In the latest example of claimants seeking to assert the newly revitalized type of claim for breach of the duty of oversight against corporate boards, plaintiff shareholders have filed a derivative lawsuit in Delaware Chancery Court against certain past and current directors of technology company SolarWinds, based on the massive cybersecurity incident involving the company’s software and systems discovered in December 2020. As discussed below, there are several interesting features of this lawsuit in light of recent developments involving claims for alleged breaches of the duty of oversight. A copy of the heavily redacted publicly available version of the plaintiffs’ complaint against the SolarWinds board can be found here.
Background
SolarWinds is an information technology infrastructure management technology company. On December 13, 2020, Reuters reported that hackers allegedly working for the Russian government had monitored email traffic at the U.S. Treasury and Commerce departments and that the alleged hackers were believed to have gained access to the agencies’ email traffic by interfering with software updates released by SolarWinds, which provides technology services to various government vendors in the executive branch, the military, and the intelligence services.
On December 14, 2020, SolarWinds filed a Form 8-K with the SEC, disclosing that the company “has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products, which, if present and activated, could potentially allow a hacker to compromise the server on which the Orion products run.” The incident, the SEC filing went on to note, “was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state, but SolarWinds has not independently verified the identity of the attacker.” The filing noted that the company had retained third-party cybersecurity experts to assist with the investigation, and that the company was cooperating with the FBI, the U.S. intelligence community, and other governmental agencies. The filing also noted that the vulnerability apparently was inserted in the Orion product between March and June 2020. The company’s share price fell 17% on this news.
The SolarWinds cybersecurity incident, subsequently dubbed “SUNBURST,” ultimately was determined to have impacted a number of the company’s clients, including U.S. national security agencies and technology companies. (The company contends that fewer than 100 clients were affected.)
As discussed here, the SolarWinds cybersecurity incident previously was the subject of a securities class action lawsuit filed in the Western District of Texas in January 2021 against the company and certain of its directors and officers. The defendants’ motion to dismiss the plaintiffs’ consolidated amended complaint in the securities lawsuit is currently pending.
The Delaware Complaint
On November 3, 2021, three SolarWinds shareholders filed a derivative lawsuit in the Delaware Court of Chancery against certain former and current directors of SolarWinds, as well as against the company itself as nominal defendant. The complaint alleges a single count for the defendants’ alleged “Breach of the Duty of Loyalty and Care through a Bad Faith Failure to Oversee SolarWinds’ Cybersecurity.” Among other things, the complaint seeks to recover damages on behalf of the company.
The complaint, which is based in part on information the plaintiffs’ lawyers obtained through a books and records request, states that it asserts the claim against the directors “for their utter failure to implement or oversee any reasonable monitoring system concerning … cybersecurity risks fundamental to SolarWinds’ only line of business.” The complaint alleges that the company was an “attractive target” for cybersecurity attacks because the ubiquity of its software means that “hackers can use the Company’s software to gain privileged access to SolarWinds’ clients’ systems.”
The complaint alleges that the company received or should have been aware of numerous “warnings” about the “specific and heightened risk from supply chain cyberattacks that was (or should have been) apparent to any fiduciary reasonably familiar with SolarWinds’ business.” These warnings include an Office of the Director of National Intelligence communiqué describing risks to software supply chain operations, and warnings from private sector cybersecurity experts about the increasing danger of supply chain attacks. Despite these warnings, the complaint alleges, the board failed to take sufficient steps to oversee these risks.
These alleged “oversight failures” had “grave consequences” for the company. The company “suffered from internal cybersecurity deficiencies that defied elementary cybersecurity standards.” Among these deficiencies were “poor password controls.” The company has “acknowledged” that “password vulnerabilities” were among the likely points of entry for SUNBURST.
The complaint alleges that the company’s directors had “a fiduciary duty to monitor and oversee the Company’s known mission critical cybersecurity risks” and therefore “should have known about and addressed these and other fundamental security deficiencies” before SolarWinds “became a channel for hackers to invade its clients’ IT systems.” The defendant directors “breached their fiduciary duties by utterly failing to monitor or oversee any aspect of the Company’s known mission critical cybersecurity risks.”
The complaint alleges that the plaintiffs’ omission to make a pre-suit demand on the SolarWinds board was excused because all of or a majority of the directors face a substantial risk of liability.
In response to the filing of the derivative suit complaint, the company issued a statement saying “We do not comment on pending litigation, but this action is similar to a purported derivative lawsuit filed earlier this year. More importantly, we continue to focus on deepening our relationships with customers and openly discussing our Secure by Design initiatives as we look to set the standard for secure software development.”
Discussion
The type of breach of the duty of oversight claim that the plaintiffs asserted in their complaint against the SolarWinds board is often referred to as a Caremark claim, in reference to the 1996 Delaware Court of Chancery decision that articulated the legal theory behind this type of claim. Caremark cases are notoriously difficult to sustain; in the words of a much-quoted statement about these kinds of claims, breach of the duty of oversight is “possibly the most difficult theory in corporation law upon which plaintiff might hope to win a judgment.”
However, in a series of decisions starting with the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill, a number of breach of the duty of oversight claims have been sustained. The most recent example of a breach of the duty of oversight claim surviving a dismissal motion is the high-profile Boeing 737 Max Air Crash derivative suit, which recently settled for $237.5 million. These developments, and in particular the dismissal motion ruling in the Boeing case, have prompted some commentators to suggest that these kinds of breach of the duty of oversight claims may no longer be as difficult to establish as had previously been the perception.
At the time of the Delaware Supreme Court’s 2019 Marchand v. Barnhill ruling, I speculated that a newly revitalized breach of the duty of oversight claim could represent a legal theory on which plaintiffs might seek to rely in asserting claims against boards of companies that had experienced cybersecurity incidents. As I noted at the time, cybersecurity is for many types of operations “mission critical.” With the benefit of post-incident hindsight, plaintiffs’ lawyers could, I speculated, seek to portray the ups and downs of daily operations as presenting “red flags” that should have triggered boards’ monitoring of key operations. The recent filing of the breach of the duty of oversight claims against the SolarWinds board seems to represent the realization of the concerns I expressed in my earlier post.
In thinking about the potential of this lawsuit for success, the October 2021 decision in the Marriott data breach-related derivative lawsuit needs to be considered. As I noted in a post at the time, Vice Chancellor Lori Will granted the defendants’ motion to dismiss, ruling that the plaintiffs’ obligation to make a pre-suit demand on the board was not excused. With respect to the plaintiffs’ breach of the duty of oversight claims under Caremark, Vice Chancellor Will specifically said that the “allegations in the complaint do not meet the high bar required to state a Caremark claim.”
In her opinion in the Marriott case, Vice Chancellor Will did say some things that the plaintiffs in the SolarWinds case may find to be helpful. For example, she said that cybersecurity risks are an increasingly important part of the corporate landscape, and that as risks of cybersecurity become manifest “corporate governance must evolve to address them,” adding further that “the corporate harms presented by non-compliance with cybersecurity safeguards increasingly call upon directors to ensure that companies have appropriate oversight systems in place.”
However, in granting the motion to dismiss, Vice Chancellor Will also said that in the end, the plaintiff has not shown “that the directors completely failed to undertake oversight responsibilities, turned a blind eye to known compliance violations, or consciously failed to remediate cybersecurity failures.”
The standard historically applicable to Caremark claims is high, and Vice Chancellor Will’s opinion in the Marriott case highlights how difficult it will be for the plaintiffs in the new SolarWinds case to meet the “high bar required to state a Caremark claim.” Nevertheless, it will be very interesting to watch what develops in this case as it goes forward. The recent massive settlement in the Boeing breach of the duty of oversight claim underscores how steep the stakes are.