In times of crisis, the risk of shareholder derivative litigation rises as boards of directors face heightened scrutiny of their actions. While business judgment protection applies to good faith board efforts to navigate a crisis, boards and their advisors should be mindful of guidance that the Delaware courts have issued in the past year, including in a Delaware Chancery Court case decided on April 27, regarding the circumstances in which a claim can move forward seeking to hold directors personally liable for a failure of oversight.
The 1996 Delaware Chancery Court decision in In re Caremark Int’l Inc. Deriv. Litig. clarified that directors are responsible for overseeing that the company has in place information and reporting systems reasonably designed to provide the board and senior management with timely, accurate information sufficient to support informed judgments about compliance risk.1 Since then, shareholder plaintiffs have tried to hold directors liable for a variety of corporate missteps on the basis that directors failed in their oversight role. These claims – known as Caremark claims – have until recently typically been dismissed in early pleading stages (before discovery) for failure to state a claim. Indeed, these types of claims are regarded as among the most difficult on which to establish director liability (although Caremark claims survived motions to dismiss in a few rare cases prior to 20192). Nonetheless they are attractive to plaintiffs because an oversight failure sufficient for a Caremark claim constitutes a breach of the duty of loyalty and good faith which cannot be exculpated under Delaware law. Because most Delaware corporations provide in their charters that directors will not be held personally liable for breaches of the duty of care, this is one of the few remaining avenues to seek monetary damages from directors personally absent a conflict of interest situation.
In three cases in the past year – one involving a listeria outbreak in ice cream (Marchand), one involving a failure to follow established clinical trial protocols for a cancer drug (Clovis) and just weeks ago one involving lack of attention by an audit committee to internal control issues in the wake of a restatement (Hughes) – Delaware courts have denied motions to dismiss on demand futility and sufficiency of pleadings grounds and allowed Caremark claims to move forward. These recent cases confirm the serious nature of directors’ oversight duties regarding compliance and risk, and the litigation risks associated with failure to demonstrate in corporate records that directors are attending to important compliance and other risks facing the company.
This Sidley Update summarizes the recent Delaware case law developments and provides practical guidance for boards and their advisors to reduce the risk of derivative claims premised on a failure of board oversight.
The board of directors is charged under state law with managing and directing the affairs of a corporation and has an obligation to provide direction and oversight to the CEO and senior management team to whom the board has delegated authority for the day-to-day operations of the company. The board may rely on others to whom authority has been delegated so long as it is reasonable to do so. Ongoing assessment of whether reliance on the CEO and management team is reasonable lies at the heart of board oversight and extends to ensuring that information and reporting systems are in place to provide the board with the information it needs to monitor the company’s compliance with applicable laws, rules and regulations.
When corporate employees are found to have participated in fraud or other serious misconduct, shareholders may seek to hold directors liable for a breach of fiduciary duty premised on the board’s failure to provide adequate oversight of compliance and related information systems and controls. Such a claim requires that the plaintiff allege with particularity facts that directors failed to implement any reporting or information system or controls or, having implemented such systems and controls, consciously failed to monitor or oversee its operations such that the directors effectively disabled themselves from being informed of compliance risk issues that required their attention.
In the 1960s, the prevailing wisdom was that directors had no duty to look for wrongdoing within the company. Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125 (Del. 1963) (“[D]irectors are entitled to rely on the honesty and integrity of their subordinates until something occurs to put them on suspicion that something is wrong…. [b]ut absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists [emphasis added].”)
Over the next three decades, corporate efforts to ensure compliance with law and regulation developed significantly due to increasing application of criminal sanctions and the mitigation provisions of the federal Organizational Sentencing Guidelines (1991), which created incentives for maintaining effective ethics and compliance programs. In its 1996 Caremark decision, the Delaware Chancery Court took notice of these developments and provided additional guidance about directors’ oversight obligations, clarifying that directors could not simply claim ignorance of compliance issues. The Court noted that decisions by employees can impact a company’s reputation and well-being and that criminal penalties and the Organizational Sentencing Guidelines provide “powerful incentives for corporations today to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to take prompt, voluntary remedial efforts.” The Court emphasized that directors have an affirmative duty to assure “that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.” The level of detail for an information and reporting system is a matter of business judgment, but failure to have an information and reporting system may “render a director liable for losses caused by non-compliance with applicable legal standards.”
