The Board of Directors’ Duty of Oversight and Cybersecurity

Over the last several years, cyberattacks, including from foreign state actors, have affected thousands of companies and government agencies. Past corporate victims include Yahoo!, Home Depot, and LinkedIn. And the real world consequences of a cyberattack became vivid to the Americans public in May 2021, when the operator of the Colonial Pipeline was compromised. As a consequence of the attack, the pipeline, which provides roughly 45 percent of the gasoline and other types of fuel for the East Coast, had to be shut down for six days. The stoppage precipitated a run on gasoline along parts of the East Coast and left thousands of gas stations without fuel.[1]

Regulators have for over a decade issued guidance and undertaken enforcement activities in response to the threat of cyberattacks to the U.S. and global economy. Going back to 2011, following a joint letter from five U.S. senators to U.S. Securities and Exchange Commission Chairman Mary Schapiro, the SEC released disclosure guidelines regarding a public company’s obligation to address cybersecurity threats. More recently, sweeping new privacy laws have been enacted and come into effect in the U.S. and abroad,[2] and in May 2021 President Biden issued an executive order reinforcing his commitment to fighting cyberattacks as “a top priority and essential to national and economic security.”[3]

With cybersecurity attacks growing more frequent and government regulators focusing more sharply on cybersecurity issues, corporate boards and their advisers should consider applicable state case law in addressing the board’s fiduciary duties to monitor cybersecurity risk.

Caremark Duties in Delaware

In Caremark[4] and its progeny, Delaware courts articulated the scope of a board’s duty to monitor and oversee corporate risk. Importantly, liability for failure to monitor risk can only be imputed to individual board members where: (a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling  themselves from being informed of risks or problems requiring their attention. In either case, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations.[5]

Since Caremark, Delaware courts have been careful not to allow plaintiffs to use the duty to monitor to second-guess a well-informed board’s business decisions, including those about taking risk. Notably, in Citigroup,[6] the Delaware Court of Chancery rejected the plaintiffs’ claims that Citigroup board members breached their fiduciary duty by failing to prevent the losses the bank incurred as a result of its substantial exposure to the subprime mortgage market. The court held that the alleged warning signs cited by the plaintiffs were insufficient to imply knowledge of the need to oversee subprime mortgage investment decisions. The court reiterated its well-established principle that “the mere fact that a company takes on business risk and suffers losses – even catastrophic losses – does not evidence misconduct and without more, is not a basis for personal director liability.”

Caremark and Cybersecurity: The Marriott Decision

Following the 2019 Delaware Supreme Court decision in Marchand,[7] the duty of oversight has become a more common theme in Delaware litigation. It was therefore unsurprising that plaintiffs’ firms would bring litigation against corporate boards under a Caremark theory following disclosure of a cyberattack. The October 2021 Delaware Court of Chancery’s decision in Marriott[8] directly addresses the application of Caremark in the context of a cyberattack.[9] The opinion should give corporate boards comfort that a Caremark claim following a cybersecurity breach should not proceed against boards that establish and oversee reasonable procedures to monitor compliance with applicable cybersecurity laws.

The Marriott case resulted from a data security breach announced by Marriott International in the fall of 2018. The incident had exposed the personal information of up to 500 million guests. In its decision, the court expressly noted at the outset of its Caremark analysis that “[t]he corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place.” However, as the court goes on to explain, the growing risks posed by cybersecurity threats “do not… lower the high threshold that a plaintiff must meet to plead a Caremark claim,” and only a “sustained or systemic failure of the board to exercise oversight … will establish the lack of good faith that is a necessary condition to liability.”

In looking at the facts of Marriott, the court found that the board consistently ranked cybersecurity as a primary risk facing the company and that the board had systems in place to assess cybersecurity risks. In fact, the plaintiffs’ own complaint described how the board and its audit committee were routinely apprised of cybersecurity risks and mitigation, provided with annual reports on Marriott’s Enterprise Risk Assessment, which specifically evaluated cyber risks, and engaged outside consultants to improve, and auditors to audit, corporate cybersecurity practices. The Company also had internal controls over its public disclosure practices. Also, “red flag” reports were delivered by management to the board. Therefore, the court concluded that plaintiffs’ contention that the board faced liability under the first prong of Caremark was meritless.

