In my recent annual round-up of the top stories in the world of D&O liability, I noted that among the key D&O issues is the possibility of claims against corporate directors and officers arising out of cybersecurity incidents. One of the more interesting cybersecurity-related D&O claims in recent years is the securities class action lawsuit a plaintiff shareholder filed against FedEx in connection with the company’s disclosures concerning the “NotPetya” virus cyberattack on its European operations. What made the lawsuit interesting is that it involved not the company’s disclosures at the time of the cyber incident but rather concerned the company’s subsequent statements about the company’s recovery from the attack and the attack’s longer-term impact on its finances, operations, and business strategy. In a February 4, 2021 opinion (here), Southern District of New York Judge Ronnie Abrams granted the defendants’ motion to dismiss the FedEx NotPetya securities lawsuit, with prejudice. As I discuss below, the opinion has some interesting lessons on the importance of precautionary disclosure.
In June 2016, FedEx completed the $4.8 billion acquisition of TNT Express, N.V., a Netherlands based logistics company. FedEx hoped the acquisition would significantly expand its European footprint and would prove significantly accretive to earnings. However, on June 27, 2017, the TNT operations were hit by the NotPetya cyberattack, which some consider one of the largest cyberattacks in history and that affected many companies on a global scale. The NotPetya cyberattack spread a malware virus throughout TNT’s systems during a critical period of TNT’s integration into FedEx’s operations.
The class period in the subsequently filed securities class action lawsuit complaint starts on September 19, 2017 – that is, three months after the date of the actual attack — when the company released its fiscal first quarter results and noted that the cyberattack had negatively affect the company’s financial performance. However, allegedly in this disclosure and in subsequent disclosures during the class period, the company provided reassurance’s that TNT’s systems were fully restored, that its customers “stuck with us,” and that its revenue and earnings targets for the TNT acquisition, as well as the integration of TNT, remained on track.
The full extent of the disruption at TNT was, according to the complaint, not fully disclosed until December 18, 2018, when the company again announced disappointing quarterly results, which it attributed to lower package volumes in Europe and a negative shift in TNT’s product mix to lower margin freight business after the cyberattack that had taken place more than a year previously. The complaint alleges that the company’s share price decline over 12% on the news.
As discussed here, on June 26, 2019, a plaintiff shareholder filed a securities class action lawsuit in the Southern District of New York against FedEx and certain of its directors and officers. The plaintiff’s consolidated amended complaint, filed in January 2020, can be found here. The complaint purports to be filed on behalf of a class of investors who purchased the company’s securities between September 19, 2017 and December 18, 2018. The plaintiff alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder.
In its complaint, the plaintiff alleged that the company’s statements during the class period were misleading because they failed to disclose that the TNT division’s international service was “largely disabled” for six months after the virus; that TNT was losing a significant portion of its high-margin customers due to the international disruption from the virus; and that the virus has substantially delayed FedEx’s integration of TNT. The defendants filed a motion to dismiss.
The February 4, 2021 Opinion
In her detailed February 4, 2021 opinion, Judge Abrams granted the defendants’ motion to dismiss with prejudice on the grounds that “the complaint failed to adequately plead the required elements of falsity and scienter.”
In ruling on the defendants’ motion, Judge Abrams grouped the supposedly misleadingly positive statements on which the plaintiff relied into four categories: statements concerning the company’s operating income improvement target; statements concerning the company’s progress in restoring TNT operations in the wake of the NotPetya attack; reassurances about the retention of TNT’s customer base; and statements concerning the pace and cost of TNT integration into FedEx. Judge Abrams reviewed each of these four categories of allegations and concluded that the Complaint “fails to plausibly allege that any of these four categories of statements were false or materially misleading when made.”
In her opinion, Judge Abrams repeatedly emphasized that the very statements on which the plaintiff relied were accompanied by extensive precautionary disclosure. Thus, Judge Abrams noted that “an examination of FedEx’s statements in their full context illustrates the inadequacy of Plaintiff’s fraud allegations.” Each of the quarterly reports on which the plaintiff sought to rely “contained language, often bolded and italicized for emphasis, that warned investors about the potentially lingering effects of the June 2017 cyberattack.”
