Gibson Dunn partner Eduardo Gallardo has a most interesting post at the CLS Blue Sky Blog on the titular question. He concludes:
In light of the emphasis that the SEC and other regulators have placed on cybersecurity issues, the increasing amount of litigation over cybercrime, and the guidelines offered by Caremark and its progeny, boards should assess whether cybersecurity is “mission critical” to their business and, if so, should proactively incorporate cybersecurity issues into their oversight functions.
I think that, given the direction of case law in Delaware, he's probably right; so go read the whole thing.
On the other hand, as a policy matter, I deplore the direction of Delaware law in this area. A revised version of my paper Don’t Compound the Caremark Mistake by Extending it to ESG Oversight is now up at SSRN. The abstract follows:
Since the foundational decision in In re Caremark Intern. Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996), Delaware corporate law has required boards of directors to establish reasonable legal compliance programs. Although Caremark has been applied almost exclusively with respect to law and accounting compliance, the original Caremark decision contemplated applying the oversight duty to the corporation’s “business performance.” Accordingly, there is no doctrinal reason that Caremark claims should not lie in cases in which the corporation suffered losses, not due to a failure to comply with applicable laws, but rather due to lax risk management.
The question thus arises as to whether Caremark should be extended to board failures to exercise oversight with respect to environmental, social, and governance (ESG) factors. Obviously, where existing legislation or regulations impose compliance obligations in ESG-related areas, such as human resources, the environment, or worker safety, Caremark already applies. As such, boards must “ensure that compliance and monitoring systems are in place” to oversee corporate compliance with those laws.
Many ESG issues are not yet subject to legal requirements, however. The question addressed in this Article is whether the board’s Caremark obligations should be extended to encompass oversight of corporate performance with respect to such issues. In other words, should the board face potential liability not just for failing to ensure that the company has adequate reporting and monitoring systems in place to ensure compliance with ESG-related legal requirements, but also for failing to monitor ESG risks in areas where corporate compliance would be voluntary or aspirational?