A recent article by the D&O Diary comments on the FedEx securities class-action lawsuit, which is an example of management liability litigation stemming from a cybersecurity-related incident. In the lawsuit, a shareholder alleges that management at FedEx did not share the extent of disruption caused by a recent malware attack in a timely manner. The allegations in this lawsuit are similar to other cybersecurity-related securities lawsuits in recent years.
In 2016, FedEx completed an acquisition of TNT Express to grow its operations in Europe. In 2017, TNT systems were severely impacted by the “NotPetya” cyberattack that hit many companies across the globe. The cyberattack “spread a malware virus throughout TNT’s systems during a critical period of TNT’s integration into FedEx’s operations.” While the organization noted in September 2017 that the attack had impacted its financial performance, it offered public reassurance that the systems had been fully restored. According to the complaint, the full extent of disruption from the malware was not disclosed until December 2018, a year after the attack.
The complaint filed against FedEx is similar to complaints against other companies, such as Marriott after the acquisition of its Starwood division and PayPal after the acquisition of a bill-pay system. Cybercriminals often target smaller companies that have recently been acquired by much larger organizations, since they are often in a fragile transitional period. Organizations need to properly consider the cybersecurity aspects of the target company they intend to acquire.
Another main component of the lawsuit concerns the failure to fully disclose the impact of the breach to investors in a timely manner. One unique aspect of the FedEx complaint is that the cyber incident did not expose any private or sensitive information. Instead, the malware attack caused harm to the financial and operational aspects of TNT. The example demonstrates the importance of transparency to all stakeholders, including investors, customers and the public, after a cyber incident. In keeping with that transparency, it is critical to ensure you are able to manage the media and public perception. This is magnified for public companies given disclosure requirements to shareholders.
The FedEx case shows other large, public companies that it is possible to get hit with a D&O lawsuit due to a cybersecurity threat. This threat could take the form of a data breach, malware attack or privacy violation. A critical lesson learned from this case is that all companies need to make sure that they are thorough in their due diligence efforts prior to an acquisition. There are numerous examples of acquiring companies not properly considering the cybersecurity aspects of their target companies.
Reach out to an advisor to discuss your cyber concerns whether you have recently acquired a new firm or are considering expanding through an acquisition.