In the past weeks, we’ve reported that while most companies are properly disclosing their exposure to cybersecurity threats, the increasing occurrence and severity of cyber attacks has the SEC considering even more stringent cybersecurity disclosure requirements. Now, another study reports that while 38% of Fortune 500 companies have disclosed that a potential cyber event would “adversely” impact their business, only six percent of those companies purchase cyber security insurance.
What of the other 94%? Should they be doing more to protect themselves against the growing cyber threat? Do their directors have a fiduciary obligation to do more?
In re Caremark International Inc. Derivative Litigation, a Delaware decision from 1996, sets forth a director’s obligations to monitor against threats such as cyber attacks. In short, as long as a director acts in good faith, as long as she exercises proper due care and does not exhibit gross negligence, she cannot be held liable for failing to anticipate or prevent a cyber attack. However, if a plaintiff can show that a director “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities,” it could give rise to a claim for breach of fiduciary duty.
As Delaware courts have repeatedly held, a Caremark claim is possibly the most difficult theory in corporations law upon which a plaintiff might hope to win a judgment. To succeed, a plaintiff must establish:
• The existence of facts suggesting that the board knew that internal controls were inadequate and could leave room for materially harmful behavior, and
• That the board chose to do nothing about the control deficiencies that it knew existed.
Put another way, the plaintiff must be able to show a “sustained or systematic failure of the board to exercise oversight.” While this standards are strict, one could easily envision a situation whereby a company suffers a serious cyber attack and then, months later, suffers another. The board surely knew of the first attack and knew of the damage it caused the company, so to the extent a plaintiff could show the board’s response was insufficient – to the extent a plaintiff could show the board ignored the “red flag” of the prior attack – a claim could arise.