Delaware courts have historically been reluctant to allow Caremark (or “board oversight”) claims to gain traction, describing such a claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”1 More recently, however, Delaware courts have allowed a number of Caremark claims to survive a motion to dismiss.2 Nevertheless, two recent decisions from this past year — SolarWinds and NiSource — dismissed Caremark claims regarding alleged “mission critical” risks because the board had implemented reporting systems and monitored risks in good faith, even though the monitoring of those systems was considered less than ideal based on the facts alleged.3 One of those decisions also suggested that a failure to monitor mission critical “business risks” (in contrast to risks arising from violations of positive law) could, in an “extreme” case, give rise to a Caremark claim. The court’s analysis in both cases underscores the need for boards to implement and monitor effective systems for “mission critical” risks.
Pleading a Caremark Claim
To overcome the “demand” requirement of a Caremark claim, a plaintiff must plead facts under which it is reasonably conceivable to infer that the board acted in bad faith by (1) utterly failing to implement any reporting or information systems or controls; or (2) having implemented such a system or controls, consciously failing to monitor or oversee their operations, including ignoring “red flags.” These are known as “prong one” and “prong two” of Caremark, respectively.
In Construction Industry Laborers Pension Fund v. Bingle (SolarWinds), plaintiffs brought suit after SolarWinds (a software company) suffered a massive cyberattack. The SolarWinds plaintiffs claimed that the board failed to “monitor corporate effort in [a] way that prevented cybercrime.” Although the court found cybersecurity to be “mission critical” for SolarWinds, it dismissed the claim because, based on the allegations, the director defendants (1) did not allow the company itself to violate positive law; (2) ensured the company had at least a minimal reporting system regarding corporate risk, including cybersecurity; and (3) did not ignore sufficient red flags of cyberthreats to imply a conscious disregard of their known duties.
The court distinguished SEC guidance and New York Stock Exchange guidance on cybersecurity disclosures from “positive law” addressing requirements for cybersecurity procedures and risks. The court observed that any failure to adhere to this “guidance” differed from violations of “positive law” alleged in recent cases where a Caremark claim survived a motion to dismiss. And while the SolarWinds decision acknowledged that no case in Delaware had previously imposed oversight liability based “solely on failure to monitor business risk,” it noted the “increasing importance of cybersecurity” and that it is “possible” to conceive of an “extreme hypothetical” that could lead to liability, such as where directors act in bad faith regarding such a risk.
With respect to the first prong, the court determined that SolarWinds did not “utterly fail” to have a reporting system in place for cybersecurity risks because both the Nominating and Corporate Governance (NCG) Committee and the Audit Committee were charged with oversight responsibility for cybersecurity and the NCG committee was alleged to have specifically discussed cybersecurity. While the court described the reporting system as “subpar” because the board did not receive any reports from either committee with respect to cybersecurity for over two years, such allegations were insufficient under prong one of the Caremark test.
The court also concluded that the board did not ignore any alleged “red flags” in violation of prong two. A cybersecurity briefing presented to the NCG Committee was not a “red flag,” but “an instance of oversight” that shows the directors were monitoring risks. Other red flags identified by the plaintiffs were insufficient because those facts never rose to the director level, and thus the directors were not aware of them.
In City of Detroit Police and Fire Retirement System ex rel NiSource, Inc v. Hamrock (NiSource), plaintiffs attempted to bring a claim under both Caremark prongs in the wake of a series of pipeline explosions. The Court of Chancery rejected the plaintiffs’ prong one challenge because books and records obtained by the plaintiffs demonstrated that the board established a system for monitoring and reporting on the “mission critical” risk of pipeline safety, which “demonstrate[d] the existence of a system rather than its absence.”
The plaintiffs advanced two theories under prong two. Their first theory was that the board caused the company to “seek profit by violating the law” instead of spending the money necessary to comply with pipeline safety laws. The court rejected this theory because the plaintiffs did not allege a violation of positive law, but only that the NiSource directors had set too long a timeline to implement a compliance program. The court concluded that the board’s decision regarding the implementation timeline — while “regrettable” — was a “legitimate business decision,” not bad faith.
The court also rejected the plaintiffs’ “red flags” theory, because the “red flags” were either too attenuated from the explosions underlying the complaint or they never rose to the board level. In particular, the court found that the failure of one NiSource subsidiary to comply with an “expansive regulation” could not have alerted the board to the specific risk at another NiSource subsidiary that led to the explosions underlying the complaint.
- Although Caremark claims have been more frequently pursued and sustained over the last few years, the Court of Chancery continues to stress the high bar for such claims.
- The decisions in both SolarWinds and NiSource indicate that a board’s decision to implement a reporting system for a “mission critical” risk, and the board’s good faith efforts to monitor that risk, may mitigate the threat that a board could face fiduciary duty liability, even if a court, in hindsight, could critique the board’s performance in monitoring the risk.
- Whether Caremark liability can attach to failures related to mission critical “business risks,” rather than those born of violations of “positive law,” remains an open question. Companies should therefore consult with outside counsel to ensure they have adequate controls and oversight in place for all “mission critical” risks.
1 See In re Boeing Co. Derivative Litig., 2021 WL 4059934, at *24 (Del. Ch. Sept. 7, 2021).
2 See Edward B. Micheletti, Bonnie W. David and Ryan M. Lindsay, The Risk of Overlooking Oversight: Recent Caremark Decisions From the Court of Chancery Indicate Closer Judicial Scrutiny and Potential Increased Traction for Oversight Claims, Skadden, Arps, Slate, Meagher & Flom LLP (Dec. 15, 2021); Stephen F. Arcano, Jenness E. Parker and Matthew P. Majarian, ‘Mission Critical’ Issues and ‘Red Flags’: What It Means for a Board To Exercise Oversight, Skadden, Arps, Slate, Meagher & Flom LLP (Sept. 22, 2022).
3 Constr. Indus. Laborers Pension Fund v. Bingle, 2022 WL 4102492, at *1 (Del. Ch. Sept. 6, 2022); City of Detroit Police & Fire Ret. Sys. ex rel NiSource, Inc v. Hamrock, 2022 WL 2387653 (Del. Ch. June 30, 2022).
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.