Prior posts here, here, here, and here concerned so-called “Caremark Claims” – a civil claim often brought by shareholders in the aftermath of Foreign Corrupt Practices Act scrutiny or an enforcement action.
In short, a corporate director’s duty of good faith has evolved over time to include an obligation to attempt in good faith to assure that an adequate corporate information and reporting system exists. In Caremark (a 1996 decision by the Delaware Court of Chancery – a trial court), the court held that a director’s failure to do so, in certain circumstances, may give rise to individual director liability for breach of fiduciary duty. In 2006, in Stone v. Ritter, the Delaware Supreme Court provided the following necessary conditions for director oversight liability under the so-called Caremark standard: (i) a director utterly failed to implement any reporting or information system or controls; or (ii) having implemented such systems or controls, a director failed to monitor or oversee the corporation’s operations.
Search for the terms “FCPA” and “Caremark” and you will find enough reading material to last the rest of the day. However, much of the analysis is thin, and “Caremark Claims” are not nearly the boogeyman that some FCPA commentators make them out to be.
A recent Delaware Court of Chancery opinion in the cybersecurity context highlights the difficulty of successfully pleading a “Caremark Claim.” As relevant to “Caremark Claims” in the FCPA context, the opinion notes that SEC guidance “does not establish positive law.”
The decision by Vice Chancellor Sam Glasscock begins:
“Nominal Defendant SolarWinds Corporation (the “Company”) was in the business of providing management software to its customers. Sometime in 2020, SolarWinds became the victim of a major crime. Per the complaint, Russian hackers were able to penetrate SolarWinds systems and insert malware, to the detriment of SolarWinds customers, ultimately damaging the value of the company itself. The Plaintiffs here, SolarWinds stockholders at the time of the trauma, allege that the Defendant corporate directors, a majority of whom were on the board at all times pertinent, failed to adequately oversee the risk to cybersecurity of criminal attack. They seek to hold the Defendants liable in damages.
Derivative claims against corporate directors for failure to oversee operations—so-called Caremark claims, once relative rarities—have in recent years bloomed like dandelions after a warm spring rain, largely following the Delaware Supreme Court’s opinion in Marchand v. Barnhill. The cases, superficially at least, seem easy to conjure up: find a corporate trauma; allege the truism that the board of directors failed to avert that trauma; and hey, presto! an oversight liability claim is born. They remain, however, one of the most difficult claims to cause to clear a motion to dismiss. That is also easy to understand. Directors are not liable under our corporate law for the most likely cause of operational loss, simple negligence. Nor, given the ubiquity of exculpation clauses, are the directors even liable for gross negligence in violation of their duty of care. And, of course, most corporate trauma, to the extent it represents a breach of duty at the board level, implicates the exculpated duty of care. To plead potential liability sufficient to cause directors to be unable to consider a demand and thus justify a derivative claim under Rule 23.1, therefore, the lack of oversight pled must be so extreme that it represents a breach of the duty of loyalty. This in turn requires a pleading of scienter, demonstrating bad faith—in then-Chief Justice Strine’s piquant formulation, a failure to fulfill the duty of care in good faith. In other words, an oversight claim is a flavor of breach of the duty of loyalty, which itself requires an action (or omission) that a director knows is contrary to the corporate weal. Historically, only utter failures by directors to impose a system for reporting risk, or failure to act in the face of “red flags” disclosed to them so vibrant that lack of action implicates bad faith, in connection with the corporation’s violation of positive law, have led to viable claims under Caremark.
