Board Oversight of Cyber Risk – A Matter of Personal Liability for Directors

Privacy Plus+

Privacy, Technology and Perspective

On November 3, 2021, a derivative lawsuit was filed in the Delaware Court of Chancery against certain former and current directors of SolarWinds, alleging, in a single-count Caremark complaint, “Breach of the Duty of Loyalty and Care through a Bad Faith Failure to Oversee SolarWinds’ Cybersecurity.” You can click on the following link to review the Complaint:

https://www.dandodiary.com/wp-content/uploads/sites/893/2021/11/SolarWinds-court-of-chancery-complaint.pdf 

SolarWinds Review: If you don’t immediately recall the enormous, paralyzing SolarWinds hack, you may review our past post on the subject by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/solarwinds-supply-chain-hack

Caremark Review: We’ve also written before about Caremark claims and the potential for personal cybersecurity liability for executives and boards of directors, and you can read one of those posts here:

https://www.hoschmorris.com/privacy-plus-news/privacy-and-cyber-liability

The Latest SolarWinds Lawsuit: The new Complaint against SolarWinds further crystallizes the exposure to personal liability that executives and members of boards may face when they are alleged to have failed to implement or oversee a reasonable system of monitoring over mission-critical operations, which in SolarWinds’ case allegedly included cybersecurity risks fundamental to its line of business.

While the Complaint itself is heavily redacted, two references in the Complaint stand out as they seem to indicate items on which the company may have fallen short –

  • SEC’s 2018 Cybersecurity Release. Starting at paragraph 60, the Complaint highlights the SEC’s 2018 Cybersecurity Release and its express requirement that public companies include “a description of how the board administers its risk oversight function.” The SEC’s guidelines require disclosure concerning (i) “the nature of the board’s role in overseeing the cybersecurity issues”; (ii) “how the board of directors engages with management on cybersecurity issues”; and (iii) the “company’s cybersecurity risk management program.”

  • NYSE’s 2015 Guidance. Starting at paragraph 64, the Complaint further highlights 2015 guidance issued by the New York Stock Exchange, entitled “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”, which is available here:

    https://www.securityroundtable.org/wp-content/uploads/2015/09/Cybersecurity-9780996498203-no_marks.pdf

    The guidance underscores the important role boards play in overseeing their companies’ cybersecurity, explaining that “[t]houghtful, well-planned director involvement in cybersecurity oversight” is a “critical part of a comprehensive [cybersecurity] program,” and, in fact, “[a]ctive, hands-on engagement by the executive team and the board is required. The risk is existential. Nothing is more important.”

While the standard historically applicable to Caremark claims is high, so are the stakes. According to SolarWinds’ most recent 10-K filing, the company is facing “numerous lawsuits and investigations,” including “[m]ultiple class action lawsuits” and “two shareholder derivative actions … asserting breach of duty and other claims against certain of our current and former officers and directors in connection with the cyberattack.”

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
