Beyond Cybersecurity:
The SolarWinds Scandal as a Reflection of Corporate Governance Failures
by Dr Rois Ni Thuama
At the tail end of 2023 (30 October), the Securities and Exchange Commission (SEC) formally announced charges against SolarWinds Corporation and its Chief Information Security Officer, Timothy G. Brown, for fraud and internal control failures relating to known cybersecurity risks and vulnerabilities.

This article examines the material facts of the case and explains why the incident is more than a deficiency in cyber governance: it points to broader corporate failures, and to significant corporate pain ahead for firms that overlook the lessons of this matter.

The article also examines the SEC filings to capture the issues that the defendants are facing and provides clear instruction on how firms and their CISOs can avoid similar issues in the future.

SolarWinds – some facts
In December 2020 Reuters reported that SolarWinds had fallen victim to a cyberattack which was then used to infiltrate its clients and which went unnoticed for several months. The attack, believed by senior US officials to originate from Russia, enabled foreign hackers to conduct espionage against private entities, including the prominent cybersecurity company FireEye, as well as high-level US Government departments such as the Department of Homeland Security and the Treasury Department.

There are three key takeaways from the short paragraph above.

Firstly, it is critical to understand what SolarWinds (SW) offers to the market. The SW platform forms the core of its IT Management Portfolio, providing a ‘stable and scalable architecture that includes data collection, processing, storage, and presentation.’ In other words, the executives in this firm are not without an understanding of how technology operates. This isn’t, for example, a company that manufactures lipstick.

Secondly, SolarWinds’ US Government clients form part of the critical national infrastructure (CNI), and this fact would have been known and understood by all its senior staff. Critical infrastructure is defined in the US as those “assets, systems, and networks, whether physical or virtual, considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof”.

Thirdly, the attack was attributed to a sophisticated nation-state actor, i.e. Russia. However, this fact alone does not in itself imply anything about the complexity of the attack.

Historically, there has been a strong focus on determining the source of such attacks, with significant emphasis on discerning whether they were perpetrated by a nation-state or a criminal organisation. But from a technological standpoint, the nature of the actor is less consequential than the nature of the act itself. No company should be open to exploitation or attack through a known, common vulnerability or exposure.

The emphasis on who initiated the attack is interesting from a geopolitical risk perspective, but not from a cyber governance, risk management or mitigation perspective. Ensuring that your business is fortified against known and significant threats is crucial, not only for maintaining cyber resilience but also for establishing a legally defensible position. Putting it simply, it’s not the actor, it’s the act.

It is likely that sophisticated and professional investors will increasingly look to recover losses that might have been preventable. In the United States, for example, the business judgement rule shields a corporation’s directors from liability in lawsuits alleging a breach of the duty of care to the company, provided the directors’ actions meet the criteria of the rule.

The rule requires that directors act in good faith, with due care (making decisions on an informed basis) and with the reasonable belief that they are acting in the best interests of the corporation.

It is elementary that directors in a technological firm appreciate the importance of making sound business decisions relating to their digital operational posture. After all, they must promote the success of their business, protect their firm, their clients and their reputation.

Directors in Ireland are subject to comparable responsibilities. Pursuant to Section 228 of the Companies Act 2014, a director is required to fulfil several duties, including acting in the best interests of the company, acting honestly in relation to the conduct of the affairs of the company, avoiding conflicts of interest, and demonstrating an appropriate level of care, skill, and diligence.

To what extent a director has exercised care, skill, and diligence will be considered against a two-stage test which contains both subjective and objective elements.

They are:

  1. the knowledge and experience that may reasonably be expected of a person in the same position as the director; and
  2. the knowledge and experience which the director has.
Then the next question arises: what level of knowledge and expertise might one reasonably expect from an individual occupying a director’s role in a technologically advanced company? This consideration is particularly pertinent for a company that:

  1. Advertises its product as a ‘stable architecture encompassing data collection, processing, storage’ and
  2. Markets this product to entities classified under Critical National Infrastructure (CNI).

Given the givens, the bar is high. It would not be unreasonable to expect that any person holding a position of director and involved in the daily operations and management of a technologically sophisticated business would consider that in order to meet their legal obligations they would:

  1. Exercise reasonable care to ensure their own digital estate management is resilient, and
  2. Address reasonably identifiable circumstances to manage and mitigate risks to their business and their clients. In other words, they would recognise the importance of their business as a supplier to highly sensitive government agencies.

While these questions are not yet before the court, it is inevitable that businesses on both sides of the Atlantic will find themselves defending their decisions, and their decision-making process, following cyber-attacks. Ultimately, this will be more painful in situations where the directors failed to fulfil their legal responsibilities and the resulting cyber-attacks were preventable.

However, while it has been an intellectually stimulating exercise to speculate on potential outcomes, the current situation faced by the firm and its Chief Information Security Officer (CISO) offers a significant learning opportunity for businesses.

Corporate Miscommunications
The complaint filed by the SEC in the Southern District of New York offers valuable lessons for those in the business sector who are receptive to learning. Although the cyberattack was significant, affecting nine federal agencies and numerous private companies, the core issue of the complaint transcends the company’s failure to implement the latest technologies for cyber defence. Rather, it centres on the allegations that the business and its CISO made a series of false claims.

From a legal perspective, the presence of multiple false claims is significant as it indicates a pattern of conduct within the business. Had there been a solitary occurrence, it might have been capable of being construed as an error or oversight. However, a series of such incidents over a period of time evidences a continuity of purpose. This makes defending any genuine errors extremely difficult for the legal team.

Integrity and Transparency in Corporate Statements
The fact that misstatements were made in company-approved press releases, blog posts and podcasts is significant. It is the equivalent of the business rubber-stamping or approving the misinformation. A critical lesson that businesses could promptly incorporate to avoid a similar situation would be the formulation and execution of a sensible Communications Policy.

This policy should expressly prohibit any employee from making statements about the business that are untrue or false. Declarations that statements are true together with notification of penalties for misleading the market could assist senior executives in appreciating the seriousness of making false claims.

Furthermore, it should be a standard expectation that executives provide clear justification for their positions. For instance, if a technical executive, referred to here as Executive A, makes a technological claim that is endorsed and propagated by the business across various departments (such as sales and marketing), there needs to be a transparent and traceable link from the claim’s originator, through whoever approved it, to the final published document. Importantly, an approved version of that document should not be altered in place: any change should produce a new version, and every earlier version should be preserved so that modifications can be tracked and audited.
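One way to make such a chain of custody concrete is a tamper-evident register of published claims, in which each approved version records who originated the technical statement, who approved it for publication, and a hash of the previous version. The following is an added illustration written for this article; it is not code from SolarWinds or from the SEC filings, and the claim identifiers, names and statement texts in it are constructed for the example.

```python
"""Tamper-evident register of externally published claims.

Added example, not from the article or from any company's tooling. Each approved
version of a claim is sealed with a SHA-256 digest over its content and the digest
of the previous version, so the path from the technical owner to the published
text can be audited and any silent edit to an approved version is detectable.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash used by the first version of every claim


@dataclass(frozen=True)
class ClaimVersion:
    claim_id: str
    version: int
    originator: str   # who asserted the technical fact (e.g. "Executive A")
    approver: str     # who signed it off for publication
    text: str         # the statement as published
    prev_hash: str    # digest of the previous version, or GENESIS
    digest: str = ""  # filled in by seal()


def _canonical(v: ClaimVersion) -> bytes:
    """Deterministic encoding of every field except the digest itself."""
    fields = asdict(v)
    fields.pop("digest")
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def _digest_of(v: ClaimVersion) -> str:
    return hashlib.sha256(_canonical(v)).hexdigest()


def seal(v: ClaimVersion) -> ClaimVersion:
    """Return a copy of the version with its digest computed."""
    return replace(v, digest=_digest_of(v))


class ClaimRegister:
    def __init__(self) -> None:
        self.versions: List[ClaimVersion] = []

    def history(self, claim_id: str) -> List[ClaimVersion]:
        """All preserved versions of a claim, oldest first."""
        return [v for v in self.versions if v.claim_id == claim_id]

    def latest(self, claim_id: str) -> Optional[ClaimVersion]:
        hist = self.history(claim_id)
        return hist[-1] if hist else None

    def record(self, claim_id: str, originator: str, approver: str, text: str) -> ClaimVersion:
        """Append a new version; earlier versions are never modified."""
        prev = self.latest(claim_id)
        v = ClaimVersion(
            claim_id=claim_id,
            version=(prev.version + 1) if prev else 1,
            originator=originator,
            approver=approver,
            text=text,
            prev_hash=prev.digest if prev else GENESIS,
        )
        sealed = seal(v)
        self.versions.append(sealed)
        return sealed

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the register is intact."""
        problems: List[str] = []
        last_actual: Dict[str, str] = {}  # claim_id -> recomputed digest of its latest version
        for v in self.versions:
            actual = _digest_of(v)
            if v.digest != actual:
                problems.append(f"{v.claim_id} v{v.version}: content does not match its recorded digest")
            expected_prev = last_actual.get(v.claim_id, GENESIS)
            if v.prev_hash != expected_prev:
                problems.append(f"{v.claim_id} v{v.version}: link to the previous version is broken")
            # Chain on the recomputed digest so a re-sealed edit still breaks the next link.
            last_actual[v.claim_id] = actual
        return problems


if __name__ == "__main__":
    reg = ClaimRegister()
    reg.record("pw-policy", "Executive A", "Head of Communications",
               "All accounts are subject to a strong password policy.")
    reg.record("pw-policy", "Executive A", "Head of Communications",
               "A strong password policy is defined; enforcement is being rolled out.")
    print("intact:", reg.verify() == [])
    # A silent in-place edit of an already approved version is caught on the next verify().
    reg.versions[0] = replace(reg.versions[0], text="All accounts use MFA and strong passwords.")
    print("after edit:", reg.verify())
```

The point of chaining on the recomputed digest rather than the recorded one is that an editor who rewrites an old version and re-seals it still invalidates every later version's `prev_hash`; the register then shows exactly which approved statement was changed after approval.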

Find a framework that works for your business
SolarWinds and Brown claimed to follow the NIST (National Institute of Standards and Technology) Cybersecurity Framework. The latest version, NIST Cybersecurity Framework version 2 or NIST CSF 2.0, is an effective framework for addressing cybersecurity risk and has been widely adopted. Claiming to follow NIST CSF signals a level of sophistication and maturity in the business’s approach to cyber resilience. But of course, this only holds if the business actually takes the time and trouble to implement it. The SEC maintained in its filings that SolarWinds had ‘no policy or practice in place for most of the NIST framework’.

It is easy to envision investors trusting the company’s statement on the assumption that the firm was operating professionally and not engaging in widespread deceit. Businesses would do well to find a framework, commit to it, and be truthful about where they are on the journey. The downside of telling the truth is less painful, in both the short and the long term, than the downside of making false statements.
Password123
SolarWinds and Brown claimed that they had a strong password policy. Indeed, it appears that they did have a strong policy on paper. However, the gap between what the policy said and the extent to which it was actually enforced gave rise to the SEC’s complaint that the statement was materially false.

It is well known and understood that strong passwords are a critical factor in keeping businesses safe and protecting them from cyber-attacks, so implementing best practice should be uncontroversial. Since a password policy is neither technologically difficult nor expensive to enforce, it is surprising that the firm failed to comply with even the most well-known, plain-vanilla cyber security controls.
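The gap the SEC describes, a policy that exists on paper but is not enforced, is closed by turning the written rules into an automated check that runs at password set time and in periodic audits. The following is an added example for this article, not SolarWinds' code or a reproduction of its policy; the 12-character minimum, the tiny denylist, the company name "acme" and the sample accounts are all constructed for illustration, and a real deployment would substitute its own policy values and a full breached-password list.

```python
"""Enforcing a written password policy as an automated check.

Added example, not from the article or from any company's tooling. The policy
values (minimum length, denylist, context words) are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Common "leet" substitutions undone before comparing against the denylist.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

# Constructed, deliberately small denylist; a real one should hold millions of entries.
COMMON_PASSWORDS: Set[str] = {
    "password", "password123", "password1", "welcome1", "qwerty123",
    "letmein", "admin123", "changeme", "123456789", "iloveyou",
}


@dataclass
class Policy:
    min_length: int = 12
    max_length: int = 128
    denylist: Set[str] = field(default_factory=lambda: set(COMMON_PASSWORDS))
    context_words: Tuple[str, ...] = ("acme",)  # company/product names (assumed)
    max_repeat_run: int = 4                     # reject e.g. "aaaa" or "1111"


def normalise(pw: str) -> str:
    """Reduce a password to its core word for denylist comparison.

    Trailing digits/punctuation are stripped first, then leet substitutions are
    undone, so 'P@ssw0rd123!' compares as 'password'.
    """
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def check_password(pw: str, username: str, policy: Policy) -> List[str]:
    """Return the list of policy rules the password violates (empty = compliant)."""
    violations: List[str] = []
    lowered = pw.lower()
    core = normalise(pw)

    if len(pw) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        violations.append(f"longer than {policy.max_length} characters")
    if lowered in policy.denylist or core in policy.denylist:
        violations.append("matches a commonly used password")
    if len(username) >= 3 and username.lower() in lowered:
        violations.append("contains the username")
    for word in policy.context_words:
        if word in core:
            violations.append(f"contains the context word '{word}'")
    if re.search(r"(.)\1{%d,}" % (policy.max_repeat_run - 1), pw):
        violations.append(f"contains {policy.max_repeat_run}+ repeated characters")
    return violations


def audit(accounts: Dict[str, str], policy: Policy) -> Dict[str, List[str]]:
    """Run the policy over username -> password pairs; return only the failures.

    In practice this runs against a password-change hook, not stored plaintext;
    the plaintext dict here is constructed input for the example.
    """
    return {user: v for user, pw in accounts.items() if (v := check_password(pw, user, policy))}


if __name__ == "__main__":
    sample = {  # constructed sample accounts
        "jsmith": "Password123",
        "akumar": "correct horse battery staple",
        "tbrown": "P@ssw0rd123!",
        "ops-admin": "acme-ops-admin-2024",
    }
    for user, problems in audit(sample, Policy()).items():
        print(f"{user}: {', '.join(problems)}")
```

The normalisation step matters: a policy that only checks length and character classes accepts `P@ssw0rd123!`, which is exactly the sort of password that a breached-password list rejects. Running the same `check_password` function both at set time and in a scheduled audit is what makes the written policy and the enforced policy the same thing.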

Conclusion
It is likely that we will witness an increase in corporate scandals of this nature. This can be expected not because of any change in the practices of companies within these sectors, but because institutional investors, regulatory bodies and law enforcement agencies have significantly deepened their understanding of cyber resilience and the threat landscape.

The paramount lesson derived from the SolarWinds scandal is the widespread presence of dishonesty and duplicity within the organisation, indicative of a corporate culture that tolerates such behaviour. Attributing this to the corporate culture inherently implicates the leadership. Although the Chief Information Security Officer (CISO) is currently bearing the brunt, the ethical climate was established by the entire executive management. Such corporate failings are not a matter of technical inadequacies but rather a reflection of leadership deficiencies.

Dr Rois Ni Thuama
A Doctor of Law and subject matter expert in cyber governance and risk mitigation, Rois is Principal at RT Consulting Ltd. Working with key clients across a wide market spectrum including legal, finance, banking, and oil & gas Rois writes and presents on significant cyber threats, trends, addressing and managing risks.