An important recent litigation phenomenon that I have been monitoring on this site is the revival of the duty of oversight as a legal theory on which plaintiffs can try to assert claims against corporate boards. Delaware’s courts have recently sustained several of these kinds of claims – often referred to as “Caremark” claims in reference to the 1986 Delaware Court of Chancery decision that first recognized the legal theory behind these claims – and indeed one recent federal court decision sustained a breach of the duty of oversight claim under Ohio law. In light of these developments, boards will need to anticipate the possibility that these kinds of claims can arise, which in turn raises the question of what boards can do to protect themselves from these kinds of claims.

 

Background

As I detailed in a recent post (here), though duty of oversight claims have been around for years, they have until recently been notoriously difficult for plaintiffs to sustain. As I also detailed in the recent post, in a series of recent decisions beginning with the 2019 Delaware Supreme Court decision in Marchand v. Barnhill (here), the Delaware courts have sustained plaintiffs’ claims and allowed breach of duty of oversight claims to go forward.

 

These recent Delaware decisions taken collectively stand for the proposition that under Delaware law corporate directors have a fiduciary duty to create and implement a system of controls in order to monitor company management and operations, particularly with respect to “mission critical” operations, and that directors must heed and follow up on “red flags.”

 

Given these recent developments, it should come as no surprise that plaintiffs increasingly are seeking to pursue claims against corporate boards based on alleged breaches of the duty of oversight. Indeed, as William Savitt of the Wachtell, Lipton, Rosen & Katz law firm noted in a May 21, 2021 post on the Harvard Law School Forum on Corporate Governance (here), on May 4, 2021 plaintiff shareholders filed a Delaware Chancery Court complaint against the directors of NiSource, Inc., in connection with a tragic 2018 accident when an explosion of one of the company’s pipelines caused a mass evacuation, numerous injuries, and one death.

 

The complaint (here) alleges that NiSource’s board disregarded “numerous red flags evidencing violations of gas pipeline safety laws that occurred over a number of years.” The plaintiffs asserted that the defendant directors had committed “bad failed oversight failures that are not protected under Delaware law.”

 

As Savitt noted in his Harvard Law School Forum post, these kinds of claims “now regularly follow whenever a company has bad news,” noting further that once a Caremark claim survives an initial pleading motion, “it becomes a vehicle for extensive discovery and takes on substantial settlement value, even if not ultimately meritorious.” In underscoring the risk that these developments present, Savitt notes further that “corporate trauma can happen, even to the best-run companies, and the courts should be expected to permit multiple avenues of litigation attack when it does.”

 

The Need for Regular Board-Level Corporate Risk Review

With the courts showing a willingness to sustain these kinds of claims at least under certain circumstances, and with plaintiffs’ lawyers showing an increased willingness to assert these kinds of claims, the question arises of what companies can do to try to protect themselves.

 

In trying to address these questions, Savitt suggests that these developments reinforce “the imperative for boards of directors to regularly review key enterprise risks.” The “best approach,” Savitt suggests, is for boards “to undertake at least quarterly review of corporate operations and developments affecting enterprise-level risk.” As important as the quarterly review itself is that directors should “create a clearly written record of their review and their vigilant response to any compliance risks that may emerge.”

 

Savitt concludes that boards that institute these measures “will be in accord with best practices for corporate risk management” and “will have a powerful answer, available at the pleading stage, if ever charged with neglecting their oversight duties.”

 

Discussion

Savitt’s recent article correctly suggests that any effort to manage directors’ litigation risk should include measures to position the directors to defend themselves against breach of the duty of oversight claims. His suggestion that boards institute quarterly enterprise risk reviews and, just as important, fully document those reviews represents valuable guidance for companies to adopt in addressing their directors’ potential liabilities.

 

I know that for many readers it will be helpful to have a practical example of what this kind of review might involve. So, for example, one risk that many organizations face these days has to do with cybersecurity. Numerous recent developments, from the SolarWinds data breach to the Colonial Pipeline cybersecurity incident, underscore the potential significance of cybersecurity as an enterprise risk. As I have noted previously, in the event of a cybersecurity incident, plaintiffs’ lawyers might well seek to assert a claim for an alleged breach of the duty of oversight against the directors of the organization experiencing the incident.

For these reasons, organizations for which cybersecurity represents a mission critical element will want to incorporate, in the kind of quarterly risk review that Savitt recommends, an oversight review of the company’s cybersecurity program and performance. In a separate May 11, 2021 memo entitled “Cybersecurity Oversight and Defense – A Board and Management Imperative” (here), the Wachtell Lipton law firm details the need for this type of enterprise risk review of cybersecurity-related concerns, spells out what this type of review might consist of, and reiterates the need for documentation of board-level oversight.

 

Cybersecurity is of course only one area of enterprise risk, and the specific operational concerns that should be addressed in any given company’s quarterly board risk review will vary according to the company.

 

There is a larger issue here, and that is that risk management itself is a critical board concern. Boards of course will focus on corporate strategy, company planning, and financial performance metrics and measures. However, for the benefit of the company, and also as a defensive measure, well-advised boards will recognize that risk management is an indispensable element of board function. One element of a well-designed risk management program is the kind of quarterly risk review that is discussed above.

 

Although beyond the scope of this blog post, those readers interested in considering the broader scope of board risk management will want to review the June 2020 memo from the Wachtell law firm entitled “Risk Management and the Board of Directors” (here).