This matter is before me on the Defendants’ Motions to Dismiss. Here, there is no credible allegation that the Company violated positive law. Instead, the Directors are accused of failing to monitor corporate effort in a way that prevented cybercrime. Of course, absent statutory or regulatory obligations, how much effort to expend to prevent criminal activities by third parties against the corporate interest requires an evaluation of business risk, the quintessential board function. Judicial post-hoc intrusion into the appropriate consideration of business risk, pre-trauma, is problematic, particularly where the demand is for damages and the directors are exculpated for gross negligence. Accordingly, this should be an easy action to resolve in favor of the Defendants. Many corporate decisions have implications for customers, no doubt. Nonetheless, I note that before me is a peculiar kind of business risk. Online software companies are dependent on their customers sharing access to the customer’s information. The resulting relationship is essential to the business of these companies. In light of the ubiquity of attempts by evildoers to breach the security of tech companies and their customers, disclosure obligations have been imposed by the SEC regarding board efforts to oversee cybersecurity, and at least one major stock exchange has promulgated cybersecurity guidelines. To use the shibboleth arising from Marchand, cybersecurity, for online service providers, is mission critical.
To what extent are the decisions or omissions of Directors reviewable under Caremark in such a scenario? I need not address that issue here, because, as pled, the director defendants here (1) are not credibly alleged to have allowed the company itself to violate law, (2) did ensure that the company had at least a minimal reporting system about corporate risk, including cybersecurity, and (3) are not alleged to have ignored sufficient “red flags” of cyber threats to imply a conscious disregard of a known duty, indicative of scienter. In other words, the directors failed to prevent a large corporate trauma, but the Plaintiffs have failed to plead specific facts from which I may infer bad faith liability on the part of a majority of the directors regarding that trauma. The defendants have moved to dismiss, and I conclude Rule 23.1 is unsatisfied. The motions to dismiss must be granted accordingly.”
Later in the decision, Vice Chancellor Glasscock states:
“The Plaintiffs have argued that a substantial likelihood of liability attaches to a majority of the demand Board based on either or both of what are colloquially referred to as prongs one and two of Caremark. That is, the Plaintiffs allege both that a majority of the demand Board utterly failed “to implement and monitor a system of corporate controls and reporting mechanisms” regarding cybersecurity, and that even if a monitoring system was in place, the directors failed to “oversee” such system of oversight in breach of their fiduciary duties because they overlooked “red flags” signaling corporate risk.
Plaintiffs in Caremark cases must “plead with particularity ‘a sufficient connection between the corporate trauma and the [actions or inactions of] the board.’” “A stockholder cannot displace the board’s authority simply by describing the calamity and alleging that it occurred on the directors’ watch.” The requirement of a connection between the Board and the corporate trauma at issue is at least one plausible reason that Caremark cases are generally brought in the context of violations of applicable laws. For example, in Marchand v. Barnhill, the corporate trauma suffered as a result of a listeria outbreak was—at least theoretically—within the company’s (and the directors’) control. That is, the board’s failure to institute a reporting and monitoring system allowing it to oversee the company’s compliance with positive-law regulation of food safety led to a pleading-stage inference of bad faith. Similarly, in Boeing, the Boeing board of directors, in their duties as overseers of corporate performance, failed to monitor compliance with airplane safety regulations at the board level, even after two fatal crashes.
The Plaintiffs plead that despite this juridical history of applying Caremark primarily to cases involving violations of positive law, oversight liability may be established even in the absence of such a violation. Here, the Plaintiffs ask me to find that oversight liability may attach to the Company’s alleged failure to sufficiently oversee risks related to efforts to avoid cybercrime by third parties—that is, business risk. Many Delaware cases have cautioned that whether Caremark should be applied to business risk remains an open question.
The Plaintiffs cite Firemen’s Retirement System of St. Louis on behalf of Marriott International, Inc. v. Sorenson in support of their argument. Sorenson is a recent Court of Chancery case that found Caremark to apply, at least hypothetically, to failure to monitor cybersecurity risks, reasoning that “corporate governance must evolve” as “legal and regulatory frameworks” do. But Sorenson did not address the question of whether an appropriate nexus existed between the corporate trauma—a cybersecurity breach—and the Board. And Sorenson specifically found that there was
no known illegal conduct, lawbreaking, or violation[] of a regulatory mandate alleged in the Complaint that could support a finding that the [] Board faces a substantial likelihood of liability for failed oversight . . . . The plaintiff in this action has not pleaded particularized facts that the [] Board knowingly permitted Marriott to violate the law.