A decade later in Stone v. Ritter,3 the Delaware Supreme Court emphasized the high standard to bring a claim against directors for failure of compliance oversight. Quoting Caremark, the Court emphasized that “[g]enerally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation ... only a sustained or systemic failure of the Board to exercise oversight — such as an utter failure to attempt to assure a reasonable information and reporting system exists — will establish the lack of good faith that is a necessary condition to liability.”
Marchand, Clovis and Hughes Cases
In the past year, Delaware courts have allowed three claims of oversight failure to proceed past a motion to dismiss, providing guidance about the types of circumstances in which these claims are sufficiently alleged to proceed: Marchand v. Barnhill, 212 A.3d 805 (Del. June 18, 2019); In re Clovis Oncology Inc. Deriv. Litig., C.A. No. 2017-0222-JRS (Del. Ch. Oct. 1, 2019); and Hughes v. Hu, C.A. No. 2019-0112-JTL (Del. Ch. Apr. 27, 2020).
Marchand involved a listeria outbreak in ice cream that resulted in three deaths. After a total product recall, the shutdown of plants and layoffs, and resolution of a resulting liquidity crisis through a dilutive private equity investment, a shareholder of Blue Bell Creameries filed a derivative suit alleging that directors failed to make a good faith effort to implement and monitor an oversight system for food safety, a key area of risk to the business. Prior to filing the suit the shareholder had used a books and record demand under Section 220 of the Delaware General Corporation Law to access board minutes and related documents. This enabled the plaintiff to allege with a fair degree of specificity that over a period of several years regulators had found numerous compliance failures including 15 positive listeria tests, but, despite management’s awareness of the increasing frequency of compliance failures and presence of listeria, neither topic was mentioned in the board meeting minutes.
The Chancery Court granted the defendants’ motion to dismiss and plaintiff appealed to the Delaware Supreme Court, which reversed. The Supreme Court found that the allegations supported a reasonable inference that the directors failed to implement any system to monitor Blue Bell’s food safety performance or compliance. The Supreme Court noted that food safety is a central compliance issue for Blue Bell. As a manufacturer of a single product, its business relies on consumers trusting that its ice cream is safe to eat. Despite this reliance, Blue Bell had “no committee overseeing food safety, no full board-level process to address food safety issues, and no protocol by which the board was expected to be advised of food safety reports and developments.” In addition, despite management’s awareness of increasing yellow and red flags relating to food safety, there was no evidence of any process to report food safety information up to the board. Accordingly, the Supreme Court concluded that the plaintiff’s Caremark claim should be allowed to proceed.
Clovis involved a biotechnology company with a drug in development for the treatment of a type of lung cancer. The drug was a “mission critical product” for Clovis Oncology, on which the company’s future prospects largely rested. The likelihood of Food and Drug Administration (FDA) approval depended on the success of the clinical trials, which under established protocols were to be reported based on confirmed clinical responses. The FDA took issue with the degree to which the protocol for reporting was strictly followed. When the actual confirm rate was disclosed, the company’s share price declined significantly. Shareholder plaintiffs filed a derivative suit against directors, alleging among other things failure to oversee the clinical trials. The Chancery Court denied defendants’ motion to dismiss the duty of oversight claim. Because the board had oversight and reporting systems in place relevant to the clinical trials, the Court held that the plaintiffs had not established that the board had failed to implement such systems. However, the Court found that the plaintiffs had stated a claim with respect to the duty to monitor oversight systems by alleging with particularity that the board consciously ignored multiple red flag warnings that management was inaccurately reporting the clinical trial results.
Vice Chancellor Joseph Slights drew an important distinction between the board’s oversight of a company’s management of business risks inherent in its business plan (i.e., risks that confront the business in the ordinary course of operations) and the board’s oversight of a company’s regulatory compliance risks. Citing Marchand, he stated that a board must exercise its oversight function more rigorously when the company operates in an environment where externally imposed regulations govern its mission critical operations. In that context, Caremark demands that a board make a good faith effort to implement and monitor an oversight system for compliance issues that are intrinsically critical to the company rather than leave such issues to management’s discretion. This is particularly true “when a monoline company operates in a highly regulated industry.”
Hughes is distinct from Marchand and Clovis in that it did not involve a single-product (monoline) company dealing with mission critical regulations. On April 27, the Chancery Court denied a motion to dismiss a shareholder derivative suit against officers and directors of Kandi Technologies, a publicly traded Delaware corporation based in China that sells parts used in electric vehicles. The company had had persistent problems with financial reporting and internal controls, encountering particular difficulties with related-party transactions dating back to 2010. In March 2014, the company had disclosed material weaknesses in financial reporting and oversight, including a lack of audit committee oversight and a lack of internal controls for related-party transactions. The company pledged to remediate these problems. However, in March 2017, the company disclosed that its preceding three years of financial statements needed to be restated – and despite its pledge to “get its house in order,” it also disclosed that it lacked sufficient expertise and/or controls relating to:
- US GAAP requirements and SEC disclosure regulations.
