SolarWinds’ Cyberbreach: Another Caremark Claim Dismissed

The law doesn’t demand that you get things right, only that you tried; the recent dismissal of a derivative lawsuit against SolarWinds Corporation illustrates this perfectly.

The cyber catastrophe that was SolarWinds in 2020 was epic. As a brief recap, the Texas-based company develops software for businesses to manage their networks, systems, and IT infrastructure.

Russian cyberterrorists successfully hacked into SolarWinds’ Orion platform and planted malicious code that was then deployed to all SolarWinds customers in a software update. That code installed a backdoor to each of those customer’s operating systems, which granted further access to cybercriminals to all of those companies.

In Construction Industry Laborers Pension Fund on behalf of SolarWinds Corporation, et al. v. Mike Bingle, et al., SolarWinds stockholders allege that SolarWinds corporate directors failed to adequately oversee cyber risk, which resulted in the attack—all of which ultimately harmed the value of the enterprise.

One might think that failure at the SolarWinds scale, and the ripple effect it had on its customers, means its directors would obviously face personal liability. After all, the court in Marchand emphasized that the company had one major risk—health and human safety—and it was critical of the board’s efforts to monitor and address this risk.

So surely, for a company like SolarWinds, where the major risk is cybersecurity, the failure of its cybersecurity measures meant there was a Caremark violation. Not so.

In a September 2022 Delaware Court of Chancery decision, Vice Chancellor Sam Glasscock III found that while SolarWinds directors “failed to prevent a large corporate trauma,” the plaintiffs also “failed to plead specific facts to infer bad faith liability on the part of the directors.”

Moreover, the court underscored the idea that Caremark claims may not ever succeed when applied to matters of business or operational risk, such as cybersecurity.

Bingle Case Overview

Duty of Oversight

Duty of oversight falls under the fiduciary duty of loyalty for board members to monitor a company’s operations. When plaintiffs bring claims against directors for breaching the duty of loyalty, these are called Caremark claims—named after a landmark case—which Delaware courts still rely on to make decisions about the duty of loyalty.

It is challenging for Caremark claims to survive a motion to dismiss.
To establish an oversight claim, plaintiffs must prove that either:

• Directors had utterly failed to implement any reporting or information system or controls, or
• Having implemented a system or controls, consciously failed to monitor or oversee operations, thus disabling themselves from being informed of risks or problems requiring their attention.

Bad Faith

In Bingle, the court recognized that the most important question at hand was “not whether the Board was able to prevent a corporate trauma,” but “whether the Board undertook its monitoring duties (to the extent applicable) in bad faith.”

The facts of the case showed that:

• “The full Board did not conduct any meetings or hold any discussions concerning cybersecurity at the Company from October 2018 until the Sunburst Attack occurred in December 2020,” and
• “Neither of the formed committees made any presentation to the full Board regarding cybersecurity during this time period, either.”

Nevertheless, the court found that plaintiffs inadequately pleaded a Caremark claim. The court went on to note that “the passage of time alone”—the failure to report to the board on cyber risk over a period of 26 months—does not implicate bad faith.

And while Vice Chancellor Glasscock noted that the directors’ oversight duties were “far from ideal,” their actions (or failure to act) were not enough to indicate bad faith:

… a subpar reporting system between a Board subcommittee and the fuller Board is not equivalent to an "utter failure to attempt to assure" that a reporting system exists. The short time period here between the IPO and the trauma suffered, together with the fact that the Board apparently did not request a report on cybersecurity in that period, is not sufficient for me to infer an intentional "sustained or systematic failure" of oversight.

Positive Law

Caremark claims typically apply to cases involving violations of laws passed by a legislature or regulations duly promulgated by an appropriate authority (“positive law”).

For example, in the famous Marchand case, it was clear that Blue Bell Creameries violated safety regulations, leading to the death of its customers. Similarly in the case of the Boeing derivative suit filed after the tragic crashes of two 737 MAX airplanes, airplane safety regulations that create affirmative obligations were violated.

In the context of a bad faith claim, a board’s allowing a company to violate positive law can demonstrate a board’s intent. As the court notes, “[T]o act in bad faith, the directors must have acted with scienter,” in that the directors had “actual or constructive knowledge that their conduct was legally improper.”

