It has been largely assumed boards of directors are largely insulated from the personal consequences of major corporate disasters. Protected by the “business judgment rule” and corporate charters, directors have historically been shielded from liability for operational failures that occur on their watch. That shield is cracking without any additional burdens being placed on directors. Simply put, directors are expected to act like directors.
Recent court decisions have delivered a stark warning: the rules have changed and the personal stakes have never been higher. The shift in legal interpretation signals a new era of corporate governance in that passive supervision is no longer a defensible position. Courts now expect directors to be actively engaged, informed, and responsive, especially when it comes to risks that are fundamental to the company’s business. This article explores four supremely impactful lessons for corporate directors from this new era of heightened accountability.
A Public Disaster Can Become a Legal “Red Flag” a Board Cannot Ignore
Under Delaware’s influential Caremark doctrine, directors have a duty to monitor their organizations. A board can be held liable for a bad faith breach of this duty in two ways by(1) “utterly failing to implement any reporting or information system” or (2) “consciously failing to monitor or oversee its operations” after a system is in place, which includes ignoring clear warnings (a “red-flag” claim).While this standard has existed for decades, the In re Boeing Company Derivative Litigation case gave it a powerful new application. Following two fatal crashes of its 737-Max aircraft, the board was sued for failing its duty of oversight. The court found that the board had failed to respond to the first crash, which served as an unmistakable “red flag” of a mission-critical safety failure.
This finding establishes a critical, and for many boards, an alarming precedent in that the Court found that the first fatal crash was clearly a red flag because it was widely reported in the media, those reports reached the board, and the board ignored them. Mission-critical failures that are matters of public knowledge should result in directors being on notice of the “red flags.” This makes sense in the Court is stating directors are held to a minimal standard of reading the newspaper or Apple News for a couple of minutes each day.
Therefore, directors cannot simply wait for internal reports to act; they have a duty to respond. The real-world cost of this failure was immense: the derivative litigation was ultimately settled for $237.5 million.
You May Not Liable for Bad Cybersecurity—Get Yourself Educated
For years, shareholder lawsuits based solely on a company having deficient cybersecurity consistently failed. As the Delaware court’s decision in the SolarWinds case illustrated, even a “minimal cybersecurity program” was often enough to shield directors when plaintiffs could not prove the board itself was aware of specific internal deficiencies.
This is no longer the situation per the Boeing case referenced above. Everyone knows cybersecurity is a monumentally important issue in 2026. Therefore, directors should consider themselves obligated to educate themselves to make well-reasoned decisions on this issue.
It is also important to note a new framework reframes this challenge by shifting the focus from operational failures (the bad cybersecurity itself) to disclosure failures . Under this approach, director liability arises when a company makes “materially misleading statements about its cybersecurity quality” and the board knowingly fails to oversee the accuracy of those statements. This reframes the issue entirely, shifting the legal battleground from the server room to the C-suite’s public filings.
The act of making false statements about cybersecurity to customers or regulators creates liability in addition to the technical deficiencies. Directors must accept and appreciate such deception can lead to “corporate headaches” including regulatory enforcement, litigation, and significant customer flight when the truth is revealed.
Your Board Minutes Are Now Exhibit A
The conclusion that Boeing’s board ignored a public “red flag” was more than mere speculation. Investigators did not find any internal inquiry or other action in Boeing’s own records. In the world of oversight litigation, a plaintiff’s first weapon is often a formal demand for a company’s “books and records” under Delaware’s Section 220. In these situations, a perceived absence of board activity can be more incriminating than a flawed decision.
The Boeing case provides a stark example. The Court highlighted that the corporate records produced “do not reveal evidence of any director seeking or receiving additional written information” about airplane safety even after the first catastrophic crash. This lack of documented engagement supported the claim that the board had consciously failed in its duty. Yet again, directors are being subject to a more than reasonable expectation—asking questions after what PR professionals presumably call “Holy Crap!” moments.
Conversely, a well-documented history of engagement could be a director’s best defense. A robust record of board-level oversight activity should prove viable derivative claims do not exist to proactively avoid litigation. This underscores the critical importance of meticulously documenting a Board’s inquiry into all issues in minutes, reports, and other official records.
A Lawsuit Once Considered ‘Dead on Arrival’ Is Making a Comeback
For decades, Caremark claims accusing directors of failing their duty of oversight nearly impossible to win. One court notes the Caremark standard is “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” Unsurprisingly, these lawsuits were rarely filed and even more rarely survived a motion to dismiss.
The first major turning point was the Delaware Supreme Court’s 2019 decision in Marchand vs Barnhill . The case involved Blue Bell Creameries, which suffered a fatal listeria outbreak. The Court was incredulous when stating the Board could be liable because it had no committee or board-level process to address food safety. After all, this is a food company. Food safety is an obviously “essential and mission-critical” risk for an ice cream company.
While the Marchand decision “reinvigorated” these lawsuits by focusing a Board’s failure to oversee patently obvious risks that are fundamental to the company’s existence and operations. Since that ruling, shareholder lawsuits are now surviving dismissal and leading to significant settlements.
Conclusion: Do Your Job as a Director
Courts are reminding directors their fiduciary duties are not enormous obstacles to overcome; therefore, it is inexcusable for failing to make any real effort to meet them. That said, I believe most directors take their responsibilities seriously for the benefit of their companies.
Unfortunately, companies of all sizes have directors who fail to meet their minimal tasks. For this reason, Board should seek out Chairmen who will do more than periodically remind their fellow directors of their fiduciary duties in a memorandum. They should be ready to address directors who are not meeting or barely meeting their fiduciary duties. And yes, this might include voting a director off of a Board who consistently fails to do the job. It is easy foresee Chairmen or other directors being held personally liable for failing to ensure directors are meeting their fiduciary duties in subcommittees or the entire Board itself.
Finally, directors should already know the “mission-critical” risks are both general and specific to your company. You may want to ask them annually what they think the mission critical risks are. You may also want to ask your CEO, CFO< and COO to list what they think the company’s mission critical risks are on an annual basis for sharing with the Board. Finally, big news stories + tragic outcomes = missional critical risks. It is a simple equation.
David Seidman is the principal and founder of Seidman Law Group, LLC. He serves as outside general counsel for companies, which requires him to consider a diverse range of corporate, dispute resolution and avoidance, contract drafting and negotiation, and other issues. He can be reached at david@seidmanlawgroup.com or 312-399-7390.
This blog post is not legal advice. Please consult an experienced attorney to assist with your legal issues.
Photo credit: Citolino