Thus, despite the Sorenson court’s discussion of the increasing importance of cybersecurity, echoed in this decision, supra., Sorenson expressly looked to affirmative corporate illegality in assessing the substance of the Caremark claims. Sorenson ultimately suggests that even if lack of cybersecurity oversight might be an appropriate subject for a Caremark claim, a violation of law or regulation is still likely a necessary underpinning to a successful pleading. Unable to find one applicable to its facts, the court dismissed the complaint.
While no case in this jurisdiction has imposed oversight liability based solely on failure to monitor business risk, it is possible, I think, to envision an extreme hypothetical involving liability for bad faith actions of directors leading to such liability. What is not wholly clear to me is that cybersecurity incidents of the type suffered by SolarWinds and in Sorenson—involving crimes by malicious third parties—present a sufficient nexus between the corporate trauma suffered and the Board for liability to attach. Oversight liability caselaw focusing on the “connection” element is comparatively thin, with virtually all of the discussion centered around illegal acts by the company stemming from company (board or management) action or inaction. As the court in Sorenson aptly noted at the end of its analysis, the corporate trauma “that came to fruition was at the hands of a hacker. Marriott was the victim of an illegal act rather than the perpetrator.” So too with SolarWinds here. The pertinent question is not whether the Board was able to prevent a corporate trauma, here a third-party criminal attack. Instead, the question is whether the Board undertook its monitoring duties (to the extent applicable) in bad faith.
I need not resolve these open questions in order to address the pending motions, which can be adequately resolved via a traditional “two prong” Caremark analysis, in any event. I turn now to that analysis.
Caremark’s Doctrinal Underpinnings
At bottom, a meritorious Caremark claim demonstrates a breach of the duty of loyalty, by way of a failure by the directors to act in good faith. As Chancellor Allen wrote in Caremark itself, and as has been reaffirmed by our Supreme Court in Stone v. Ritter and Marchand v. Barnhill, a lack of good faith is a “necessary condition” to a finding of non-exculpated oversight liability. In Stone, the Delaware Supreme Court indicated that imposing oversight liability “requires a showing that the directors knew that they were not discharging their fiduciary obligations.”
[…]
Marchand v. Barnhill is the latest word in Delaware Supreme Court cases that substantively treat the Caremark doctrine. Marchand emphasizes again the requirement that directors act in a manner lacking good faith before a Caremark claim can be considered viable. That opinion notes that “[b]ad faith is established, under Caremark,” by way of either prong one, “when the directors completely fail to implement any reporting or information system or controls,” or via prong two, when directors, “having implemented such a system or controls, consciously fail to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” Per the Supreme Court in Marchand, “[u]nder Caremark, a director may be held liable if she acts in bad faith in the sense that she made no good faith effort to ensure that the company had in place any ‘system of controls.’” As I understand Marchand, the lack of a system of controls with respect to a particular incarnation of risk does not itself demonstrate bad faith; the lack of such system must be the result of action or inaction taken in bad faith. This distinction is heightened, I believe, in consideration of risk outside the realm of positive law.
Marchand does not undertake an analysis of bad faith under Disney or its progeny, despite the concept’s prominence in the opinion. As I read Marchand, directors must make a good faith effort to satisfy prongs one and two of Caremark. This interpretation is, I believe, bolstered by the opinion’s further statement that “[i]f Caremark means anything, it is that a corporate board must make a good faith effort to exercise its duty of care.” That is, directors cannot intentionally disregard their duties to be “informed of risks or problems requiring their attention,” because such intentional disregard would constitute bad faith supporting a Caremark claim. Marchand and the other caselaw discussed above thus demonstrate that it is necessary to assess a director’s good or bad faith in connection with a plaintiff’s allegations before an oversight liability claim can be deemed viable.”
