Skip to main content
close search
site logo

Cyber disclosures won’t save directors under Caremark

Boards will be tempted to equate compliance with upcoming SEC cybersecurity rules to meeting a duty of oversight standard. They shouldn’t, attorneys say.

Published Feb. 9, 2023
Robert Freedman's headshot
Lead Editor
legal duty of oversight
Business people discussing strategy in boardroom. Kali9 via Getty Images

Compliance with the Securities and Exchange Commission’s cybersecurity disclosure rules once they’re finalized won’t necessarily protect your board of directors against a duty-of-oversight challenge under Caremark, say cybersecurity legal specialists in an ACC Docket analysis

At some point a company will likely try to cite its compliance with the rules as de facto proof that its board of directors has met the standard that the closely watched Delaware Chancery Court has applied since 1996.

Under Caremark, directors have a fiduciary responsibility to stay informed on what the company is doing and act in good faith based on what they learn to meet their duty of oversight and avoid personal liability when things go wrong.

But it would be a mistake to think meeting the SEC rule, as it stands in its proposed form, is the same as having a process in place for the board to meet its fiduciary duty when it comes to cybersecurity matters, say Daniel Berick of Squire Patton Boggs and J. D. Bridges of Theta Lake in their analysis. 

“Compliance [with the SEC rules] would and should carry some weight with Delaware courts,” the attorneys say. “But the SEC should not become a de facto safe harbor.”

Reporting to investors

The SEC rules as proposed last year in March are about disclosure and reporting to investors what a company is doing on the cybersecurity front, not whether the measures in place are adequate. 

Among other things, companies are to report on incidents and provide updates on previously reported incidents. They also are to disclose their security processes, who on their board has cybersecurity expertise and what management is doing about security.  

What the rules don’t do is provide guidance on what is and isn’t adequate security. For that reason, it’s possible a company can comply with the rules without the board being much wiser about whether the protections are adequate. 

“Whether or not all these rules will actually make companies — and, therefore, their customers — safer is a matter of debate,” the attorneys say. 

The rules could even make companies less safe to the extent they report on their vulnerabilities, effectively giving cyber criminals a roadmap for breaching their systems. 

“Companies may end up not only disclosing information that may be of concern to investors as they look for possible regulatory violations and disruption to operations, but also exposing technical vulnerabilities and inadvertently putting a company at risk for further attacks,” they say. 

What’s more, since the reporting audience is shareholders, not consumers, companies could be reluctant to disclose on reputational grounds incidents that don’t meet the disclosure threshold. 

“Boards are already incentivized by market pressures to minimize or not report events that may be on the threshold of materiality since the reputational risks of a major cybersecurity event can be significant,” the attorneys say. 

Federal standard

There are other agencies looking at companies’ cybersecurity posture, most notably the Federal Trade Commission.

There are also other regulatory bodies that have cyber enforcement authority, from a consumer rather than a shareholder standpoint, that stem from the new California data privacy law and the European Union’s General Data Protection Regulation.

But what’s missing is a comprehensive federal law. 

“Until any such legislation actually makes it out of the U.S. Congress with its teeth intact, the public should not assume that the proposed SEC rules will force companies to make significant improvements in their cybersecurity posture,” they say.

A federal data privacy law, called the American Data Privacy Protection Act, passed a key House committee last year but it’s unclear what progress it will make in the next year or so.

From a board standpoint, Caremark remains a high bar to meet. No board has been held liable under it since Delaware courts began using it as a standard in 1996.

But since 2019, courts have become more inclined to let cases proceed. A recent case looked at whether Boeing’s board of directors failed in their duty of oversight by not requiring the company’s management to set up a system to keep it informed of safety issues. The matter was settled out of court, but only after the court had denied the company’s motion to dismiss. 

“It’s … crucial to understand the difference between complying with data privacy regulations — which most lawyers today understand is crucial — and having truly good cybersecurity,” the attorneys say.

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Trellis Launches Trellis AI to Revolutionize Trial Court Litigation
From Trellis
November 19, 2024
ContractCrab Launches AI Contract Review for In-House Legal Teams
From ContractCrab
November 14, 2024
Breaches and Bots: Law Firms Face a Trust Crisis with Clients, New Integris Survey Reveals
From Integris
November 18, 2024
Editors' picks
Latest in Compliance
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell