Liability of company directors: the duty of oversight with respect to cybersecurity risks

An interesting ruling from the Delaware court on the subject (with an unfavourable outcome for the plaintiffs): COURT OF CHANCERY OF THE STATE OF DELAWARE, C.A. No. 2021-0940-SG, of 6 September 2022, CONSTRUCTION INDUSTRY LABORERS PENSION FUND and others v. Bingle and others (see it on the Delaware courts website).

The negligence alleged was the failure to prevent attacks by Russian hackers, despite some red flags pointing to deficiencies in the system. The company provided IT support to important clients and, through this omission, allowed viruses to spread to their servers.

Conclusion of Judge Glasscock, p. 35/6: <<To recapitulate, a subpar reporting system between a Board subcommittee and the fuller Board is not equivalent to an “utter failure to attempt to assure” that a reporting system exists. The short time period here between the IPO and the trauma suffered, together with the fact that the Board apparently did not request a report on cybersecurity in that period, is not sufficient for me to infer an intentional “sustained or systematic failure” of oversight, particularly given directors are presumed to act in good faith. And again, the Complaint is silent as to what the Committees should in good faith have reported, and how it could have mitigated corporate trauma. Carelessness absent scienter is not bad faith. In sum, the Complaint has not pled sufficient particularized facts to support a reasonable inference of scienter and therefore actions taken in bad faith by the Board. Without a satisfactorily particularized pleading allowing reasonably conceivable inference of scienter, a bad faith claim cannot survive a motion to dismiss. Because the Caremark claim is not viable, there is no substantial likelihood of liability attaching to a majority of the directors on the demand Board. Therefore, demand on the Board would not have been futile>>.

A 2021 precedent should also be recalled, again from Delaware and again on liability for cybersecurity risks: Firemen’s Retirement System of St. Louis v. Arne M. Sorenson, et al. (Marriott International, Inc.) of 5 October 2021, C.A. No. 2019-0965-LWW.

And, at this point, also one from 2020, which does not concern cyber risks but still deals with the directors' duty of oversight: Richardson v. Clark and others, 31.12.2020, C.A. No. 2019-1015-SG,