In Bingle, however, the plaintiffs could not clearly point to the same type of positive law violations. Plaintiffs instead argued that Caremark could apply to a lack of oversight in the category of business risk. The court noted that “whether Caremark should be applied to business risk remains an open question” that the court did not wish to resolve in this case.

In analyzing this matter, Vice Chancellor Glasscock discussed a recent Delaware case that the plaintiffs presented: Firemen’s Retirement System of St. Louis on behalf of International, Inc. v. Sorenson.

In Sorenson, the court found Caremark could apply to a failure to monitor cybersecurity risks— hypothetically—stating that corporate governance should evolve as legal and regulatory frameworks do.

However, Sorenson was ultimately dismissed, and Vice Chancellor Glasscock pointed to the fact that “even if lack of cybersecurity oversight might be an appropriate subject for a Caremark claim, a violation of law or regulation is still likely a necessary underpinning to a successful pleading.”

The plaintiff also argued, however, that the SolarWinds board acted in a manner contrary to positive law and cited the Securities and Exchange Commission’s guidance on public company cybersecurity disclosures as an example.

The SEC’s guidance states that “the development of effective disclosure controls and procedures is best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

Vice Chancellor Glasscock dismissed the plaintiff’s argument, stating that while the SEC’s guidance is “certainly indicative of requirements regarding public company disclosures,” it is not law on “required cybersecurity procedures or how to manage cybersecurity risks.”

The Outcome

For all of these reasons and more, the court ultimately found that the SolarWinds director defendants:

1. Were not credibly alleged to have allowed the company itself to violate law;
2. Ensured that the company had at least a minimal reporting system about corporate risk, including cybersecurity; and
3. Were not alleged to have ignored sufficient red flags of cyber threats to imply a conscious disregard of a known duty.

To be clear, the court is not saying that the SolarWinds board did a good—or even adequate—job; merely that as lame as their efforts may have been, they were enough for the defendants to win their motion to dismiss a Caremark claim.

Good Practices for Boards

Directors may be tempted to think that they can relax knowing that even SolarWinds directors were not held liable given some of the facts of the case, and the resulting trauma that occurred with the breach.

But the win isn’t that, after expensive litigation that leads to embarrassing disclosures about your board’s competence, you win your motion to dismiss. The win is that plaintiffs will be discouraged from pursuing a claim in the first place after reviewing the corporation’s books and records, such as the board and board committee meeting minutes.

Here are steps that directors will want to think about regarding how to best execute their fiduciary duty of oversight:

1. Identify the most critical risks facing the company—both those related to positive law and those related to operational risks.
2. Establish a system that brings information to the board about these risks in a timely way.
3. Once the oversight system is established, pay attention and take corrective actions as needed.
4. Monitor the positive law landscape in order to be aware of new laws and regulations that might be relevant to your company.
5. To the extent oversight has been delegated to a committee, regularly have the committee report to the full board.
6. Document the board’s efforts.

Specifically with respect to cyber risk, directors will want to remember that the SEC is doing a big push on cybersecurity disclosures. Reviewing the proposed rules and understanding how it may apply to the board’s role will be important.

In the case that you do have a cyber incident, cyber insurance can play an important role in mitigating your loss. The underwriting might also be a good way for a board to confirm that at least basic controls are in place. With increased frequency and severity of losses, cyber underwriters want to know which security controls are in place prior to granting coverage.

As my colleague Dan Burke points out in his article on cybersecurity controls and insurance:

Many carriers will now decline to offer terms for companies that do not meet the minimum or sometimes even the baseline protection … Furthermore, the carriers are no longer simply taking your word for having some of the technical controls in place. Most cyber insurance carriers now perform external scans of a prospective customer’s network both to confirm you have specific controls in place and to identify any known vulnerabilities present on your network.

The SolarWinds derivative suit dismissal should be encouraging for directors who are concerned about personal liability, since it is another example of the stringent requirements for Caremark claims to survive a motion to dismiss.

However, it is also clear that SolarWinds directors did not exactly cover themselves in glory when it comes to what their shareholders likely expected them to do concerning a major business risk.

In this way, the case can also serve as a timely reminder of the steps good boards take to fulfill their roles beyond the very minimal baseline the law requires.