SolarWinds: Caremark liability rejected in cybersecurity oversight claim Corporate / M&A Decisions update series | Hogan Lovells

In 2020, SolarWinds Corporation, which sells information technology management software, was the victim of a cyberattack by Russian hackers. The attack implanted malware in SolarWinds’s software in an attempt to target SolarWinds’s clients, which included Fortune 500 companies and U.S. government agencies such as the Department of Homeland Security and the Department of Defense. After public disclosure of the attack, SolarWinds’s stock value plunged nearly 40 percent. SolarWinds stockholders filed a derivative suit against SolarWinds’ corporate directors, alleging they “failed to adequately oversee the risk to cybersecurity of criminal attack.”

The Delaware Court of Chancery dismissed the complaint for failing to plead specific facts sufficient to create an inference of bad faith on the part of a majority of the directors.

The court explained that the plaintiffs’ Caremark claim – a derivative claim against corporate directors for failure to oversee operations – was “a flavor of breach of the duty of loyalty, which itself requires an action (or omission) that a director knows is contrary to the corporate weal.” The court further explained that, historically, only violations of positive law have led to viable claims under Caremark. 

The court found that “cybersecurity, for online service providers, is mission critical,” but noted that guarding against cybercrimes was a business risk, not an action associated with ensuring a corporation’s compliance with “positive law.” The court noted that whether Caremark liability can exist for failure to oversee business risk remains an open question in Delaware law, but added that “a violation of law or regulation is still likely a necessary underpinning to a successful pleading.” The court did not resolve this issue, however, because it found the plaintiffs’ allegations insufficient to support an inference that the directors acted in bad faith or with intent to harm the corporation, as would be required to state a viable Caremark claim.

Court of Chancery Rule 23.1 requires that stockholders seeking to bring a derivative suit first make demand for directors to act. Failure to make a demand is only excused when the plaintiffs can plead facts sufficient to establish an inference that demand would be futile. Here, the plaintiffs made no demand. To survive a motion to dismiss, therefore, the court explained that the plaintiffs had to show that at least half of the directors were substantially likely to be liable under their Caremark theory of liability.

The plaintiffs’ alleged that a majority of directors faced a substantial likelihood of liability under both prong one and prong two of Caremark. They alleged that the majority of the board failed to implement and monitor a system of reporting and controls for cybersecurity (Caremark prong one) and that, even if such a monitoring system was in place, the directors failed to sufficiently oversee it because they overlooked “red flags” that signaled risk (Caremark prong two).

The court explained that, to avoid Caremark liability, the directors must have made a good faith effort to satisfy prongs one and two of Caremark. And therefore it was “necessary to assess a director’s good faith or bad faith in connection with a plaintiff’s allegations before an oversight liability claim can be deemed viable.” Bad faith could be shown through a director (i) acting with a purpose other than the best interests of the company, (ii) intending to violate positive law, or (iii) failing to act in the face of a known duty to act.

The court found that the plaintiffs had not alleged that the directors (i) acted intentionally with a purpose other than the best interests of the company; (ii) violated positive law; or (iii) failed to act in the face of a duty to act. The court rejected the plaintiffs’ arguments that various events – a cybersecurity briefing, cybersecurity presentation, and third-party email – were red flags that manifested a duty to act, finding that these incidents indicated the potential lack of an effective reporting system, not allegations supporting an inference of bad faith.

Comments are closed.