Do Directors Face Potential Liability For Not Preventing Cyber Attacks?

In the past weeks, we’ve reported that while most companies are properly disclosing their exposure to cybersecurity threats, the increasing occurrence and severity of cyber attacks has the SEC considering even more stringent cybersecurity disclosure requirements. Now, another study reports that while 38% of Fortune 500 companies have disclosed that a potential cyber event would “adversely” impact their business, only six percent of those companies purchase cyber security insurance.

What of the other 94%? Should they be doing more to protect themselves against the growing cyber threat? Do their directors have a fiduciary obligation to do more?

In re Caremark International Inc. Derivative Litigation, a Delaware decision from 1996, sets forth a director’s obligations to monitor against threats such as cyber attacks. In short, as long as a director acts in good faith, as long as she exercises proper due care and does not exhibit gross negligence, she cannot be held liable for failing to anticipate or prevent a cyber attack. However, if a plaintiff can show that a director “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities,” it could give rise to a claim for breach of fiduciary duty.

As Delaware courts have repeatedly held, a Caremark claim is possibly the most difficult theory in corporations law upon which a plaintiff might hope to win a judgment. To succeed, a plaintiff must establish:

• The existence of facts suggesting that the board knew that internal controls were inadequate and could leave room for materially harmful behavior, and

• That the board chose to do nothing about the control deficiencies that it knew existed.

Put another way, the plaintiff must be able to show a “sustained or systematic failure of the board to exercise oversight.” While these standards are strict, one could easily envision a situation in which a company suffers a serious cyber attack and then, months later, suffers another. The board surely knew of the first attack and knew of the damage it caused the company, so to the extent a plaintiff could show the board’s response was insufficient – to the extent a plaintiff could show the board ignored the “red flag” of the prior attack – a claim could arise.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Securities Litigation and Regulatory Enforcement Group | Attorney Advertising
