When Paul Atkins became the new chairman of the Securities and Exchange Commission (SEC) in April 2025, the market expected enforcement actions against public companies to decrease. Chairman Atkins has criticized the prior SEC administration’s pursuit of large corporate fines, believing that they unfairly penalized shareholders. He also criticized the Gensler administration’s focus on technical violations that did not involve any “genuine harm and bad acts.”

With 2025 ending, it appears that Atkins followed through on his promise to realign the SEC’s enforcement priorities to return to the SEC’s core mission of pursuing clear-cut rule violations in an effort to bolster investor protection, with a focus on traditional fraud as opposed to technical violations, such as books-and-records infractions. This resulted in a sharp decline in public company enforcement. A recent Cornerstone report[1] showed that in FY 2025, the SEC initiated 56 actions against public companies and their subsidiaries, 52 of which were initiated prior to Chairman Gary Gensler’s departure on January 20. Only two enforcement actions were initiated after Atkins became chairman, and he recused himself with respect to one of the charging decisions.

In addition to a decrease in new public company enforcement actions, 2025 also saw the SEC retreating from Gensler-era initiatives in crypto and cybersecurity enforcement. Since January, the SEC has closed most of its crypto investigations and enforcement actions, which Atkins has characterized as “the previous administration’s regulation-by-enforcement crusade.” On November 20, the SEC terminated its long-running litigation against SolarWinds and its chief information security officer relating to SolarWinds’ cybersecurity disclosures.

Looking ahead to 2026, we expect the SEC to prioritize charging individuals responsible for misconduct rather than imposing corporate penalties. We also expect a continued focus on insider trading, especially in the biotech sector. Finally, as discussed in our October 28 blog post, foreign issuers listed on US stock exchanges will likely face continued close scrutiny, particularly where “pump and dump” schemes are suspected.

Sharp decline in public company enforcement actions in FY 2025 amid leadership change

The Cornerstone report compared the FY 2025 statistics to three prior fiscal years that also involved a change in SEC administration (FY 2013, FY 2017 and FY 2021). While enforcement actions in those three prior years were distributed fairly evenly between the periods before and after the departure of the incumbent chairman, FY 2025 saw a stark contrast between the incoming and outgoing administrations. As noted above, 52 of the 56 public company enforcement actions in FY 2025 happened prior to Gensler’s departure in January. In addition, the SEC initiated 29 public company actions in Q1 (which ran from October 2024 to December 2024) – the highest Q1 number in the SEED database, which goes back to FY 2010. By contrast, there was only one public company enforcement action in September 2025, compared to 35 in September 2024.

SolarWinds lawsuit dismissed

The SEC’s voluntary dismissal of the SolarWinds lawsuit marked the end of a two-year litigation that arose from the 2020 SUNBURST cyberattack. The SEC alleged that SolarWinds overstated its cybersecurity practices while understating its cybersecurity risks, and that SolarWinds minimized the scope and severity of the SUNBURST attack. (Read more about the SolarWinds litigation and an amicus brief Cooley submitted on behalf of 50+ cybersecurity leaders and organizations.)

In July 2024, Judge Paul A. Engelmayer of the US District Court for the Southern District of New York dismissed most of the SEC’s claims, except for a securities fraud claim based on a Security Statement on the company’s website, which was published a year before its initial public offering. The defendants moved for summary judgment in April 2025, arguing that the SEC had conceded in the parties’ joint statement of undisputed material facts that SolarWinds implemented each of the policies described in its Security Statement. The court never ruled on this motion, as the SEC chose to dismiss the case entirely.

The parties’ stipulation of dismissal stated that the SEC’s decision to dismiss this action “does not necessarily reflect the Commission’s position on any other case.” Indeed, the SEC is still focused on cybersecurity disclosures, as reflected by its creation of a Cyber and Emerging Technologies Unit, which – among other things – will “combat misconduct as it relates to … [p]ublic issuer fraudulent disclosure relating to cybersecurity,” as discussed in our February 25 blog post. Consistent with Atkins’ stated goal of focusing on “genuine harm,” we can expect the SEC to continue to police material cybersecurity misrepresentations and omissions that led to investor harm.

