In the recent case Construction Industry Laborers Pension Fund on behalf of SolarWinds Corporation, et. al v. Mike Bingle, et al. (2022), the Delaware Chancery Court considered whether the directors of SolarWinds Corporation, a provider of information technology infrastructure management software, had violated their Caremark duties to conduct reasonable cybersecurity risk oversight of the company. While the case was ultimately dismissed, SolarWinds demonstrates the importance of establishing and monitoring cybersecurity oversight, and in particular that directors of companies who may be required to follow certain cybersecurity regulations (positive law) should work to ensure compliance (or oversight thereof) with such regulations, in order to protect against future exposure.
In 2020, hackers concealed malicious code in SolarWinds’ software and orchestrated an attack that affected up to 18,000 of SolarWinds’ clients and led to a precipitous drop in SolarWinds’ stock price. Plaintiffs brought a derivative suit against the directors of SolarWinds, alleging that the attack resulted from the directors’ breach of their fiduciary duties of loyalty for failure to provide reasonable oversight, as established by the landmark case In re Caremark International Inc. Derivative Litigation (1996), of the company’s cybersecurity risks.
Ultimately, the Delaware Chancery Court granted the defendants’ motion to dismiss, ruling that the complaint failed to show a “substantial likelihood” that a majority of the board of directors for SolarWinds faced liability on the merits of the plaintiffs’ claim. The court rejected plaintiffs’ argument that the directors had acted in bad faith in failing to monitor the company’s cybersecurity risks. The court also ruled that it was unwilling to hold the directors liable for failure to monitor a business risk, noting that past cases have only found breaches in director duties of oversight in instances where a company’s directors filed to comply with “positive laws,” such as statutes and regulations regarding particular conduct. In light of these reasons, the court granted the defendants’ motion to dismiss.
The court’s decision in SolarWinds has implications for directors of all companies, as cybersecurity risks continue to arise and evolve. Given the growing risk of cybersecurity breaches, it is likely that more positive laws requiring companies to take certain actions and protection related to cybersecurity will be codified. As such, directors should remain diligent to ensure their companies monitor for applicable cybersecurity requirements, and ensure an appropriate oversight program is established and monitored, in order to avoid liability. In addition, while the court declined to find that lack of reporting to the full board of directors on cybersecurity matters arose to intentional disregard by the board of its oversight duties, the court characterized as “subpar” the reporting system between board committees and the full board. Thus, it is recommended that a regular system of reporting to the full board on cybersecurity matters should be considered.
[View source.]