- Completeness of disclosure of financial statements for equity investments.
- Disclosure of related-party transactions.
- Classification and reporting of cash and non-cash activities related to accounts receivable, accounts payable and notes payable.
- Accuracy of the accounting and reporting of income taxes and related disclosures.
The shareholder plaintiff filed a derivative claim to recover damages from the three directors who comprised the audit committee during the period, the CEO and three CFOs who had served in quick succession. Prior to filing suit, the plaintiff shareholder had obtained books and records under a Section 220 demand and used those records to assert that directors “consciously failed” to establish a board-level system of oversight for the company’s financial statements and related-party transactions and simply relied blindly on management while devoting inadequate time to audit committee matters – leading to the restatement and causing the company harm.
Defendants moved to dismiss the complaint for failure to make a demand on the board and for failure to state a claim. The Court found that the books and records produced – and fair inferences from what the company failed to produce – supported a reasonable pleading-stage inference of a bad faith failure of oversight by the director defendants. It also found that demand was futile given that a majority of the board were defendants (and the substantial threat of liability renders them incapable of disinterestedly considering a demand). The analysis of the Rule 23.1 motion was viewed as dispositive of the Rule 12(b)(6) motion, which was also denied.
The Court highlighted several “chronic deficiencies” that support a reasonable inference that the directors failed to provide meaningful oversight of the company’s financial statements and system of financial controls:
- The audit committee typically met only once per year, even though it was aware of serious accounting and financial reporting deficiencies that the company publicly disclosed and resolved to remediate.
- Audit committee meetings never lasted more than one hour, and, at times, the members failed to cover important agenda items.
- The audit committee acted by unanimous written consent to approve related-party transactions on significantly different terms than those proposed and discussed at recent meetings.
- The audit committee acted by unanimous written consent to replace the outside auditor, explicitly basing its decision on management’s determination that it was “in the best interest of the company to change its independent auditors.”
The Court found that the plaintiff adequately pleaded that the audit committee “met sporadically, devoted inadequate time to its work, had clear notice of irregularities, and consciously turned a blind eye to their continuation” and that “the board never established its own reasonable system of monitoring and reporting, choosing instead to rely entirely on management.”
The company failed to produce related-party agreements and review procedures that were referenced in audit committee meeting minutes and were responsive to the Section 220 demand, suggesting that they either did not exist or did not impose meaningful restrictions on company insiders. The Court explained that what the company produced – or rather “conspicuously failed to produce” – “is telling because ‘[i]t is more reasonable to infer that exculpatory documents would be provided than to believe the opposite: that such documents existed and yet were inexplicably withheld’.”
Ultimately, the Court determined that the defendant directors “face a substantial likelihood of liability under Caremark for breaching their duty of loyalty by failing to act in good faith to maintain a board-level system for monitoring the company’s financial reporting” and declined to dismiss plaintiff’s claim. Vice Chancellor Travis Laster noted that the “complaint in this case depicts directors who acted similarly to their counterparts in Marchand, who failed ‘to make a good faith effort – i.e., try – to put in place a reasonable board-level system of monitoring and reporting’.”
Marchand, Clovis and Hughes underscore that the duty of oversight is central to a director’s fiduciary duties. While it may be difficult to state a claim for failure of oversight, with access to books and records and an egregious set of facts, the Delaware courts will entertain such claims, and boards should continue to focus on oversight of key areas in light of these decisions. These cases also emphasize the following:
- Board oversight responsibility includes good faith efforts both to ensure that a compliance system is implemented, and to monitor the system once implemented.
- Having a compliance program including information and reporting systems in place is necessary but not sufficient. The board must attend to these systems to monitor mission critical risks.
- Board responsibilities must be exercised and assessed in relation to the level of risk presented. In a mission critical environment, board oversight must be more rigorously exercised.
- The board record, including board agendas and minutes that plaintiffs may demand to inspect in a Section 220 books and records demand, needs to show that directors are attending to mission critical compliance risks. The absence of references in the board record to discussions and materials related to the specific risks at issue may allow the courts to infer on a motion to dismiss that such discussions were not occurring. Specifically, where board minutes provide no indication that the board has made an effort to inform itself of a compliance issue “intrinsically critical to the company’s business operation,” or the available record indicates that directors turned a blind eye to red flags regarding a mission critical compliance matter, a court may reasonably infer on a motion to dismiss that the board has not met the good faith effort required by Caremark.