After expressly citing the precautionary language from the company’s disclosure statements, Judge Abrams noted that “these cautionary statements exemplify Defendants’ repeated disclosure of the Company’s difficulties in recovering from NotPetya.” She added that “in light of these disclosures, the Court concludes that Plaintiffs have failed to establish that FedEx’s more optimistic statements misled the investing public.”
Judge Abrams also concluded that the defendants were entitled to dismissal on the separate and independent ground that the Plaintiff has not alleged sufficient facts to raise a strong inference of scienter. The complaint, Judge Abrams said, is “devoid of any allegations that the individual defendants acted with any motive, whether pecuniary or otherwise, to deceive the investing public.” Instead, she noted, the complaint alleges that the defendants authorized the allegedly misleading statements despite possessing what the plaintiff said was “information reflecting the true facts regarding FedEx.”
Judge Abrams observed that the plaintiff did not specify what “true facts” the defendants supposedly received nor how or when they received such fact. The complaint, Judge Abrams said, “does not allege any facts to demonstrate that the individual defendants had knowledge that would contradict, let alone undercut the Company’s public statements.”
Accordingly, she found the plaintiffs’ allegations about the defendants’ knowledge of the “true facts” to be “too speculative to raise an inference that the individual defendants knew or falsely disregarded facts that contradicted their statements.” Accordingly, she concluded that the Plaintiff “has not alleged sufficient facts to raise a strong inference of scienter.”
Those of us in the D&O insurance business spend a lot of time worrying about one aspect of securities litigation risk management; the aspect we focus on is the transfer of risk through insurance. However, this case is a powerful reminder that there are other more important components, beyond risk transfer, of a comprehensive securities litigation risk management program. As this case powerfully demonstrates, well-conceived and well-executed disclosure practices can provide potent protection against potential securities law liability exposures.
Judge Abrams’s opinion in this case should be required reading for company managers interested in taking steps to try to reduce their securities litigation loss exposure. The opinion shows how the incorporation of detailed and meaningful precautionary disclosure into public statements can provide significant liability protection even if, as was certainly the case here, the company is hit with significant adverse developments.
In the unpredictable world in which we live, companies can experience hugely disruptive events, and in the event-drive securities litigation world in which we now live companies experiencing these adverse circumstances can get hit with securities lawsuits. But as this case shows, companies that implement well-designed disclosure programs will be in a better position to defend themselves if they do get hit with securities litigation.
As I noted at the outset, one of the reasons that this lawsuit interested me is that the underlying facts involve a massive state-sponsored cyberattack. As we saw again this past December with the SolarWinds cybersecurity incident, the possibility of these kinds of cyber incidents may be a part of the environment in which businesses must now operate. As this lawsuit against FedEx shows, and as the lawsuit filed in January against SolarWinds also shows, the consequences from these kinds of incidents can include D&O litigation.
Judge Abrams’s opinion in this case does provide some reassurance that even if plaintiffs’ lawyers may be drawn to filing D&O claims against companies experiencing cybersecurity incidents, that does not mean that the claims are necessarily meritorious. Over the last several years, a number of the cybersecurity-related D&O lawsuits have been dismissed. At the same time, however, other developments, such as for example the $149 million settlement last February of the Equifax data breach-related securities class action lawsuit, are a reminder that cybersecurity-related D&O lawsuits can be serious. The Equifax settlement may also provide plaintiffs’ lawyers with incentives to pursue these cybersecurity-related lawsuits, even in the face of dismissals like the one the FedEx lawsuit.
One final aspect of the FedEx case that should not be overlooked is how hugely disruptive a state-sponsored cyber attack can be. The NotPetya incident not only disrupted the TNT operations for months but it had a massive financial impact on FedEx. The various disclosure statements at issue in the subsequent securities lawsuit stated, among other things, that the NotPetya attack “negatively impacted” FedEx by an estimated $400 million, primarily from loss of revenue due to decreased TNT shipments as well as incremental costs to restore information technology systems. If nothing else, the story of the impact of the NotPetya cyberattack on FedEx underscores that cybersecurity is critical concern for every organization – indeed, the importance of cybersecurity cannot be overstated.
Special thanks to the several readers who sent me a copy of the FedEx opinion.