Turning next to whether the SolarWinds directors acted in bad faith, Vice Chancellor Glasscock noted:
“The Plaintiffs allege that the directors behaved in a manner contrary to positive law, but this is not supported by the Complaint. The Complaint cites a number of “warnings” by government agencies and private companies. Its strongest fact is that the SEC in 2018 issued “new interpretive guidance” about disclosures around cybersecurity risks, including a statement that “[c]ompanies are required to establish and maintain appropriate and effective disclosure controls and procedures[,] including those related to cybersecurity[.]” While this guidance is certainly indicative of requirements regarding public company disclosures, it does not establish positive law with respect to required cybersecurity procedures or how to manage cybersecurity risks. NYSE—the stock exchange upon which SolarWinds is listed—has also promulgated a “guide” to cybersecurity, which the Complaint references, but this guide is also not positive law. The Plaintiffs did not plead that this guide was binding. In other words, the Plaintiffs have not alleged that “legal and regulatory frameworks” have “evolve[d]” with respect to cybersecurity, such that SolarWinds’s corporate governance practices must have followed.
The Complaint also does not plead with particularity that the SolarWinds directors intentionally acted with a purpose inimical to the corporation’s best interests and, so far as I can tell, the Plaintiffs do not attempt to put that argument forward here.
The last, best argument available to the Plaintiffs in this action is that the directors demonstrated a conscious disregard for their duties by intentionally failing to act in the face of a known duty to act, either by ignoring red flags so vibrant that scienter is implied, or by utterly failing to put into place a mechanism for monitoring or reporting risk. The Complaint discusses in considerable detail the actions and inactions of the SolarWinds Board and various Board committees with respect to cybersecurity, and I take all of the allegations in the Complaint as true, given the procedural posture here. Again, the Plaintiffs are also entitled to the benefits of all reasonable inferences at this stage.
But even with this plaintiff-friendly tailwind, the Complaint does not clear the high hurdle of pleading scienter with particularity. To establish that the directors acted in bad faith, a predicate to oversight liability, the Plaintiffs must make out a particularized allegation of facts from which I may infer scienter on the part of the directors. To the extent the Plaintiffs argue that I should infer scienter exists due to a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists,” or lack of action in the face of “red flags” manifesting a duty to act, I find that such an inference would not be reasonable here.
[…]
Certainly, the actions (or omissions) of the Committees in carrying out their oversight duties here appear in hindsight far from ideal. I agree fully with the Sorenson court that good corporate practice requires director consideration of potential risks to customers; particularly so, perhaps, regarding cybersecurity. That does not mean the actions of the Committees, as pled, imply scienter supporting bad faith. Even if the acts of the Committees did implicate bad faith, those actions would not necessarily implicate the directors not serving therein. Having delegated oversight of risk to two non-sham, functioning Committees, the failure of those Committees to make a Board presentation on a particular risk in a particular year, without more, does not to my mind give rise to an inference that the Board intentionally disregarded its oversight duties in bad faith. The fact that the Board did not receive reports from the Committees with respect to cybersecurity over a 26-month period, I may infer, should have been, to a prudent director, of concern, but failure to demand a presentation, without facts pled implying that the directors were aware of a failure of Committee duties, does not implicate bad faith—instead, it goes to the duty of care, not loyalty. It is not indicative of an utter failure of reporting and control for the Board to delegate risk assessment to the Committees, and then fail to demand an accounting of a particular business risk. As this Court noted in Boeing, the “‘intentional dereliction of duty’ or ‘conscious disregard for one’s responsibilities’ . . . ‘is more culpable than simple inattention or failure to be informed of all facts material to the decision,’” instead requiring that “directors have acted in bad faith and cannot avail themselves of defenses grounded in a presumption of good faith” to raise the inference of liability. Here, inferences cannot take the Plaintiffs from inattention to intentional dereliction.
To recapitulate, a subpar reporting system between a Board subcommittee and the fuller Board is not equivalent to an “utter failure to attempt to assure” that a reporting system exists.
[…]
Carelessness absent scienter is not bad faith. In sum, the Complaint has not pled sufficient particularized facts to support a reasonable inference of scienter and therefore actions taken in bad faith by the Board.”