90 | Weil, Gotshal & Manges LLP LITIGATION TRENDS 2024 | 91 T O C E M P A N T I I P C A P R O W C C O N T A C T I N T A P P P A T C C L S E C S E C Court determined that the committee failed to satisfy MFW and remanded the case to the Delaware Court of Chancery for further proceedings. The Match decision provides important guidance from the Delaware Supreme Court regarding the path to business judgment review for transaction planners considering any transaction involving a controlling stockholder that stands on both sides of the transaction and receives a non-ratable benefit. It also highlights the importance of carefully implementing the MFW framework in order to achieve the benefits of the business judgment rule and secure a pleading stage dismissal of any stockholder claims challenging the controlling stockholder transaction. Increased SEC Focus on Cybersecurity and Risk Disclosures More Broadly In August 2023, the SEC adopted rules requiring companies to disclose cyberattacks within four days of their occurrence and to disclose, on an annual basis, their cybersecurity risks and their strategies for managing those risks. Further demonstrating the SEC’s increased focus on cybersecurity and risk disclosures, in October 2023, the SEC filed a civil enforcement action against SolarWinds—itself a provider of cybersecurity software—and a senior executive officer, alleging that the defendants “defrauded SolarWinds investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing— cybersecurity risks.” SolarWinds “provides software that thousands of companies and many government agencies use to manage their information technology infrastructure by, for example, monitoring activity on networked servers.” In 2020, in a highly publicized story, SolarWinds publicly disclosed that “it was the target of a massive, nearly two-year long cyberattack” that also affected numerous SolarWinds customers. The SEC complaint was the culmination of a multiyear investigation and alleges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to the SEC, “[t]he true state of SolarWinds’ cybersecurity practices, controls, and risks ultimately came to light only following a massive cyberattack” on SolarWinds’ “flagship product”—considered to be a “crown jewel” asset accounting for 45% of SolarWinds’ revenue in 2020—that “exploited some of SolarWinds’ poor cybersecurity practices.” The SEC complaint alleges numerous violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 and seeks, among other things, permanent injunctive relief, disgorgement, civil penalties, and an officer and director bar against the SolarWinds executive. While this is not the first time the SEC has taken enforcement action on cybersecurity and risk disclosure matters, the SolarWinds case is notable for its allegations of knowing and intentional fraud, which can be difficult to prove and highlight the effort and resources the SEC is willing to devote to risk disclosure and cybersecurity matters. Indeed, in announcing the SolarWinds enforcement action, the SEC’s director of enforcement issued a stern warning to issuers about risk disclosures in general: “Today’s enforcement action not only charges SolarWinds and [its executive officer] for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.” We expect this to be a continued area of SEC focus. Securities Litigation
RkJQdWJsaXNoZXIy MTE2NjA5Mw==