Caremark Liability for Materially Misleading Cybersecurity Disclosures: SolarWinds Reconsidered

Jennifer Arlen is a Professor of Law at New York University School of Law. This post is based on her recent paper, and is part of the Delaware law series; links to other posts in the series are available here.

Delaware’s Caremark doctrine requires directors to exercise oversight over legal risks and imposes personal liability for corporate traumas caused by legal violations on directors who knowingly breach those duties or utterly fail to attempt to carry them out. Duties and the threat of liability are heightened in the case of a Mission Critical Legal Risk (MCLR). Yet to date Delaware judges have consistently dismissed Caremark claims against directors for poor oversight of a mission critical risk: cybersecurity. The reason is simple. Caremark oversight duties and liability apply to legal risk. Poor corporate cybersecurity often is a mission critical business risk, but generally does not violate the law.

In a forthcoming article, I show that directors nevertheless can be held liable under Caremark for corporate trauma triggered by inadequate cybersecurity in an important class of cases. Specifically, directors should face potential liability under Caremark when the company had inadequate cybersecurity that risked (and later caused) substantial harm to business and government agency customers, and violated the law before the malicious cyber-event by knowingly making materially misleading statements designed to defraud those customers into believing that the company’s cybersecurity systems and practices were materially better than they were, provided that these lies constituted a MCLR for the company. Directors in such circumstances should be liable for all corporate trauma caused by their breach of their oversight duties, including losses from customer flight as well as litigation costs and sanctions arising from securities fraud cases predicated on the materially misleading statements to customers. I show that the derivative plaintiffs in the SolarWinds case likely would have avoided dismissal had they predicated their claims on the corporate trauma to SolarWinds from the confluence of its materially misleading statements about its cybersecurity, its apparent cybersecurity deficiencies, and the cyber-hack it suffered.

I. Corporate Misleading Statements about Cybersecurity

Malicious cyber-events pose a substantial threat to companies, their shareholders and customers, and society at large. Effective cybersecurity can deter them. Yet many companies have not taken the steps necessary to adequately deter threat actors. Deficiencies can be found even in software companies, cloud providers, manufacturers of hospital equipment, and other companies whose products and services, if insecure, could leave multinational companies, government agencies, hospitals and financial institutions vulnerable to a malicious cyber-event.

The U.S. generally does not regulate cybersecurity quality, relying instead on market forces to induce companies to adopt effective cybersecurity. But market forces are not effective if companies lie about their cybersecurity systems and practices. Federal and state laws contain multiple provisions that effectively prohibit companies from making materially misleading statements to private and/or public sector customers about the expected quality or risks of the company’s products or services. These laws include the mail fraud, wire fraud, false statements and False Claims Act statutes, and Section 5 of the FTC Act. Inducing adherence to these laws is vital to strong cybersecurity.

Unfortunately, corporate criminal enforcement alone does not suffice to deter corporate fraud, for two reasons. First, companies often can expect to profit from fraud, including fraud relating to cybersecurity, because the benefits are high and the probability of being caught and sanctioned is low. Lying about cybersecurity quality can be particularly profitable for fast-growth companies whose products or services could put other companies in peril, since good cybersecurity is resource intensive. Second, management can benefit even when the company does not, either through the compensation and job security that flow from the misleading statements or through other benefits of weak compliance.

Both considerations appear to be at play in SolarWinds. SolarWinds makes software that integrates into the IT systems of its customers, including national and multinational companies and federal government agencies, so that allegedly weak cybersecurity at SolarWinds placed those customers in peril from hackers. Although cybersecurity was mission critical to SolarWinds, the company allegedly failed to follow many, if not most, of the accepted best practices set forth in the National Institute of Standards and Technology Cybersecurity Framework (the “NIST” framework). Nevertheless, in a bid to attract customers, the company put a security statement on its website claiming to follow NIST protocols, a statement its author allegedly knew was materially misleading. Russian hackers took advantage of SolarWinds’ weak cybersecurity and planted malicious code in its software, code that its customers, including the Department of Defense, subsequently installed when they deployed SolarWinds products. When the hack was revealed, customers fled and the SEC and state authorities filed enforcement actions. The stock initially lost 40% of its value; as of October 2024 the stock price was down 60% from where it was five years earlier. It does not appear that the board of directors ascertained whether the company’s systems conformed to the promises the company made to customers, promises whose breach harmed SolarWinds’ customers, and later SolarWinds itself.

II. Caremark’s Potential When Fraudulent Cybersecurity Disclosure is a MCLR

Delaware’s Caremark doctrine provides an important supplement to corporate criminal liability, imposing duties and liability that can increase the likelihood that the company detects, and the directors learn about, legal violations. Director liability is important because directors control the resources that help determine the effectiveness of the compliance function. Directors also are less likely than management to have conflicts of interest when deciding whether to comply with their legal duty to terminate detected misconduct.

Caremark duties and liability are only effective, however, in situations where lying to customers about cybersecurity quality constitutes a potential mission critical legal risk for the company. Otherwise the duties imposed by Caremark are so minimal and non-specific that directors can avoid liability by showing only minimal attention to legal compliance. With respect to mission critical legal risks the situation changes. In this context, Delaware imposes enhanced and specific duties on directors to set up systems and exercise oversight over the MCLR. Specifically, directors must determine which committee of the board is responsible for overseeing the MCLR, and establish procedures that require management to report compliance deficiencies and suspected violations of MCLR laws to those directors. In turn, the responsible directors must ensure that management does report to them on deficiencies in the company’s compliance function and on suspected violations of the MCLR. They also must assume primary authority over investigations into detected misconduct. These enhanced duties are all designed to ensure that directors, and not just management, are informed about compliance deficiencies and detected misconduct relating to the MCLR, and oversee the resulting investigations. This information-channeling effect of Caremark should help deter violations by shifting control from managers, who are more likely to obtain private benefits from misconduct or to face termination, demotion, or sanction when it is revealed, to directors, who have less to lose from revelation of misconduct and face personal liability under the Massey prong of Caremark if they fail to terminate it.

