The Delaware Chancery Court’s recent opinion in Construction Industry Laborers Pension Fund et al. v. Bingle et al., C.A. No. 2021-0494-SG (Del. Ch.) dismissing claims asserted against members of SolarWinds Corporation’s (“SolarWinds” or the “Company”) board of directors supplies instructive guidance on the scope and limits of directorial liability for alleged failure to oversee corporate operations.

Background

SolarWinds is a leading provider of information technology management software and solutions. The Company’s client list includes virtually all of the Fortune 500 and numerous U.S. government agencies. In 2020, Russian special services executed a cyberattack on SolarWinds to implant malware known as “Sunburst” in the Company’s flagship Orion software, ultimately seeking to target the systems of SolarWinds’ Orion clients. The Sunburst attack has been called the “most sophisticated” cyberattack in history.

Following the announcement of the Sunburst attack in December 2020, the Company found itself targeted in a number of governmental investigations and shareholder lawsuits. A putative derivative action filed in the Delaware Court of Chancery alleged claims seeking to hold SolarWinds’ directors liable for alleged damages to the Company purportedly flowing from the board’s failure to adequately oversee cybersecurity risks—a so-called Caremark [1] claim.

Defendants filed motions to dismiss the complaint on various grounds, including that plaintiffs failed to plead, with the factual particularity required under Delaware law, that a pre-suit demand upon SolarWinds’ board to bring the claims was legally excused as “futile” because a majority of the Company’s directors could not have exercised their business judgment with regard to such a demand. Vice Chancellor Sam Glasscock, III agreed that plaintiffs failed adequately to plead demand futility, and therefore dismissed the complaint.

The Court’s Ruling

The Court began by noting the high bar a shareholder asserting a Caremark claim must clear to avoid dismissal at the pleading stage. Where, as with SolarWinds, a corporation’s charter includes provisions authorized under Delaware General Corporation Law Section 102(b)(7) exculpating directors from liability for acts of gross negligence, the complaint must plead facts establishing bad faith—i.e., “an action (or omission) that a director knows is contrary to the corporate weal.” [2] In the context of a Caremark claim, pleading such bad faith typically requires allegations establishing that the directors either (1) utterly failed to establish any system for board-level reporting of risk or (2) failed to act in the face of known “red flags.” [3] Further, as the Court observed, Caremark claims have, historically, been found viable only “in connection with the corporation’s violation of positive law.” [4]

Plaintiffs did not allege that SolarWinds violated any laws. Instead, plaintiffs urged the Court to find that Caremark liability might attach to the board’s alleged failure to oversee risks relating to cybercrimes that third parties might seek to commit against SolarWinds. [5] The Court noted that the question of whether directors of Delaware corporations may face liability under Caremark for failing to monitor such business risks—as opposed to corporate compliance with applicable laws—remains undecided. [6] Although the Chancery Court’s recent opinion in another derivative action arising from a cyberattack on Marriott International, Inc. had entertained the possibility that failure to monitor cybersecurity risks could give rise to Caremark liability, the Court dismissed the claims against Marriott’s board, noting that there was “no known illegal conduct, lawbreaking, or violation[] of a regulatory mandate alleged in the Complaint that could support a finding that the [] Board faces a substantial likelihood of liability for failed oversight.” [7] In Construction Industry Laborers, Vice Chancellor Glasscock observed that, while it might be possible to “envision an extreme hypothetical” in which bad faith failure to monitor business risk could give rise to Caremark liability, it is unclear whether cybersecurity attacks perpetrated by malicious third parties “present a sufficient nexus between the corporate trauma suffered and the Board for liability to attach.” [8] Ultimately, the Court concluded it need not decide that question, as the claims before it instead could be resolved via a “traditional ‘two prong’ Caremark analysis.” [9]

The Court began its analysis with Caremark’s second prong—examining plaintiffs’ allegations that SolarWinds’ board acted in bad faith by purportedly ignoring “red flags” pertaining to cybersecurity risks. [10] The Court found these allegations wanting. The Court rejected plaintiffs’ allegations that a cybersecurity briefing presented to the board’s Nominating and Governance Committee (“NGC”) was a red flag that was ignored. [11] Where the presentation warned of cybersecurity threats and risks but “was not indicative of an imminent corporate trauma,” the Court held that (1) the presentation was not a “red flag” at all, but rather an instance of board-level oversight; and (2) the complaint failed to plead that the presentation “made action by the Board necessary.” [12] The Court also quickly dispensed with allegations about other supposed “red flags”—including concerns allegedly raised by a former employee and allegations about use of a weak password—that plaintiffs failed to plead were brought to the board’s attention during the relevant period. [13]

