The possibility of a securities class action lawsuit being filed against a company after it experiences a data breach is a long-standing risk. For most of 2025, there were relatively few of these kinds of suits filed, at least compared to recent years. However, last week, two different companies – the e-commerce firm Coupang and the application security firm F5 – were each hit with new cybersecurity-related securities class action lawsuits. The new lawsuits have several interesting features, as discussed below, and at a minimum underscore the fact that the threat of these kinds of cybersecurity suits is ongoing.

The Coupang Lawsuit

Coupang is an e-commerce site and web-services hub largely serving customers in South Korea. Its shares trade on the NYSE. According to the securities suit complaint, during the class period, the company made disclosures about the quality of its technology, data, and privacy controls, as well about the adverse consequences the company would sustain if these controls were compromised or breached.

In late November and early December 2025, a series of press reports disclosed that on November 18, 2025, the company discovered that it had sustained a massive data breach. As the company itself later disclosed, the company ultimately found that personal information of over 33 million customers has been compromised in what press reports called “the largest data breach in South Korean history.” The company also disclosed that the breach had been caused by a former company employee who had retained his log-in credentials after he left the company, and that the employee had exploited a vulnerability in the company’s systems to access  information and data. The company’s CEO later resigned. Subsequent media reports disclosed that the South Korean police are investigating the breach.

According to the complaint, the company’s share price declined in several steps as details of the breach were disclosed.

On December 18, 2025, a plaintiff shareholder filed a securities class action lawsuit in the Northern District of California against the company and certain current and former executives. A copy of the complaint can be found here. The complaint purports to be filed on behalf of a class of investors who purchased the company’s securities between August 6, 2025 and December 16, 2025 (the date the company filed a disclosure statement on Form 8-K with the SEC about the data breach).

The complaint alleges that during the class period, the defendants misrepresented or failed to disclose that: “(1) Coupang had inadequate cybersecurity protocols that allowed a former employee to access sensitive customer information for nearly six months without being detected; (2) this subjected Coupang to a materially heightened risk of regulatory and legal scrutiny; (3) When Defendants became aware that Coupang had been subjected to this data breach, they did not report it in a current report filings (to be filed with the U.S. Securities and Exchange Commission (the SEC) in compliance with applicable reporting rules; and (4) as a result, Defendants’ public statements were materially false and/or misleading at all relevant times.”

The complaint alleges that the defendants violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.

The F5 Lawsuit

F5 provides multi-cloud application security and delivery solutions, helping companies make their apps available and secure across environments. The company offers services like load balancing, firewalls, and app security. The company’s largest revenue product is called BIG-IP, which manages and secures application traffic for high availability and performance.

According to the securities lawsuit complaint, during the class period F5 provided investors with material information concerning its cybersecurity controls and effectiveness. The defendants, the complaint alleges, “routinely emphasized the importance of effective security measures to its clientele.” Company statements referred to the company’s ability to address newly developing security concerns, provide “best-in-class” security offerings, and protect its clients’ data while capitalizing on the market potential for enhanced security offerings.

On an October 15, 2025 press release (here), the company announced its discovery, in August 2025, of a nation-state actor’s “long-term, persistent” breach to its system, during which the company’s BIG-IP product development and engineering knowledge management systems were compromised. The company also identified its remediation efforts in response to the breach. According to the securities suit complaint, the company’s share price fell nearly 14% on this news.

On October 27, 2025, in connection with its fiscal fourth quarter earnings release, the company provided revised guidance including lowered growth expectations for fiscal 2026 due in part to the security breach. The lowered guidance included expected reductions in sales and increased expenses due to remediation efforts. According to the complaint, the company’s share price fell a further 11% in subsequent trading days.

On December 19, 2025, a plaintiff shareholder filed a securities class action lawsuit in the Western District of Washington against F5 and certain of its executives. The complaint, a copy of which can be found here, purports to be filed on behalf of investors who purchased the company’s securities between October 28, 2024, and October 27, 2025.

The complaint alleges that during the class period, the defendants disseminated “materially false and misleading statements” or concealed “material adverse facts concerning the true state of F5’s security capabilities.” Specifically, the complaint alleges that the company was, contrary to its representations, “not truly equipped to safely secure data for its clients,” as the company was at relevant time “experiencing a significant security breach … of some of its key offerings, and further, that the revelation of this breach would significantly impact F5’s potential capitalize on the security market.” These statements, the complaint alleges, from with material facts were omitted, “caused Plaintiff and other shareholders to purchase F5’s securities at artificially inflated prices.”

The complaint alleges that the defendants violated Section 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder. The complaint seeks to recover damages on behalf of the plaintiff class.

Discussion

At a minimum, these two new lawsuits are a reminder of the ways that a data breach or cybersecurity incident can translate into a D&O claim. There was a time, not that long ago, that commentators (including me) were predicting that there would be massive amounts of cyber-related D&O litigation. Since that earlier time there have indeed been some cyber-related securities suits filed, but these kinds of suits have never really accumulated in the volume anticipated.

This seeming short-fall is due in part to the fact that in many high-profile instances, the plaintiffs have not fared well in these kinds of cases (as discussed, for example, here). Another reason there have been fewer suits than anticipated is that the stock markets have become inured to data breach news. Many companies have sustained massive data breaches in recent years without any ensuing lawsuits filed, likely due to the fact that the breached company’s share price didn’t react to the news of the incident. These two new cases serve notice that the risk of these kinds of suits has not gone away.

There is a specific reason why I find the new Coupang lawsuit particularly interesting, and that is because one of the suit’s major allegations is that the company allegedly failed to make the requisite disclosures under SEC’s cyber security disclosure guidelines. Readers will recall that in July 2023, under the Biden administration, the agency adopted a set of guidelines. The guidelines require companies to make certain data breach-related disclosures within four days of determining that the breach was material, as well as to make annual disclosures concerning the company’s cybersecurity governance.

Since the time the cybersecurity disclosure guidelines were adopted, one of my concerns has been that plaintiffs’ attorneys would incorporate allegations into securities lawsuit complaints about alleged violations of the guidelines. This lawsuit is, to my knowledge, the first securities suit to contain allegations relating to compliance with the guidelines. The Coupang complaint emphasizes this particular allegation, among other things by setting out at length the text of the guidelines.

Interestingly, the F5 complaint also refers to the SEC’s cybersecurity disclosure guidelines, but in a different way than in the Coupang complaint. The F5 complaint, citing the company’s filing on Form 8-K with respect to the breach, notes that on September 12, 2025, the U.S. Department of Justice determined that a disclosure delay was warranted pursuant to Item 1.05(c). This provision authorizes companies to delay otherwise required cyber incident disclosure “if the Attorney General or the Attorney General’s authorized designees determine that the disclosure poses a substantial risk to national security or public safety.” In other words, F5 appears to have received a waiver to the SEC guidelines cybersecurity disclosure guidelines, apparently because the incident involves nation-state actor activity.  (The Coupang complaint also mentions Item 1.05(c), but only to assert that Coupang did not have an exemption.)

In any event, these two recently filed cybersecurity-related securities class actions are a reminder of the ways that cybersecurity concerns can translate into securities litigation and underscore the fact that the threat of this kind of litigation remains.