General Practice Pointers on Board Oversight of Compliance
Boards of companies in heavily regulated industries, companies dependent on a sole product line and companies that have not emphasized the role of the board and audit committee in internal controls and financial reporting and enlisted the expertise and resources needed to support public company reporting obligations are especially on notice after this trinity of cases of the diligence expected of boards with respect to oversight. However, this guidance is not limited to companies in these situations. In light of these decisions and the heightened risks associated with the current COVID-19 pandemic, boards should consider sharpening their focus on oversight of compliance.
- Board understanding of critical risks: Identify and understand the key risks facing the company. Reach a thoughtful and well-informed business judgment about what, if any, compliance risks might be deemed to be “mission critical.”
- Compliance systems review: Understand and oversee (as either the full board or an appropriate board committee) the compliance culture, programs and systems (the policies, controls, and procedures) that management has put in place to identify, manage and mitigate risks and take prompt action to respond to risk incidents that arise. The duty of oversight is discharged in large measure by ensuring that the company has implemented appropriate compliance programs (including information and reporting systems) designed in relation to the risk profile of the company – including mission critical risks. Often this focus on compliance systems is delegated to a board committee. At least once a year (and more often if issues arise), review the compliance programs and systems in place and ensure that they are performing and are aligned with the standards set forth in federal Organizational Sentencing Guidelines, Department of Justice guidelines and other influential resources that provide guidance regarding board oversight of compliance and compliance program effectiveness. Consider alignment of the programs and systems with key compliance risks facing the company, which may evolve over time as the company’s business and compliance environment change. Consider the effectiveness of reporting hotlines and whistleblower mechanisms and whether changes are advisable.
- Information and reporting systems: Ensure that an appropriate information and reporting system is in place to provide information to management and the board about compliance issues. The system should be “reasonably designed to provide the board with timely, accurate information sufficient to allow the board to reach informed judgments concerning the corporation’s compliance with laws and oversight of risk.” Set clear expectations with management about the circumstances in which compliance issues should result in a board or committee report and which material developments in an area of risk should be brought to the immediate attention of the board or an appropriate committee. Hear, on a regular basis, from the senior executives with overall responsibility for the most significant risk areas facing the company. If there is an issue in a significant area of risk, ensure that management has an appropriate plan for addressing the risk and that the board or committee is updated regularly regarding that plan. If red flags or follow-up actions are identified, monitor the steps management takes to address those items.
- Oversight delegation: Consider from time to time whether the board has adequately apportioned responsibility for risk oversight including oversight of compliance risk as between the board and its various committees. Ensure that mission critical risks are matched to a committee having appropriate competency and resources. If monitoring of a critical risk has been delegated to an existing or newly created committee, reflect that responsibility in the committee’s charter. Be sure that the charter provision is carefully drafted: Emphasize that the role is “oversight” of management, and do not state that the committee’s role is to “ensure” compliance.
- Competency: Ensure appropriate access to information and expertise to monitor the company’s key risks, and assess management’s efforts to mitigate those risks. Consider the competency and experience of management, access to appropriate experts and the board’s own expertise.
- Agenda, minutes and exhibits: Schedule reports about a company’s critical risks in the calendar for the full board or an appropriate board committee. Ensure that board and committee agenda, minutes and exhibits (meeting materials) reflect discussions on compliance issues both with respect to ongoing oversight, periodic reviews and deeper dives and special situations that arise. Carefully document in board and/or committee minutes the fact (and sometimes the substance) of the presentations and discussions about mission critical compliance risks and agreed-upon follow-up actions taken. In considering recording the substance, recognize that the text of minutes may not be privileged or otherwise remain confidential and may be scrutinized by shareholder-plaintiffs and/or courts and compared against the company’s public disclosures.
- Disclosure: Review and confirm the accuracy of the company’s public disclosures about risks facing the company. Periodically assess the adequacy of the company’s disclosure controls and procedures.
- Audit committees: Audit committees need to invest real time in overseeing the correction of accounting and financial deficiencies of which they become aware – and keep a record of their activities in doing so – and ensure that a means is in place to promptly bring any such deficiencies to their attention. The audit committee or its chair should be advised, in real time, of any SEC comment letters or inquiries or whistleblower allegations, in each case that pertain to accounting and financial reporting matters. The audit committee should follow up on remediation of any internal control deficiencies or weaknesses. Among other things, the audit committee should insist on candor and transparency from the CFO, the independent auditors and the head of internal audit. Executive sessions of the audit committee should not be pro forma affairs. The audit committee should take care not to overly rely on management, either for the selection of auditors or in monitoring compliance with accounting and financial reporting requirements.
