Carlton Fields

Aug 17, 2023

2 views The new SEC Cybersecurity Regulations (17 CFR 229.106)  that go into effect December 2023 has raised the bar for Directors and Officers to take actions needed to protect themselves from shareholder lawsuits that could result from a material cyber-incident (now needs to be reported to the SEC within 96 hours) that results in shareholder losses. History offers us a sobering look into one such shareholder lawsuit again Home Depot, that is documented in the article linked below (click Read More). The article also contains some prudent advice for Officers and Directors to protect themselves from personal liability, in the event of such a lawsuit. This advice is especially important now that the SEC Cybersecurity Regulation are finalized and codified. Here are a few useful recommendations from the Home Depot Caremark Lawsuit experience contain in the article: Liability for directors and officers in a cyber Caremark derivative action will likely depend on whether those individuals put in place before the breach a reasonable process calibrated to the company’s data, risk profile, and regulatory environment. And the expense of the defense will be directly proportional to how well this preparation was documented. In this regard, the following proactive best practices should be considered: Conduct a risk assessment that evaluates the nature of the company’s data, its vulnerability to hackers, and the ramifications if it were compromised. Draft policies and procedures, as well as an incident response plan, that not only seek to prevent a data breach but also outline the steps to take after such an event occurs. Consider whether the company’s existing insurance policies provide the requisite coverage for data breaches, as well as defense of the directors and officers in the event of litigation post-breach raising a Caremark or other derivative claim. Evaluate the “tech IQ” of the company’s directors and officers, and then task (or hire) a director to take the lead on cybersecurity oversight, serving as a liaison between the directors and management’s head of IT security. Provide regular updates to the board regarding cybersecurity and use third-party consultants as appropriate. Work with counsel to review and update the company’s public disclosures related to cybersecurity. This is a critical issue, given the SEC’s increasing focus on cybersecurity disclosures. And, plaintiffs — including the Home Depot derivative plaintiff — are likely to use the company’s cybersecurity disclosures to their advantage in litigation (e.g., to argue that the company overstated its defenses). Boards and company executives can no longer profess ignorance about their company’s cybersecurity. Company Officers and Directors of public companies are directly responsible for cybersecurity processes under the new SEC rules that take effect December 2023. A material cyber-incident could open the door for shareholder scrutiny of Company cybersecurity processes and protections that were in place when the incident occurred, possibly leading to a Caremark lawsuit, as has occurred in the past with Home Depot. It would be prudent for Companies to take action before the December 2023 effective date to ensure that "convincing" and "reasonable" processes are in place and documented, in the event this process documentation is needed by the defense to protect Officers and Directors from personal liability in a shareholder lawsuit. The presentation of cybersecurity process documentation and tamper-proof evidence of these controls in operation can be very beneficial to the defense. It's true that Officers and Directors cannot claim ignorance of material cyber-risks, especially within the Software Supply Chain with the CISA Known Exploited Vulnerabilities (CISA KEV) publicly available, daily, notifying companies of real cyber-risks coming from known exploited software product vulnerabilities provided by CISA. Preparing for a Cyber Caremark Lawsuit: Lessons from the Home Depot Derivative Complaint | Carlton Fields Ending months of speculation, a shareholder has finally filed a derivative lawsuit against the directors and management of The Home Depot, Inc., in connection with the massive data breach the company suffered in 2014. The complaint, which alleges breach of fiduciary duty and corporate waste, fits the emerging template of shareholder derivative lawsuits after breaches at public companies. As such, it is worth a closer analysis for those whose jobs include protection of public companies and their boards from and during data breaches, both directly through more robust cybersecurity measures and indirectly through director and officer insurance and cyber-risk policies.