nearly all orders were manually processed by humans. The SEC's complaint charged violations of the Securities Act and Exchange Act, including antifraud violations. Because Saniger lives in Spain, the SEC has not yet been able to serve him with the complaint under the Hague Convention. The Presto Automation settlement and Saniger complaint should serve as reminders that companies marketing the use of AI tools need to ensure that their public statements are accurate and documented. In addition, the newly created CETU Unit (discussed above) has said that it will target AI washing. Cybersecurity and AI Remain an SEC Priority in Examinations Moving away from enforcement to examinations, cybersecurity and AI will remain areas of focus. In November 2025, the SEC's Division of Examinations released its examination priorities for fiscal year 2026. The division examines, among other entities, investment advisors, investments companies and broker-dealers. In discussing risk areas impacting market participants, the Division of Examinations explained that it will continue to view cybersecurity as a "perennial examination priority" because of, among other things, the operational risks posed by cybersecurity attacks. The division also stressed that one "focus" of its examinations in the coming year "will be on training and security controls that firms are employing to identify and mitigate new risks associated with artificial intelligence (AI)." RELATED BLOG SECond Opinions Blog EDITORS Allison Kernisky Jessica B. Magee RELATED PRACTICES Securities Enforcement Defense White Collar Defense and Investigations Public Companies and Securities Artificial Intelligence Artificial Intelligence Policy & Regulation Data Strategy, Security & Privacy Litigation and Dispute Resolution Corporate Services Compliance Services Consumer Protection Defense and Compliance Marketing, Advertising and Sweepstakes RELATED INDUSTRY Technology & Telecommunications Subscribe to Updates and Events Click to Sign Up Related Insights SEC Initiates Review of ESG Fund Names Rule MARCH 4, 2026 6 Minutes Holland & Knight and SECond Opinions Welcome Camelia Lopez Shoemaker JANUARY 20, 2026 11 Minutes CERTainly Getting Interesting: Supreme Court Again to Address SEC's Power to Obtain Disgorgement JANUARY 14, 2026 8 Minutes "Everywhere You Want to Be" Except Federal Court MARCH 3, 2026 15 Minutes Once a Private Securities Transaction, Now an Outside Business Activity? JANUARY 20, 2026 6 Minutes SEC Enforcement 2025 Year in Review DECEMBER 31, 2025 10 Minutes FINRA Triples Long-Standing Annual Gift Limit FEBRUARY 24, 2026 3 Minutes Financial Services Regulatory Crystal Ball: Outlook for 2026 JANUARY 15, 2026 2025 Delaware Year in Review DECEMBER 30, 2025 8 Minutes View More By clicking “Accept All Cookies,” you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. Cookies Settings Privacy Preference Center When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer. Holland & Knight Cookie Notice Allow All Manage Consent Preferences Strictly Necessary Cookies Always Active These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information. Targeting Cookies Targeting Cookies These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising. Performance Cookies Performance Cookies These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance. Social Media Cookies Social Media Cookies These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools. Functional Cookies Functional Cookies These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly. Cookie List Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label Reject All Confirm My Choices