November 29, 2022

Caremark Liability: SolarWinds Dismissal Shows It’s Still a High Bar

John blogged a few months ago about lessons for boards from recent Delaware cases. A recent Fried Frank memo layers on the Court of Chancery’s recent dismissal of Caremark claims in a derivative suit against SolarWinds’ directors, relating to the massive cyber attack that occurred at that company two years ago and the 40% tumble in the company’s stock price that followed the incident. Here’s an excerpt with key takeaways:

This is the second Delaware decision in the past year to address a board’s oversight duties under Caremark with respect to cybersecurity risk. In both cases (the other being Sorenson, relating to the hacking of Marriott’s hotel reservation system), Caremark claims were asserted following a cybersecurity attack by third party hackers that exposed customers’ personal information. In both cases, the court dismissed the Caremark claims and reaffirmed that—notwithstanding a recent increase in Caremark claims following corporate traumas—it remains very difficult for a plaintiff to succeed on a Caremark claim. The court emphasized in both cases that a board’s failure to prevent a corporate trauma is not sufficient for liability under Caremark unless the failure was due to “bad faith” by a majority of the directors.

The court found that the board’s inattention to cybersecurity issues and “subpar” system for reporting and monitoring cybersecurity risk did not, without more, indicate “bad faith.” The board allegedly: did not receive relevant information from the committees with responsibility for cybersecurity; did not discuss cybersecurity even once in the two years leading up to the Sunburst attack; and ignored warnings about cybersecurity deficiencies. The court found no implication of bad faith, however, as the board: “did not allow the company itself to violate law”; “did ensure that the company had at least a minimal reporting system about corporate risk, including cybersecurity”; and did not “ignore[] sufficient ‘red flags’ of cyber threats to imply a conscious disregard of a known duty, indicative of scienter.”

Notwithstanding the dismissal of the case, the court’s opinion underscores the need for boards to implement appropriate systems to monitor and address cybersecurity risk. The court acknowledged the growing and consequential risks posed by cybersecurity threats. Indeed, the court characterized cybersecurity as a “mission-critical” risk for online providers, as they rely on customers sharing with them access to their personal information.

The memo takes a look at key facts that were relevant to the court’s decision to dismiss this case, and provides additional practice pointers specific to boards & to management.

Lest anyone get too carried away with celebrating this dismissal, it’s important to remember that derivative suits are only one flavor of liability. SolarWinds reported on a Form 8-K last month that it had settled a securities class action, also arising out of the December 2020 cyber incident, for $26 million. This blog from ISS Securities Class Action Services summarizes that complaint – and notes that the SEC may also be considering an enforcement action against the company.

Cybersecurity oversight continues to be a hot-button issue for the SEC’s disclosure initiatives as well – making an appearance in the Strategic Plan that I blogged about yesterday. All of this adds up to a topic that boards cannot ignore. For an additional resource, check out Dave’s 21-minute podcast about cybersecurity exposure preparedness for directors.

Liz Dunshee