Delaware has not provided specific guidance, however, on precisely which legal risks trigger enhanced oversight duties. Analysis of the cases reveals that the critical factor is whether the legal violation could cause egregious long-run harm to the firm, generally through loss of future revenues. Legal violations can impair future revenues if the resulting harm may trigger substantial customer flight, or if the violation may prompt regulators to intervene to limit future sales, for example through debarment, exclusion, delicensing, product recalls, or plant closings.

Many, if not most, materially misleading statements about cybersecurity do not constitute mission critical risks because they relate to protections for the types of personally identifiable information that customers assume are already on the dark web, such as name, address, phone number and social security number. Yet there are predictable situations in which lying to customers about cybersecurity can constitute a MCLR. Such lies are likely to constitute a MCLR when weak cybersecurity at the company could cause substantial harm to large institutions, such as business or government customers, whose own welfare depends on protecting themselves from malicious cyber-events. In such cases, cybersecurity quality is a mission critical business risk, and knowing materially misleading statements to institutional customers are likely to be a mission critical legal risk, because the confluence of the company’s weak cybersecurity, the attack, and the lies is likely to drive away customers who might have stayed but for the company’s dishonesty.

Companies that lie to customers risk greatly exacerbating the customer flight a cyber-attack may trigger, because customers substantially harmed by the company’s deficient cybersecurity are more likely to flee if they learn the company lied to them and thus cannot be trusted to protect them in the future. Materially misleading statements also can cause ongoing harm if they trigger regulatory interventions that threaten future revenues. This threat is particularly great in the case of materially misleading statements about cybersecurity made to government agencies.

Directors of companies for which defrauding customers about cybersecurity constitutes a MCLR are subject to multiple duties. They must ensure that the company adopts compliance protocols for its cybersecurity disclosures that are designed to ensure the accuracy of those disclosures and that require management to report regularly to the appropriate unit of the board on any deficiencies in the oversight systems and any potential instances of materially misleading cybersecurity disclosures. The directors must in fact engage in ongoing oversight of the veracity of the company’s cybersecurity disclosures to customers, including by ensuring that management reports to the board, on an ongoing basis, on any material deficiencies in the cybersecurity disclosure oversight systems and on any detected materially misleading disclosures that could constitute a mission critical risk. Inevitably, this will entail asking the executives in charge of information security to review the company’s public statements and contractual obligations against its actual systems and practices, to report on their veracity, and specifically to highlight any materially misleading statements. Should the board receive a report of a red flag, directors must exercise direct oversight of the investigation and cannot simply delegate it to management. Finally, upon learning of any materially misleading statements, directors’ Massey duties are triggered: they must terminate the violation, either by correcting the statements or by bringing the company’s cybersecurity into compliance with its pronouncements.

Directors of companies subject to these duties should be motivated to improve the quality of both the company’s cybersecurity disclosures and its cybersecurity systems and practices themselves, since companies for which cybersecurity is mission critical rarely can thrive in the market if they honestly disclose that their cybersecurity is deficient.

Directors who breach these duties in bad faith risk being held liable for the corporate trauma caused by their breach. This can include the harm to the company from customer flight and regulatory interventions. It also can include litigation, liability and enforcement costs from actions arising from the materially misleading statements to customers, including SEC enforcement actions and securities fraud class actions predicated on materially misleading statements made to customers that also reached the securities markets.

III. SolarWinds Revisited

With this framework in mind, we can now reconsider SolarWinds. Based on the SEC complaint, it would appear that SolarWinds made materially misleading statements about its cybersecurity, including statements about the very features of its systems that enabled the hack, to both business customers and government agencies. If true, the company’s statements violated multiple laws, possibly including the False Claims Act. It also appears that it was mission critical for SolarWinds to avoid defrauding its customers about its cybersecurity, given the nature of its clients and the risks they faced from using SolarWinds’ products. Such lies risked undermining customer trust, and thereby triggering massive customer flight should SolarWinds suffer a hack that harmed customers, as appears to have happened. Lies to the government also risked SolarWinds being excluded from vital future contracting with the affected federal agencies. The effects could be, and were, calamitous.

Given this, the SolarWinds directors likely should be subject to enhanced Caremark duties to oversee the veracity of the company’s cybersecurity disclosures. In that case, derivative plaintiffs would need only to show that the directors did not require management to report to them on whether the company’s public statements were materially misleading, and did not seek out the company’s own audits of its systems, which would have informed the board about material deficiencies. This would leave the board liable for the resulting corporate trauma, including customer flight as well as litigation and enforcement actions predicated on the materially misleading statements to customers, including those brought under the securities laws.

Cases like this would induce directors of companies for which cybersecurity quality is mission critical to the company and its customers to attend both to the accuracy of the company’s disclosures and to the company’s cybersecurity itself, to the benefit of the company and society.

Moreover, the claim that materially misleading statements to customers can constitute a mission critical legal risk subjecting directors to enhanced oversight duties is not limited to cybersecurity. It should extend to multiple health and safety contexts as well, to the benefit of companies and society.