Cybersecurity and the Duty of Oversight

Cybersecurity Risk Management

Notwithstanding the less than promising track record for these kinds of claims, in a recent article, NYU Law Professor Jennifer Arlen argues that cybersecurity-related claims for breach of the duty of oversight should support Caremark liability in at least one class of cases – that is, cases relating to companies for whom cybersecurity is a “mission critical legal risk” and in which it is alleged that the company had inadequate cybersecurity that risked (and later caused) substantial harm to businesses and government agency customers, and that the company had misled the customers through statements that were designed to defraud the customers into believing that the company’s cybersecurity systems were materially better than they were. Professor Arlen’s March 18, 2025, post on the Harvard Law School Forum on Corporate Governance about Caremark claims in the cybersecurity context can be found here.

As many readers know, cyber threats pose a substantial risk to companies, one that can in many cases be deterred. Yet, Professor Arlen states, “many companies have not taken the steps necessary to adequately deter threat actors.” Deficiencies can be found even at software companies, cloud services providers, and other companies that make products or provide services that could leave companies, government agencies, and financial institutions vulnerable to a cyber event.

Companies may, Professor Arlen suggests, have incentives to misrepresent their level of cybersecurity preparedness. For example, fast-growth companies that are under pressure to show rapid growth and to achieve profitability may have incentives to skimp on cybersecurity measures, since good cybersecurity is expensive and can be effort intensive to maintain. Company management may have their own incentives to misrepresent their company’s cyber readiness, for compensation reasons or even for job-security reasons.


For some companies – those whose products’ or services’ cybersecurity effectiveness is critical for their customers – cybersecurity represents a mission critical legal risk. For these companies, Delaware law imposes “enhanced and specific duties on directors to set up systems and assert oversight.” Specifically, directors must determine which committee is responsible for overseeing the risks; establish procedures that require management to report compliance deficiencies; and ensure that management does report to them on deficiencies. The directors must also assume primary responsibility over investigations of detected misconduct.

These enhanced duties are designed to ensure that the board and not just management are informed about compliance deficiencies and detected misconduct. The information-channeling impact should “help deter violations by shifting control from managers (who are more likely to obtain private benefits from misconduct or face termination), to directors, who have less to lose from revelation of misconduct.”

Professor Arlen notes that Delaware’s courts have not provided specific guidance on precisely what legal risks trigger enhanced oversight duties; the critical factor in the cases is “whether the legal violation could cause egregious long-run harm to the firm,” whether through lost revenues from the loss of customers or through regulatory action. These considerations are of greatest concern to companies for whom weak cybersecurity could cause substantial harm to large institutions, such as multinational businesses or governmental agencies. In this context, making “knowingly misleading statements to institutional customers is likely to be a mission critical legal risk because the confluence of the company’s weak cybersecurity, the attack, and the lies is likely to cause customers to flee whom might not have but for the company’s dishonesty.”

As noted above, the breach of the duty of oversight claim filed against the SolarWinds board was dismissed. Interestingly, Professor Arlen contends that the derivative plaintiffs “likely would have avoided dismissal had they predicated their claims on the corporate trauma to SolarWinds from the confluence of its materially misleading statements about its cybersecurity, its apparent cybersecurity deficiencies, and the cyber-hack it suffered.” The core of her argument in this regard rests on her suggestions both that SolarWinds allegedly made materially misleading statements and that “it was mission critical for SolarWinds to avoid defrauding its customers about its cybersecurity given the nature of its clients and the risks they faced from SolarWinds’ products.” Under these circumstances, SolarWinds was subject to the enhanced Caremark duties, as a result of which plaintiffs need only show, in order to establish liability, that “the directors did not require management to report to them on whether the company’s public statements were materially misleading and did not seek the company’s own audit of its systems that would have informed the board about material deficiencies.”

Cases like these, Professor Arlen observes, “would induce directors of companies for whom cybersecurity quality is mission critical to the company and its customers to attend both to the accuracy of the company’s disclosures and to the company’s cybersecurity itself, to the benefit of the company and society.”

Professor Arlen’s commentary is both interesting and noteworthy because it suggests that, notwithstanding the relatively poor track record for plaintiffs seeking to assert breach of the duty of oversight claims in the cybersecurity context, it may yet be possible to plead a viable cybersecurity-related Caremark claim. Her commentary is also interesting for her suggestion that – for companies for whom cybersecurity is a mission critical legal risk – the board’s cybersecurity oversight duties extend not only to the cybersecurity function, its operation, and its performance, but also to oversight of the company’s disclosures about the effectiveness of its cybersecurity. Professor Arlen’s commentary suggests that the duty of oversight remains critically important in the cybersecurity context, particularly for those companies for whom cybersecurity is mission critical.
Republished with permission.

You’ll find many other excellent articles on Kevin LaCroix’s website: The D&O Diary.
