In the past weeks, we’ve reported that while most companies are properly disclosing their exposure to cybersecurity threats, the increasing occurrence and severity of cyber attacks has the SEC considering even more stringent cybersecurity disclosure requirements. Now, another study reports that while 38% of Fortune 500 companies have disclosed that a potential cyber event would “adversely” impact their business, only six percent of those companies purchase cyber security insurance.

What of the other 94%? Should they be doing more to protect themselves against the growing cyber threat? Do their directors have a fiduciary obligation to do more?

In re Caremark International Inc. Derivative Litigation, a Delaware decision from 1996, sets forth a director’s obligations to monitor against threats such as cyber attacks. In short, as long as a director acts in good faith, as long as she exercises proper due care and does not exhibit gross negligence, she cannot be held liable for failing to anticipate or prevent a cyber attack. However, if a plaintiff can show that a director “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities,” it could give rise to a claim for breach of fiduciary duty.

As Delaware courts have repeatedly held, a Caremark claim is possibly the most difficult theory in corporations law upon which a plaintiff might hope to win a judgment. To succeed, a plaintiff must establish:

• The existence of facts suggesting that the board knew that internal controls were inadequate and could leave room for materially harmful behavior, and

• That the board chose to do nothing about the control deficiencies that it knew existed.

Put another way, the plaintiff must be able to show a “sustained or systematic failure of the board to exercise oversight.” While these standards are strict, one could easily envision a situation whereby a company suffers a serious cyber attack and then, months later, suffers another. The board surely knew of the first attack and knew of the damage it caused the company, so to the extent a plaintiff could show the board’s response was insufficient – to the extent a plaintiff could show the board ignored the “red flag” of the prior attack – a claim could arise.


Topics:  Board of Directors, Covenant of Good Faith and Fair Dealing, Cyber Attacks, Cybersecurity, Disclosure Requirements, Fiduciary Duty, SEC

Published In: Business Organization Updates, Privacy Updates, Science, Computers & Technology Updates, Securities Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Securities Litigation and Regulatory Enforcement Group | Attorney Advertising
