In 2020, SolarWinds Corp., a provider of information technology software to private and government agencies, suffered a cybersecurity breach. Russian hackers are believed to have incorporated malicious code into a SolarWinds software product called Orion, which was then used to infect and potentially compromise SolarWinds customers. As a result, SolarWinds has been subject to litigation, including a derivative action in the Delaware Court of Chancery, Construction Workers’ Pension Fund v. Bingle.
Shareholders then filed a lawsuit against SolarWinds’ board, alleging that it failed to oversee the company’s cybersecurity risks. The Bingle plaintiffs, SolarWinds shareholders, alleged that the defendant directors breached their duty of loyalty by failing to adequately prevent the 2020 breach. Among other things, plaintiffs alleged that the board ignored warnings about cybersecurity flaws.
After careful consideration of the plaintiffs’ arguments, the court concluded that dismissal was proper under Court of Chancery Rule 23.1. The gist of the rule is that shareholders alleging wrongdoing that has harmed the company must first demand that the board investigate the matter before filing suit, or else satisfy strict pleading standards to excuse that demand. These standards require plaintiffs to plead particularized facts supporting a reasonable inference that a majority of the directors deliberately neglected their duties over an extended period, so that demanding that the board investigate the problem first would be futile.
In holding that the Bingle plaintiffs had not adequately pleaded demand futility, the court explained that under Delaware law, “the pertinent question is not whether the board could have prevented corporate trauma due to a third-party criminal attack. Instead, the question is whether the board (to the extent applicable) acted in bad faith in its oversight duty.” Bad faith requires a qualitatively different and more culpable act than the one that gives rise to a negligence-based breach.
Stated another way, plaintiffs must plead particularized facts showing that the directors had “actual or presumed knowledge that their conduct was legally improper.” They can do so by showing that the directors (i) violated positive law (i.e., laws or regulations mandating certain actions); (ii) intentionally acted against the best interests of the enterprise; or (iii) consciously disregarded their duties, either by ignoring red flags so vivid that scienter can be inferred, or by failing entirely to put in place mechanisms to monitor or report risks. The court considered each of these in turn, beginning with the plaintiffs’ allegation that the board had violated positive law.
Violation of positive law
In support of their claim that the board acted contrary to positive law, plaintiffs relied, among other things, on the Securities and Exchange Commission’s 2018 interpretive guidance stating that “[c]ompanies must establish and maintain appropriate and effective disclosure controls and procedures[,] including those related to cybersecurity[.]” The court said that while the guidance does set disclosure requirements for publicly traded companies, it does not establish clear law on cybersecurity procedures or on how to manage cybersecurity risks. The court stressed that plaintiffs pleading an oversight failure must demonstrate a “sufficient connection between the corporate trauma and the actions or inactions of the board,” and that in the Delaware courts this connection has been satisfied only where the board fails to oversee compliance with positive law and the company then violates that law. As the court observed, “no case in this jurisdiction has imposed oversight liability solely on the basis of a failure to monitor business risk, as opposed to a failure to monitor a company’s compliance with positive law.” Leaving open the question of whether board liability may be based on a failure to oversee business risks (such as cybersecurity risks), the court ruled that plaintiffs had not adequately pleaded a violation of positive law with respect to SolarWinds’ corporate governance practices.
Intentional acts with a purpose contrary to the company’s interests
Turning to the second prong, the court found that the plaintiffs had not pleaded it with particularity, because the complaint did not allege that the board acted intentionally for purposes contrary to the company’s best interests.
Ignoring red flags or lack of an effective reporting system
Considering the third prong, the court quickly dismissed the plaintiffs’ claim that the board ignored red flags. First, the court rejected the contention that a cybersecurity briefing presented to the board’s Nominating and Governance Committee (“NGC”) was an ignored red flag. According to the court, the presentation warned of cybersecurity threats and risks but “did not indicate impending corporate trauma.” Far from being a “red flag,” the presentation was an example of board-level oversight; moreover, the complaint did not allege that the presentation “required action by the board.” The court also declined to credit the other matters plaintiffs characterized as “red flags,” noting that plaintiffs failed to allege that these were presented to the board during the relevant period.
The court next addressed plaintiffs’ contention that these and other allegations showed a lack of an effective reporting system. In this regard, plaintiffs alleged that in the two years prior to the attack, the board of directors “had not held a single meeting or discussed the company’s mission-critical cybersecurity risks.” The court noted that during the relevant period, the board had delegated oversight responsibility for cybersecurity risks to two of its board committees. As the court explained, delegating oversight responsibility for “a particular risk in a particular year” to a “bona fide and functioning committee” does not mean that the board ignored its oversight responsibility in bad faith. Furthermore, while the committees’ failure to report back to the board suggested a “substandard reporting system” that should have concerned the directors, it did not show a complete failure to attempt to ensure that a reporting system exists. Nor did it show an intentional, “persistent or systemic failure” of oversight, particularly because directors are presumed to act in good faith. Concluding that the complaint failed to plead facts supporting a reasonable inference of bad faith by the SolarWinds directors, the court held that plaintiffs’ allegations were insufficient and therefore that plaintiffs had not adequately pleaded demand futility. The court accordingly dismissed the complaint.
The Bingle ruling, while favorable to SolarWinds, appears to be just one step in a series of long-running proceedings. In fact, on November 3, 2022, SolarWinds disclosed that it was facing an investigation by the SEC. Notably, the SEC isn’t the only regulator investigating companies that have experienced data breaches. The Federal Communications Commission, the Federal Trade Commission, the New York Department of Financial Services and others are also actively investigating and taking enforcement action against companies. These regulatory investigations are often conducted in parallel, requiring companies to simultaneously navigate the nuances and potentially disparate scope of investigations across jurisdictions, regions, and sectors. It is reasonable to expect that the list of regulators active in cyberspace will continue to grow along with their security requirements. Therefore, a key aspect of post-breach practice is working with regulators to manage that burden, which leads to more efficient processes and outcomes for targets, regulators, and ultimately consumers.