Court of Chancery Addresses Board Responsibility Under Caremark for Cybersecurity Risk—SolarWinds
Client memorandum | October 21, 2022
In Construction Industry Laborers Pension Fund v. Bingle (Sept. 6, 2022) (SolarWinds), the Delaware Court of Chancery dismissed a derivative suit asserting Caremark claims against the directors of SolarWinds Corporation for their alleged failure to oversee the company’s cybersecurity risk. SolarWinds, which developed software for businesses to help them manage their information technology infrastructure, was attacked by cyber hackers, resulting in the massive leaking of its customers’ personal information. When the attack (known as “Sunburst”) was disclosed, SolarWinds’ stock price dropped by 40%. Stockholders brought suit and argued that demand on the board to bring the suit was futile as a majority of the directors faced a likelihood of personal liability under Caremark for breach of the duty of loyalty in having failed to oversee the company’s cybersecurity risk. The case was dismissed at the pleading stage.
- This is the second Delaware decision in the past year to address a board’s oversight duties under Caremark with respect to cybersecurity risk. In both cases (the other being Sorenson, relating to the hacking of Marriott’s hotel reservation system), Caremark claims were asserted following a cybersecurity attack by third party hackers that exposed customers’ personal information. In both cases, the court dismissed the Caremark claims and reaffirmed that—notwithstanding a recent increase in Caremark claims following corporate traumas—it remains very difficult for a plaintiff to succeed on a Caremark claim. The court emphasized in both cases that a board’s failure to prevent a corporate trauma is not sufficient for liability under Caremark unless the failure was due to “bad faith” by a majority of the directors.
- The court found that the board’s inattention to cybersecurity issues and “subpar” system for reporting and monitoring cybersecurity risk did not, without more, indicate “bad faith.” The board allegedly: did not receive relevant information from the committees with responsibility for cybersecurity; did not discuss cybersecurity even once in the two years leading up to the Sunburst attack; and ignored warnings about cybersecurity deficiencies. The court found no implication of bad faith, however, as the board: “did not allow the company itself to violate law”; “did ensure that the company had at least a minimal reporting system about corporate risk, including cybersecurity”; and did not “ignore sufficient ‘red flags’ of cyber threats to imply a conscious disregard of a known duty, indicative of scienter.”
- Notwithstanding the dismissal of the case, the court’s opinion underscores the need for boards to implement appropriate systems to monitor and address cybersecurity risk. The court acknowledged the growing and consequential risks posed by cybersecurity threats. Indeed, the court characterized cybersecurity as a “mission-critical” risk for online providers, as they rely on customers sharing with them access to their personal information.
Background. SolarWinds, which became a public company in October 2018, was in the business of selling information technology infrastructure management software. Its numerous customers included many Fortune 500 companies, major technology companies (such as Microsoft), and government agencies (such as the FBI, Secret Service, and National Security Agency). In 2020, Russian hackers concealed malicious code in SolarWinds’ software and thereby gained entry to SolarWinds customers’ systems. The hackers accessed and stole emails, intellectual property, and extensive other proprietary information from up to 18,000 of SolarWinds’ private and public sector customers. Following the company’s announcement of the attack, its stock price dropped 40% (and still reflected a 30% drop at the time the suit was filed). The plaintiffs (stockholders of SolarWinds at the time of the attack) brought suit seeking to hold the company’s directors personally liable, under Caremark, for having “failed to adequately oversee the risk to cybersecurity of criminal attack.” Vice Chancellor Sam Glasscock III dismissed the case for failure to plead demand futility, finding that the complaint failed to demonstrate a substantial likelihood that a majority of the directors faced liability on the merits of the plaintiff’s Caremark claim.
Caremark. “Caremark claims” relate to directors’ duties to oversee and monitor a corporation’s critical risks relating to its operational viability, legal and regulatory compliance, and financial performance and reporting. Under Caremark, directors can have personal liability for having failed to prevent corporate harm under circumstances (usually egregious) involving their knowing bad faith. A successful Caremark claim requires that the plaintiff adequately alleges facts supporting a reasonable inference that either: (i) the directors “utterly failed” to put into place a board-level system to obtain information about and monitor the critical risks facing the company, or (ii) having put such a system into place, they “consciously failed” to monitor or oversee its operation, such as by deliberately disregarding “red flags” that put them on notice of the likelihood of potential corporate trauma relating to such risks (thus disabling themselves from being informed of risks or problems requiring their attention).
The recent increase in Caremark cases. Vice Chancellor Glasscock noted in SolarWinds that “Caremark claims, once relative rarities—have in recent years bloomed like dandelions after a warm spring rain….” The increase began following the Delaware Supreme Court’s 2019 Marchand v. Barnhill decision, in which the Supreme Court, overturning the Court of Chancery, found that the defendant directors were potentially liable under Caremark. Marchand, while not articulating any different standard for success on Caremark claims than previously, departed from the historical trend of almost invariable dismissal of Caremark claims at the pleading stage. Thereafter, in several Caremark cases (AmerisourceBergen, Hu, and Boeing), the Court of Chancery found in favor of the plaintiffs at the pleading stage. Most recently, however, the Court of Chancery has again emphasized that Caremark claims are among the most difficult on which a plaintiff can hope to withstand a motion to dismiss; and in several cases (Sorenson, NiSource, and now SolarWinds) the court has dismissed Caremark claims at the pleading stage notwithstanding its view that the board had failed to implement an effective monitoring system for key risks facing the company.
