At this point boards are not surprised if they are sued following cyber stumbles that involve the release of personally identifiable information. Marriott, Yahoo, Equifax, and more all provide instructive cautionary tales.
Another type of cyber stumble occurs when a company’s computer infrastructure—think servers and networks infected by malware—becomes so compromised that the result is a significant business interruption, so much so that a company ends up missing earnings targets. Until recently, we hadn’t seen a securities class action suit related to a business interruption problem.
Enter FedEx. In June 2019, the company was sued in a securities class action suit due to a cyber stumble that resulted in business interruption and missed targets.
FedEx and NotPetya
In 2017, FedEx was one of the many companies hit with the malicious NotPetya malware. As a result, FedEx experienced serious business interruptions in its European operations and suffered financial losses.
It wasn’t the US operations that were the issue. It was FedEx’s newly acquired Netherlands-based logistics company, TNT Express, which was hit while FedEx was in the midst of integrating TNT into itself.
Plaintiffs allege that FedEx misled the public when FedEx “assured investors that all critical TNT systems were fully restored and fixes to its customer-specific systems were expected to be finalized by the end of September 2017.”
The previous March, FedEx had disclosed its targets for increased operating income resulting from the TNT acquisition, and did not revise down these projections immediately after the NotPetya attack.
Instead, FedEx continued to provide assurances that the integration was on-track.
Indeed, according to plaintiffs, over the course of more than a year, FedEx continued to assure investors that the impact from the cyber attack was minimal and that it would be able to meet previously projected financial targets.
Unfortunately, in December 2018, FedEx had to disclose disappointing results. Allegedly these disappointments were due in part to European customers moving their higher margin business away from the TNT side of the business after the NotPetya attack.
FedEx also stated that it would not meet the TNT-related operating revenue improvements in its originally disclosed timeframe. Of course, FedEx also lowered its guidance.
FedEx’s stock price dropped more than 12% on the news. Shareholders filed suit six months later, alleging that FedEx had violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 by making misstatements and omissions related to the impact of the NotPetya attack.
Early Days, but Not Too Early to Learn
It’s important to stress that the plaintiffs have a long way to go before establishing that FedEx violated the ’34 Act. But it’s not too soon to learn from the case.
A cyber attack is just like any other stumble that a corporation may face: at the beginning of an event it can be very difficult to know how bad the situation really is and how long remediation will take.
Despite these challenges, companies are under tremendous pressure to disclose cyber stumbles quickly with complete answers to the total impact of the problem, as well as exactly when things will be fixed.
Companies naturally also want to avoid the kind of disclosure that will immediately and inappropriately cause the stock price to drop to the detriment of shareholders.
As a company moves forward and remediates the event, it can find out that things are not what it thought at first. Sometimes things are better than expected, sometimes not.
If the situation turns out to be worse than expected, it’s no surprise that plaintiffs will sue the company, alleging that the company lied from the beginning.
How Directors and Officers Can Better Handle a Cyber Stumble
It’s foreseeable that if a company experiences a bad cyber stumble, it will have to navigate a fair number of tricky disclosure issues very quickly.
It helps if the company has thought about the issues ahead of time. The first time you are thinking about what a severe cyber-related business interruption looks like and how to get back on track should not be in the middle of the remediation process.
When doing tabletop exercises and other cyber-related drills, be sure to include as an element the process of disclosure. You want to know the answers ahead of time to questions like:
- Who gathers the relevant information?
- Who can confirm that the information is accurate?
- Who are the lawyers and other advisers like PR firms who will be involved in crafting the message?
- Who gets to make the final call on what information will be released to the public?
Securities class action suits are premised on the idea that there was a problem with your company’s disclosure. For this reason, in the middle of a cyber stumble, you absolutely want to consult not just with your corporate attorney, but also with an experienced securities litigator.
You want to be accurate, and you also want a view into how the plaintiffs’ bar will negatively characterize your work if it turns out your forecasts were not correct.
Finally, as part of your prep work, you want to review your overall risk mitigation strategy when it comes to director and officer protection and cyber attacks. A cyber liability insurance policy tailored to your company’s cyber risks may be very helpful in this regard.
Unfortunately, many companies hit by NotPetya had relied on insurance products for business interruption coverage that were not designed for cyber events. Unsurprisingly, many of these policies ultimately did not pay out.
By contrast, a well-brokered cyber insurance program is designed to respond exactly to a NotPetya-type situation, providing coverage for lost profits and operating expenses during the remediation period following a cyber incident. In addition, many cyber insurance policies offer a plethora of resources to help respond to cyber attacks, such as IT forensics firms, legal guidance, and public relations professionals experienced in responding to cyber stumbles. Management will want to be familiar with these resources before the crisis hits.
FedEx provides a cautionary tale that illustrates that even some of the best-run companies in the world are still vulnerable to cyber stumbles, business interruption, and the resulting D&O litigation, including securities class action lawsuits.
With the FedEx suit now having been filed, boards may want to examine the complaint with reference to their own companies. This is an especially good exercise if a company plans to make a material acquisition that will cause the company to publicly announce metrics for the various benefits of the acquisition.
To the extent that the new asset may be vulnerable to a cyber attack that could lead to a significant business interruption, it is worth considering ahead of time how your company will handle the kinds of disclosures that FedEx is now accused of having made with the intent to mislead its shareholders.