The court also reviewed the plaintiffs’ argument that the Marriott board faced a substantial likelihood of liability under the second prong of Caremark for consciously disregarding red flags indicating that the company was violating positive law. Importantly, the court noted that pleading non-compliance with non-binding industry standards, like the Payment Card Industry Data Security Standard (PCI DSS), is not the same as pleading that directors knowingly permitted a company to violate the law. The court also reminded plaintiffs that a Caremark claim requires that they demonstrate scienter, which they had failed to do. In short, the facts of the case were “not reflective of a board that had decided to turn a blind eye to potential corporate wrongdoing.”

Practice Points for Boards

In light of the emphasis that the SEC and other regulators have placed on cybersecurity issues, the increasing amount of  litigation over  cybercrime, and the guidelines offered by Caremark and its progeny, boards should assess whether cybersecurity is “mission critical” to their business and, if so, should proactively incorporate cybersecurity issues into their oversight functions. With that in mind, the following are selected recommendations for boards to strengthen compliance with their Caremark obligations:

  • Teach directors about cyber-risk and perhaps retain cybersecurity experts and consultants to provide periodic updates to the board on new developments.
  • Consider requiring a standing board committee to specifically monitor cybersecurity and compliance with privacy laws. A generic mandate that a committee be in charge of “risk oversight” would be less helpful.
  • Invest time and resources into making sure that management has developed a well-constructed and deliberate response plan that is consistent with best practices for a company in the same industry.
  • Regularly conduct on-the-record and well-documented discussions regarding cybersecurity. A clear pattern of regular board engagement will be evidence of members acting in good faith.
  • Expect management to routinely prepare reports to the board on mission critical components of the business. Information should not trickle up to the board on an impromptu, intermittent, or discretionary basis.
  • Stay engaged and display leadership if there is a material cyberattack that results in corporate trauma. Although engagement during a crisis may not necessarily cure a lack of good faith engagement in oversight before the crisis, lack of engagement will only exacerbate the perceived failures of the board.
  • Develop a business culture that makes cybersecurity a priority.

ENDNOTES

[1]  See https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636.

[2]  See https://www.gibsondunn.com/wp-content/uploads/2021/01/us-cybersecurity-and-data-privacy-outlook-and-review-2021.pdf.

[3]  See https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

[4]  In re Caremark Int’l Deriv. Litig., 698 A.2d 959 (Del.Ch. 1996).

[5]  Of course, no discussion of Caremark could be complete without reiterating the point often made by the Delaware courts that oversight liability under Caremark is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” However, from the perspective of board members, personal liability is potentially at stake, since Caremark duties fall within the duty of loyalty, which in turn falls outside the permissible exculpatory provisions in corporate charters.

[6]  In re Citigroup S’holder Deriv. Litig., 964 A.2d 106 (Del. Ch. 2009).

[7]  Marchand v. Barnhill, 212 A.3d 805 (Del.2019). Despite the author’s preference not to cite himself, see https://clsbluesky.law.columbia.edu/2019/07/02/boards-of-directors-duty-of-oversight-and-esg-matters-caremark-revisited/.

[8]  Firemen’s Retirement System of St. Louis v. Sorenson, et al., C.A. No. 2019-0965-LWW.

[9]  The court analyzes the plaintiff’s Caremark claims in the context of defendants moving to dismiss plaintiff’s complaint under Court of Chancery Rule 23.1 for failure to make a demand on the board. The court concluded the demand was not excused, and the complaint therefore was dismissed in its entirety.

This post comes to us from Eduardo Gallardo, a partner in the New York office of Gibson Dunn & Crutcher, co-chair of the firm’s Mergers and Acquisitions Practice Group. and chair of its Shareholder Activism Defense Group. The opinions in this piece are solely his and do not necessarily represent the views or opinions of Gibson Dunn or any other partner of the firm.