The court emphasized in SolarWinds that no Delaware decision yet has found directors potentially liable under Caremark based on a “failure to monitor business risk” outside the context of “noncompliance with positive law.” The court stressed that, “absent statutory or regulatory obligations, how much effort to expend to prevent criminal activities by third parties against the corporate interest requires an evaluation of business risk, the quintessential board function.” To date, the court stated, it has found “a sufficient connection between the corporate trauma [that occurred] and the actions or inactions of the board” only when a board has failed to oversee the company’s compliance with “positive-law regulation.” It “remains an open question” whether Caremark liability may be imposed for a board’s failure to oversee business risk (such as cybersecurity risk unrelated to compliance with law). The court declined to resolve the issue—as it found that, in any event, the plaintiffs’ complaint failed to plead particularized facts indicating “bad faith” by the board, which would be required for a finding of liability under any Caremark theory (given that, as is usual, the company charter exculpated directors from liability for duty of care violations).
The plaintiffs did not allege facts that gave rise to a reasonable inference that the defendant directors acted in bad faith such that they breached the duty of loyalty. Specifically, based on the allegations:
- The directors did not act in violation of “positive law.” The plaintiff pointed to interpretive guidance issued by the SEC in 2018, which included a statement that companies are “required to establish and maintain appropriate and effective disclosure controls and procedures, including those related to cybersecurity.” The court viewed this guidance as “certainly indicative of requirements regarding public company disclosures,” but not as “positive law with respect to required cybersecurity procedures or how to manage cybersecurity risks.” The plaintiff also pointed to the New York Stock Exchange’s “guide” to cybersecurity. The court did not view the guide as positive law because it was not binding. The plaintiffs had “not alleged that legal and regulatory frameworks have evolved with respect to cybersecurity, such that SolarWinds’s corporate governance practices must have followed,” the court wrote.
- The directors did not ignore “red flags.”
  - Briefing received by a board committee. The plaintiff contended that a briefing a board committee had received on cybersecurity concerns was a red flag. To the contrary, the court stated, the report was “in fact, an instance of oversight.” Further, the report was “not indicative of an imminent corporate trauma” but reflected “that the Company might become the subject of a cyberattack”; the allegation that the committee ignored the report was “conclusory”; and it was not pled that the report “made action by the board necessary.”
  - Warnings by a company executive about cybersecurity deficiencies. The court stated that, as these warnings were given before the company went public, they were not known to the board, so the board’s response (or lack thereof) could not have been in bad faith.
  - Insufficient password. The plaintiff pointed to the company’s use of “a jejune, even farcical, password—’solarwinds123’—that could have compromised the Company’s security….” In addition, an unaffiliated third party allegedly had sent an email to the company’s information technology team informing them of this security deficiency. The court stated that there were no allegations that the board knew about the password being used or the third-party email—and, “[w]ithout such knowledge, the Board again cannot have acted in bad faith relating to this incident.”
  - Bad cybersecurity practices and industry warnings. The court noted (in a footnote) the plaintiff’s contention that “gross deficiencies” in the company’s cybersecurity practices and industry warnings about such practices were red flags that the board ignored. The court wrote: “These decisions are business decisions rather than particularized incidents giving rise to red flags…. [And] [f]ailing to take industry warnings into account…is bad practice, but is insufficient to plead bad faith failure to oversee SolarWinds particularly, as was the fiduciary duty of the Board.”
- The directors did not “utterly fail” to establish an oversight mechanism for cybersecurity risk. The plaintiff alleged that the board “did not conduct a single meeting or have a single discussion about the Company’s mission critical cybersecurity risks” in the two years leading up to the Sunburst attack. The court stated that, during that time, the board charged two board committees with responsibility for oversight of cybersecurity risks. Delegating oversight responsibility of a “particular risk in a particular year” to a “non-sham, functioning Committee” does not indicate that the board intentionally disregarded its oversight responsibilities in bad faith, the court wrote. While the committees’ failure to report to the board indicated a “subpar reporting system” that should have been of concern to the directors, it did not represent an “utter failure to attempt to assure” that a reporting system existed, and thus did not indicate “an intentional ‘sustained or systematic failure’ of oversight, particularly given directors are presumed to act in good faith.”
The committee members who failed to report to the board on cybersecurity risk also were not liable. The court stated that which issues a committee chooses to bring to the full board is an exercise of business judgment protected by the company’s exculpatory charter provisions. Further, the court stated, it was “simply unwarranted” to hold committee members liable for failing to “discuss a particular business risk with the full board over a period of 26 months while contending with the [company’s] transition to life as a public company and the novel coronavirus pandemic.”
The Sorenson (Marriott) decision—the other recent case involving Caremark claims relating to oversight of cybersecurity risk. In Sorenson (Oct. 5, 2021), Marriott International Inc. discovered in 2018 a data security breach that had exposed the personal information of up to 500 million of its hotel guests. An investigation revealed that the cyberattack occurred through the reservation database of Starwood Hotels (which Marriott had acquired two years prior) and had begun in 2014. After Marriott publicly announced the incident, the plaintiff brought suit challenging the directors’ and certain key executives’ failure, pre-acquisition, to conduct adequate due diligence of Starwood’s cybersecurity technology; and, post-acquisition, their failure (under Caremark) to oversee cybersecurity and cease using Starwood’s deficient systems. The court found the first claim time-barred; and found no likelihood of liability under Caremark. The court acknowledged that “cybersecurity has increasingly become a central compliance risk deserving of board level monitoring at companies across sectors”—but found that the plaintiff’s allegations were “unsupported by allegations of bad faith.” The allegations did not show that the directors “completely failed to undertake their oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures,” the court wrote.
- Boards (supported by management, the audit committee, the company’s outside auditors, and legal counsel) should stay focused on, and apprised of key developments with respect to, issues and risks that are central to the business—including cybersecurity risk. Under Caremark, boards need not ensure regulatory compliance or the avoidance of corporate harm but they must in good faith seek to establish a reasonable oversight system and then monitor it reasonably, particularly with respect to the company’s “mission-critical” risks. Identification of mission-critical risks is an ongoing process. Particular attention should be paid to risks relating to human health and safety and to compliance with legal and regulatory requirements. Cybersecurity risk relating to the protection of customer information may be considered mission-critical. Boards should keep in mind also the recent increased focus on ESG issues, climate change, sustainability, human capital, and other evolving areas of risk—and should seek to anticipate key areas of risk that may develop in the future.
- Boards should pay particular attention to seeking to ensure the company’s compliance with applicable laws and regulations relating to key risks, including cybersecurity. Violation of “positive law” clearly heightens the risk of Caremark liability. (SolarWinds underscores that, in the event a company is subject to laws or regulations governing its cybersecurity practices, Caremark claims relating to cybersecurity oversight might be considered by the court in the context of a key “noncompliance risk” rather than merely as a “business risk.”) At the same time, we note that, in a number of recent cases—NiSource; Fisher v. Sanborn (LendingClub); and Richardson v. Clark (MoneyGram)—the court dismissed Caremark claims at the pleading stage that were based on governmental investigations finding the company had a history of regulatory noncompliance. Successful defenses in these cases (that supported a lack of bad faith by directors) included that: the board was not aware of the regulatory noncompliance; the noncompliance was not sufficiently related to the corporate trauma that occurred; the noncompliance occurred at a different subsidiary of the company; and/or the board had taken steps to remediate the noncompliance.
- We recommend (based on recent Caremark decisions) that boards:
  - identify the “mission-critical” risks facing the company and delegate responsibility for oversight of these risks to specific board committees;
  - be active in establishing effective management of key risks as a corporate priority;
  - consider setting a regular schedule for reporting from management on key risks and be proactive in seeking out additional reports when appropriate;
  - not simply delegate to senior officers of the company the management of critical risks, but become informed about and consider how those risks are managed;
  - not ignore (but, rather, proactively address) “red flags” (or “yellow flags”) about key risks;
  - create a record (such as in board minutes) of their risk monitoring and oversight efforts; and
  - when recruiting new directors, take into consideration the board’s expertise in addressing regulatory and other key risks (such as cybersecurity).
- We recommend (based on recent Caremark decisions) that management:
  - establish regular processes and protocols requiring management to keep the board apprised of key regulatory compliance and other practices, risks or reports;
  - inform the board when it learns of “red flags” (or “yellow flags”) about key risks (including, for example, complaints or reports from regulators or whistleblowers);
  - include the board in the company’s whistle-blower process;
  - tailor risk management strategies to the company’s specific circumstances and risk profile;
  - inform the board of the practices of other companies in its industry or peer companies with respect to oversight of mission-critical risks; and
  - integrate risk management considerations into the company’s corporate strategies and decision-making generally.
- Boards should be familiar with the SEC’s new proposed rule to enhance and standardize disclosure requirements for cybersecurity risks—and should be aware of the practical issues it may present in the event of a cybersecurity incident. The proposed rule requires, among other things, that a public company report all “material” cybersecurity incidents within four business days of determining the event’s materiality. Notably, there is no exception for a delay in disclosure pending law enforcement investigations, coordination with national security agencies, compliance with court orders restricting disclosure, or the like. A board may be presented with difficult issues if premature disclosure of a cybersecurity incident would impede a company’s “patch” of the cyber vulnerability involved, interfere with a pending law enforcement investigation or needed coordination with national security or other government agencies, or cause damage to other companies that may be subject or vulnerable to an ongoing cybersecurity attack.
This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm’s data policy page for further information.