Recently we discussed whether directors of public companies face potential liability for not preventing cyber attacks. As we discussed, the answer is generally no, because absent allegations to show a director had a “conscious disregard” for her responsibilities, directors do not breach their fiduciary duties by failing to properly manage and oversee the company.
That well-established rule was again affirmed last week by the Delaware Court of Chancery in In re China Automotive Systems Inc. Derivative Litigation, a case that concerned an accounting restatement by a Chinese automotive parts company. Plaintiffs there alleged that the company’s directors breached their fiduciary duties by failing to manage and oversee the company’s accounting practices and the company’s auditors, who improperly accounted for certain convertible notes from 2009 to 2012. When the error was uncovered, the company restated its financials for two years and its stock price dropped by 15%. READ MORE
In the past weeks, we’ve reported that while most companies are properly disclosing their exposure to cybersecurity threats, the increasing occurrence and severity of cyber attacks has the SEC considering even more stringent cybersecurity disclosure requirements. Now, another study reports that while 38% of Fortune 500 companies have disclosed that a potential cyber event would “adversely” impact their business, only six percent of those companies purchase cyber security insurance.
What of the other 94%? Should they be doing more to protect themselves against the growing cyber threat? Do their directors have a fiduciary obligation to do more?
In re Caremark International Inc. Derivative Litigation, a Delaware decision from 1996, sets forth a director’s obligations to monitor against threats such as cyber attacks. In short, as long as a director acts in good faith, as long as she exercises proper due care and does not exhibit gross negligence, she cannot be held liable for failing to anticipate or prevent a cyber attack. However, if a plaintiff can show that a director “failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities,” it could give rise to a claim for breach of fiduciary duty. READ MORE