Evolving Caremark Duties Related to Cybersecurity Risks
In the recent case Construction Industry Laborers Pension Fund on behalf of SolarWinds Corporation, et. al v. Mike Bingle, et al. (2022), the Delaware Chancery Court considered whether the directors of SolarWinds Corporation, a provider of information technology infrastructure management software, had violated their Caremark duties to conduct reasonable cybersecurity risk oversight of the company. While the case was ultimately dismissed, SolarWinds demonstrates the importance of establishing and monitoring cybersecurity oversight, and in particular that directors of companies who may be required to follow certain cybersecurity regulations (positive law) should work to ensure compliance (or oversight thereof) with such regulations, in order to protect against future exposure.
In 2020, hackers concealed malicious code in SolarWinds’ software and orchestrated an attack that affected up to 18,000 of SolarWinds’ clients and led to a precipitous drop in SolarWinds’ stock price. Plaintiffs brought a derivative suit against the directors of SolarWinds, alleging that the attack resulted from the directors’ breach of their fiduciary duties of loyalty for failure to provide reasonable oversight, as established by the landmark case In re Caremark International Inc. Derivative Litigation (1996), of the company’s cybersecurity risks.
Ultimately, the Delaware Chancery Court granted the defendants’ motion to dismiss, ruling that the complaint failed to show a “substantial likelihood” that a majority of the board of directors for SolarWinds faced liability on the merits of the plaintiffs’ claim. The court rejected plaintiffs’ argument that the directors had acted in bad faith in failing to monitor the company’s cybersecurity risks. The court also ruled that it was unwilling to hold the directors liable for failure to monitor a business risk, noting that past cases have only found breaches in director duties of oversight in instances where a company’s directors filed to comply with “positive laws,” such as statutes and regulations regarding particular conduct. In light of these reasons, the court granted the defendants’ motion to dismiss.
The court’s decision in SolarWinds has implications for directors of all companies, as cybersecurity risks continue to arise and evolve. Given the growing risk of cybersecurity breaches, it is likely that more positive laws requiring companies to take certain actions and protection related to cybersecurity will be codified. As such, directors should remain diligent to ensure their companies monitor for applicable cybersecurity requirements, and ensure an appropriate oversight program is established and monitored, in order to avoid liability. In addition, while the court declined to find that lack of reporting to the full board of directors on cybersecurity matters arose to intentional disregard by the board of its oversight duties, the court characterized as “subpar” the reporting system between board committees and the full board. Thus, it is recommended that a regular system of reporting to the full board on cybersecurity matters should be considered.
This article is available in the Jenner & Block Japan Newsletter. / この記事はJenner & Blockニュースレターに掲載されています。
In 2020, hackers concealed malicious code in SolarWinds’ software and orchestrated an attack that affected up to 18,000 of SolarWinds’ clients and led to a precipitous drop in SolarWinds’ stock price. Plaintiffs brought a derivative suit against the directors of SolarWinds, alleging that the attack resulted from the directors’ breach of their fiduciary duties of loyalty for failure to provide reasonable oversight, as established by the landmark case In re Caremark International Inc. Derivative Litigation (1996), of the company’s cybersecurity risks.
Ultimately, the Delaware Chancery Court granted the defendants’ motion to dismiss, ruling that the complaint failed to show a “substantial likelihood” that a majority of the board of directors for SolarWinds faced liability on the merits of the plaintiffs’ claim. The court rejected plaintiffs’ argument that the directors had acted in bad faith in failing to monitor the company’s cybersecurity risks. The court also ruled that it was unwilling to hold the directors liable for failure to monitor a business risk, noting that past cases have only found breaches in director duties of oversight in instances where a company’s directors filed to comply with “positive laws,” such as statutes and regulations regarding particular conduct. In light of these reasons, the court granted the defendants’ motion to dismiss.
The court’s decision in SolarWinds has implications for directors of all companies, as cybersecurity risks continue to arise and evolve. Given the growing risk of cybersecurity breaches, it is likely that more positive laws requiring companies to take certain actions and protection related to cybersecurity will be codified. As such, directors should remain diligent to ensure their companies monitor for applicable cybersecurity requirements, and ensure an appropriate oversight program is established and monitored, in order to avoid liability. In addition, while the court declined to find that lack of reporting to the full board of directors on cybersecurity matters arose to intentional disregard by the board of its oversight duties, the court characterized as “subpar” the reporting system between board committees and the full board. Thus, it is recommended that a regular system of reporting to the full board on cybersecurity matters should be considered.