Individual accountability over corporate penalties

The relatively slow pace of SEC enforcement activity this year can be attributed to several factors. Atkins assumed his role in April, followed by Enforcement Director Meg Ryan in September. In October, the federal government commenced its longest shutdown in history, which only recently concluded. During this transitional period, the Division of Enforcement is likely working to align its priorities, case theories and remedies with the new SEC leadership. This alignment is critical for novel or “first-of-their-kind” matters, as the staff assesses the SEC’s position on new types of charges and relief before formally recommending action. Once the Division of Enforcement has clarity on the SEC’s direction, subsequent cases of a similar nature are expected to proceed more swiftly.

For public companies, the early signals suggest that the SEC will likely favor holding individuals responsible for misconduct, rather than pursuing large corporate settlements. As an example, on November 7 (during the government shutdown), the SEC charged the founder and CEO of a trade finance platform with engaging in a fraudulent scheme in connection with the company’s de-SPAC merger in 2020. The SEC alleged that the defendant overstated the amount of activity on the platform in order to induce the special purpose acquisition company (SPAC) investors to approve the merger, which generated $60 million for the defendant. Ultimately, the investors suffered “substantial losses” when the company’s stock price fell below $1 and all the public securities were acquired for $0.1 per share by a company owned and controlled by the defendant and the SPAC’s former CEO.

Insider trading – especially in biotech stock – has been a focus

Over the summer, the SEC charged a number of individuals with insider trading in biotech stock:

  • In an August 7 complaint, the SEC alleged that an individual learned through his investment in a private biotech company that the private company was going to merge with a public biotech company. The individual purchased the public company’s stock in 15 accounts belonging to him and his family members. When the merger was announced, the price of the public company’s stock rose by 215%, resulting in approximately $160,000 in trading profits for the individual.
  • In an August 18 complaint, the SEC alleged that two men traded in the stock of six public companies based on material nonpublic information (such as drug trial results and upcoming mergers) that their friend obtained as a consultant to pharmaceutical and biotech companies. The defendants made more than $500,000 through those trades.
  • In an August 22 complaint, the SEC charged a former director of a biopharmaceutical company, along with his two family members and two friends, with insider trading ahead of a merger announcement. The defendants collectively made more than $500,000 in profit.

The price of biotech stock can fluctuate dramatically in response to clinical trial results, US Food and Drug Administration decisions and merger activities. This makes biotech companies particularly susceptible to insider trading. The SEC and the Financial Industry Regulatory Authority employ sophisticated surveillance tools to monitor trading patterns around significant corporate announcements, enabling regulators to detect suspicious trades. Given the SEC’s apparent focus on insider trading in the biotech sector, biotech companies should consider strengthening their insider trading compliance programs, including implementing appropriate blackout periods around major events.  

Foreign issuers will continue to face scrutiny

There is one notable exception to the SEC’s generally restrained approach to public company enforcement. Foreign issuers whose stock primarily trades on US stock exchanges will continue to be a focus of this SEC administration. As we explained in our October 28 blog post, the SEC has suspended securities trading of a number of Asia-based Nasdaq issuers due to suspected “pump and dump” schemes. The SEC appears to be closely coordinating with Nasdaq such that when the SEC suspension period expires, Nasdaq issues its own trading halt pending its request for information from these companies. In addition, as we discussed in our September 18 blog post, the SEC is expected to use its newly created Cross-Border Task Force to scrutinize foreign issuers and their disclosures to US investors. Therefore, foreign issuers should consider evaluating and enhancing their compliance programs, as well as ensuring the accuracy of their disclosures, to mitigate the heightened enforcement risks.


[1] The findings of the report are based on the Securities Enforcement Empirical Database (SEED), which tracks and records SEC enforcement actions against public companies and their subsidiaries based on data from the SEC’s website.

Contributors

Luke Cadigan
Tejal Shah
Elizabeth Skey
Samantha Kirby
Bingxin Wu