- Fiduciary duty review: Periodically (once every one or two years) have the general counsel or outside counsel review fiduciary duty standards with the board. This discussion should include a review of the board’s oversight responsibilities with respect to compliance as well as a discussion of any significant compliance risks.
- Informed common sense: Apply the same informed common sense approach to oversight in the current situation that directors apply in other contexts, mindful that the primary question to ask oneself is whether the reliance placed on management, other experts and advisors and board committees is reasonable.
Practice Pointers Specific to Board Oversight of a Company’s COVID-19 Response
Through the Caremark line of cases, the Delaware courts have emphasized that, on the right set of facts, director passivity as to oversight of regulatory or legal compliance risk can constitute bad faith, as an intentional dereliction of duty or intentional disregard of a known risk or duty to act.4 While Marchand and Clovis apply this in the context of mission critical risks relating to a company’s single product line, the Hughes case can be read as recognizing that for a public company, compliance with regulations involving accounting and financial reporting are mission critical and, therefore, chronic deficiencies in overseeing those areas can state a Caremark claim.
With respect to board oversight of management’s response to the current pandemic, it bears noting that the Delaware courts have expressly rejected extension of Caremark claims from compliance risk to business risk in Citigroup following the mortgage meltdown of 2008.5 To the extent that a claim of failed oversight is outside of the context of mission critical and regulatory compliance risks, a board’s actions or inactions in the COVID-19 context should be assessed purely on the basis of its duty of care. While a duty of care failure alone will not give rise to personal liability due to exculpatory charter provisions, nevertheless, directors and their advisors are prudent to take special care during this time to assure that they are meeting that standard, as well as the standard of good faith. With that in mind, we offer the following suggestions for areas of board focus in light of the pandemic:
- Discuss with management identification of and plans to mitigate key risks facing the company in light of the COVID-19 pandemic and the health and safety, financial and operational issues it presents, including issues related to employee leave and work-from-home policies and sanitation protocols, business and supply chain disruption and continuity planning, as well as financial and contractual covenants, cybersecurity and privacy issues and other legal, regulatory and compliance risks. Ask questions about material issues, and follow up as necessary.
- Expect and plan for the risk posture of the company to change such that board attention to oversight of risk identification and mitigation should also be fluid.
- Set clear expectations that management will keep the board well-informed as situations develop.
- Consider whether special board protocols such as scheduling additional board communications and/or meetings, establishing an ad hoc committee or assigning additional duties to a current committee (e.g., an executive or risk committee) would assist the board in providing oversight during the crisis.
- Review developments regarding state and federal regulation and guidance regarding employee and customer health and safety issues, and discuss with management its plans to ensure compliance with such regulation and guidance, and impact on company policies and procedures. Also consider developments regarding emerging industry practices and recommended practices from health and safety experts.
- Set clear expectations that management will document all of these activities in board minutes and other appropriate corporate books and records, and that directors will promptly review minutes.
- Discuss with management and review any significant changes to corporate disclosures (e.g., supplements to risk factors, the withdrawal or modification of earnings guidance, updates to the MD&A and financial statements) and related SEC developments.
- Encourage management to maintain a clear and consistent communications strategy.
- Discuss with management whether additional efforts are prudent to protect against selective disclosure and insider trading and whether changes need to be made to insider trading or other policies.
1698 A.2d 959 (Del. Ch. 1996).
2For example, see In re Puda Coal Inc. S’holder Litig. (Del. Ch. 2013); Rich v. Chong (Del. Ch. 2013); In re China Agritech, Inc. S’holder Deriv. Litig. (Del. Ch. 2013); Louisiana Municipal Police Employees Retirement System v. Pyott (Del. Ch. 2012); and American Int’l Group, Inc., Consol. Deriv. Litig; AIG, Inc. v. Greenberg (Del. Ch. 2009).
3911 A.2d 362 (Del. 2006).
4In re The Walt Disney Co. Deriv. Litig., 907 A.2d 693 (Del. Ch. 2005) aff’d, 906 A.2d 27 (Del. 2006).
5In re Citigroup Inc. S’holder Deriv. Litig., 964 A.2d 106 (Del. Ch. 2009).
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.