Cyber-security related incidents frequently grab the news headlines but the NotPetya cyberattack in June 2017, the largest reported cyberattack in history, demonstrated the impact such attacks can have on otherwise unconnected businesses and organisations. The Ukraine was the main target of Russia's malware virus but the crippling effects were felt globally, bringing banks, governments, hospitals and other organisations to a complete standstill for several days.
The risk that management liability lawsuits would follow NotPetya and other cyber-related incidents has, understandably, been a top concern for those organisations affected. The latest securities class action brought against FedEx and certain of its directors and officers brings this prospect into sharp focus.
FedEx cyber-security follow-on class action
FedEx acquired TNT, a Netherlands-based logistics company, in June 2016 to significantly expand its international operations. One year later, TNT was crippled by the NotPetya cyberattack and its systems were paralysed at a critical stage of its integration with FedEx's European operations.
FedEx investors, who purchased at least 500 FedEx shares in the "class period" between 19 September 2017 and 18 December 2018, have filed a class action against FedEx and certain of its directors (collectively the defendants) to recover a 12 percent fall in share value. The investors allege that during the class period, the defendants gave false assurances that the impact from NotPetya was minimal, that customer volumes were being restored to pre-attack levels, that the integration of TNT was progressing successfully and that FedEx was on track to see operating income rise by $1.2bn (as forecasted) as a result of the TNT acquisition. It is also alleged that FedEX failed to disclose important information regarding TNT's deteriorating business and its failure to stay on track to meet financial targets.
The class action was filed in June 2019 in the Southern District of New York and it is still very much in its infancy.
Is the FedEx securities class action a sign of more to come? In recent years, we have not seen the wave of cyber-related securities lawsuits being brought against companies and their directors that some predicted. Most likely this is because the ability to prosecute a successful cyber-related securities class against a company and its senior managers depends on more than whether a company has suffered a cyberattack or not. Securities claims require the investors to show that representations or statements made by the company/its management were misleading and/or false and they have suffered a loss as a result. It is the misleading representations and the subsequent fall in share price (usually when news breaks that the company is in a poorer financial state than previously stated) that provide the necessary "hooks" for investors to bring a successful securities lawsuit.
The events in the FedEx dispute (arguably) have those essential hooks. The complaint is about far more than the fact that TNT was crippled by the NotPetya cyberattack which, possibly under different circumstances, would have brought TNT's systems down for a few days but perhaps not have lead to any long term irrecoverable impact on its/FedEX's business or share values. The investors can point to representations by FedEx that its acquisition of TNT would increase operating income; representations that TNT had recovered from NotPetya and the attack had no residual impact; and representations that the integration of TNT and FedEx had been successful. They can argue these representations induced or enticed them to purchase shares which they would not have purchased if the "true" position had been stated. And they can show they have suffered a loss because the revelation that FedEx's financial position had deteriorated resulted in a 12% fall in share value.
All this is not to say that the FedEx complaint will succeed, but the point is that a cyberattack without more, is unlikely to be sufficient to bring a successful securities lawsuit against a company and its directors and officers. Indeed, NotPetya is believed to have been the largest cyberattack in history – it caused massive disruption across the globe - and yet, so far, there have been no other reported securities lawsuits brought against publicly listed companies arising from this cyberattack. Of course, others may follow if they can fit the mould.
The number of securities class actions being filed in the US courts is at an all-time high and this trend is now spreading to Europe. Described by some as "icebergs", securities class actions are often large, heavy, dangerous and slow-moving, and from a director's perspective, D&O insurance is critical to protect them against the costs of defending this expensive litigation and paying judgment awards or settlements.
FedEx's acquisition of TNT, the NotPetya cyberattack and the fall in share price covered at least a 30 month period from June 2016 to December 2018. Multiple D&O policies and multiple carriers may be affected, and the insurers notified will want to be satisfied that any presentation of the risk was fairly made to them or that liability issues were first appreciated in their policy period.
Most securities class actions settle to avoid the expense of litigation. It will be interesting to see what happens in the FedEx lawsuit and whether this influences how other cybersecurity securities lawsuits are run going forward.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.