This article is available in the Jenner & Block Japan Newsletter. / この記事はJenner & Blockニュースレターに掲載されています。
Related Attorneys
Related Articles
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
In the recent case Construction Industry Laborers Pension Fund on behalf of SolarWinds Corporation, et. al v. Mike Bingle, et al. (2022), the Delaware Chancery Court considered whether the directors of SolarWinds Corporation, a provider of information technology infrastructure management software, had violated their Caremark duties to conduct reasonable cybersecurity risk oversight of the company. While the case was ultimately dismissed, SolarWinds demonstrates the importance of establishing and monitoring cybersecurity oversight, and in particular that directors of companies who may be required to follow certain cybersecurity regulations (positive law) should work to ensure compliance (or oversight thereof) with such regulations, in order to protect against future exposure.
In 2020, hackers concealed malicious code in SolarWinds’ software and orchestrated an attack that affected up to 18,000 of SolarWinds’ clients and led to a precipitous drop in SolarWinds’ stock price. Plaintiffs brought a derivative suit against the directors of SolarWinds, alleging that the attack resulted from the directors’ breach of their fiduciary duties of loyalty for failure to provide reasonable oversight, as established by the landmark case In re Caremark International Inc. Derivative Litigation (1996), of the company’s cybersecurity risks.
Ultimately, the Delaware Chancery Court granted the defendants’ motion to dismiss, ruling that the complaint failed to show a “substantial likelihood” that a majority of the board of directors for SolarWinds faced liability on the merits of the plaintiffs’ claim. The court rejected plaintiffs’ argument that the directors had acted in bad faith in failing to monitor the company’s cybersecurity risks. The court also ruled that it was unwilling to hold the directors liable for failure to monitor a business risk, noting that past cases have only found breaches in director duties of oversight in instances where a company’s directors filed to comply with “positive laws,” such as statutes and regulations regarding particular conduct. In light of these reasons, the court granted the defendants’ motion to dismiss.
The court’s decision in SolarWinds has implications for directors of all companies, as cybersecurity risks continue to arise and evolve. Given the growing risk of cybersecurity breaches, it is likely that more positive laws requiring companies to take certain actions and protection related to cybersecurity will be codified. As such, directors should remain diligent to ensure their companies monitor for applicable cybersecurity requirements, and ensure an appropriate oversight program is established and monitored, in order to avoid liability. In addition, while the court declined to find that lack of reporting to the full board of directors on cybersecurity matters arose to intentional disregard by the board of its oversight duties, the court characterized as “subpar” the reporting system between board committees and the full board. Thus, it is recommended that a regular system of reporting to the full board on cybersecurity matters should be considered.
This article is available in the Jenner & Block Japan Newsletter. / この記事はJenner & Blockニュースレターに掲載されています。
In 2020, hackers concealed malicious code in SolarWinds’ software and orchestrated an attack that affected up to 18,000 of SolarWinds’ clients and led to a precipitous drop in SolarWinds’ stock price. Plaintiffs brought a derivative suit against the directors of SolarWinds, alleging that the attack resulted from the directors’ breach of their fiduciary duties of loyalty for failure to provide reasonable oversight, as established by the landmark case In re Caremark International Inc. Derivative Litigation (1996), of the company’s cybersecurity risks.
Ultimately, the Delaware Chancery Court granted the defendants’ motion to dismiss, ruling that the complaint failed to show a “substantial likelihood” that a majority of the board of directors for SolarWinds faced liability on the merits of the plaintiffs’ claim. The court rejected plaintiffs’ argument that the directors had acted in bad faith in failing to monitor the company’s cybersecurity risks. The court also ruled that it was unwilling to hold the directors liable for failure to monitor a business risk, noting that past cases have only found breaches in director duties of oversight in instances where a company’s directors filed to comply with “positive laws,” such as statutes and regulations regarding particular conduct. In light of these reasons, the court granted the defendants’ motion to dismiss.
The court’s decision in SolarWinds has implications for directors of all companies, as cybersecurity risks continue to arise and evolve. Given the growing risk of cybersecurity breaches, it is likely that more positive laws requiring companies to take certain actions and protection related to cybersecurity will be codified. As such, directors should remain diligent to ensure their companies monitor for applicable cybersecurity requirements, and ensure an appropriate oversight program is established and monitored, in order to avoid liability. In addition, while the court declined to find that lack of reporting to the full board of directors on cybersecurity matters arose to intentional disregard by the board of its oversight duties, the court characterized as “subpar” the reporting system between board committees and the full board. Thus, it is recommended that a regular system of reporting to the full board on cybersecurity matters should be considered.
This article is available in the Jenner & Block Japan Newsletter. / この記事はJenner & Blockニュースレターに掲載されています。
Related Attorneys
Related Articles
Related Capabilities
© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.
News and Insights
Podcasts
Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast
Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.
July 15, 2026
Publications
Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report
Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.
July 14, 2026
Publications
Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law
Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.
July 7, 2026
Publications
In New York Law Journal, The True Lender Doctrine and the OppFi Decision
Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.
July 1, 2026
Event
Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference
On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.
July 1, 2026