Next, the Court addressed what it characterized as plaintiffs’ “stronger argument”—that the above and other allegations pled in plaintiffs’ complaint alleged the absence of an effective reporting system subjecting SolarWinds’ directors to liability under prong one of Caremark. [14] Central to plaintiffs’ argument in this regard was the allegation that SolarWinds’ board—as a whole—did not receive any briefing on cybersecurity risk during a roughly two-year period preceding the announcement of the Sunburst attack. [15] The complaint acknowledged, however, that the charters of both the Company’s Audit Committee and NGC charged those committees with responsibility for oversight of cybersecurity matters, and expressly acknowledged that the NGC had received a cybersecurity briefing from management in February 2019. [16] Accordingly, the Court determined that the critical “question is whether I can infer that the Committees’ failure to report to the Board regarding cybersecurity risk over a period of 26 months … was reflective of bad faith, on the part of a majority of directors.” [17]

The Court found any such inference unwarranted where the complaint gave no indication that either of the committees to which oversight responsibility had been delegated were “sham” committees, and the complaint affirmatively pled that the NGC met and discussed cybersecurity during the relevant period. [18] Further, in the absence of particular fact allegations concerning the committees’ alleged “awareness of a particular [cybersecurity] threat, or understanding of actions the Board should take,” the allegation that neither committee reported to the full board on cybersecurity risk during the period in question failed to implicate bad faith. [19] The Court noted that board committees delegated oversight responsibility must “exercise business judgment in determining what issues should be brought from the subcommittee to the full Board.” [20] More to the point, the Court reasoned that “[h]aving delegated oversight of risk to two non-sham, functioning Committees, the failure of those Committees to make a Board presentation on a particular risk in a particular year, without more, does not to my mind give rise to an inference that the Board intentionally disregarded its oversight duties in bad faith.” [21] As the Court succinctly put it: “It is not indicative of an utter failure of reporting and control for the Board to delegate risk assessment to the Committees, and then fail to demand an accounting of a particular business risk.” [22]

Having concluded that the complaint failed to plead facts supporting a reasonable inference of bad faith by SolarWinds’ directors, the Court held that plaintiffs’ Caremark claim was “not viable,” and therefore that plaintiffs had failed to plead that a majority of the board faced a substantial likelihood of liability excusing plaintiffs’ failure to make a pre-suit demand. Accordingly, the Court dismissed the complaint.

Key Takeaways

The Construction Industry Laborers opinion reaffirms that viable Caremark claims must be predicated on allegations of particular facts indicating bad faith. The decision confirms that directors who have ensured that a board-level reporting system is in place do not face liability under prong one of Caremark, and that it is entirely appropriate to delegate responsibility for oversight of particular risks to a board committee. The opinion also reinforces the premise that, for Caremark prong two purposes, purported “red flags” must signal concrete and, in the Court’s words, “imminent corporate trauma”—theoretical warnings about potential risks are not “red flags.” [23] The Court’s decision left for another day the question of whether Delaware directors might, under some circumstances, face Caremark liability for alleged bad faith failure to oversee business risks arising from malicious acts by third parties, as opposed to alleged legal or regulatory violations by the companies those directors serve.

Endnotes

1In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996).(go back)

2Construction Industry Laborers Op. at 2.(go back)

3Id.(go back)

4Id. (emphasis in original).(go back)

5Id. at 17.(go back)

6Id. (citing cases).(go back)

7Firemen’s Ret. Sys. of St. Louis ex rel. Marriott Int’l, Inc. v. Sorenson, 2021 WL 4593777, at *11–12 (Del. Ch. Oct. 5, 2021).(go back)

8Construction Industry Laborers Op. at 18–19.(go back)

9Id. at 20.(go back)

10Id. at 26–28.(go back)

11Id. at 27.(go back)

12Id.(go back)

13Id. at 27–28.(go back)

14Id. at 28–36.(go back)

15Id. at 28.(go back)

16Id. at 29–31.(go back)

17Id. at 31.(go back)

18Id. at 31–32.(go back)

19Id. at 32–33.(go back)

20Id. at 33.(go back)

21Id. at 34 (emphasis in original).(go back)

22Id.(go back)

23Id. at 27.(go back)