Delaware Expands Expectations for Board Oversight of Cybersecurity | By: Jeffrey R. Glassman

Cybersecurity oversight has officially entered the realm of board-level fiduciary responsibility. In several 2025 decisions, the Delaware Court of Chancery made clear that cybersecurity is a mission-critical risk for most companies. In the aftermath of these decisions, directors of Delaware corporations now face heightened expectations for monitoring, documenting and addressing cybersecurity risks as part of their oversight duties.

The duty of oversight for board members originates from the decision in In re Caremark International Inc. Derivative Litigation and was later affirmed in Stone v. Ritter. These cases established that directors may be liable if they fail to implement systems for reporting and monitoring corporate risk or if they ignore red flags. Historically, Caremark claims were difficult to plead and rarely succeeded. However, recent decisions have expanded the application of the duty of oversight to include cybersecurity risks, especially in industries where data protection is central to operations.

In 2025, the Court of Chancery emphasized that cybersecurity risks qualify as mission critical for companies that store consumer data, operate online platforms or rely heavily on digital infrastructure. In addition, the Court has concluded that boards must receive regular cybersecurity briefings and may not delegate oversight entirely to management. Because oversight efforts must be documented, recordkeeping is more essential than ever. The absence of board minutes documenting cybersecurity discussions may support an inference of oversight failure. Moreover, failure to respond adequately to known vulnerabilities could constitute a red flag under the Caremark standard.

Although the Court did not impose strict liability on directors involved in these 2025 cases, it nonetheless signaled that cases in 2026 and beyond may have different outcomes if directors fail to demonstrate active oversight supported by tangible evidence. Many California companies are incorporated in Delaware. Therefore, these decisions apply directly to their boards regardless of where their primary operations or headquarters are located. To insulate boards from liability, companies must ensure that board committees have clear cybersecurity responsibilities and that documentation reflects active engagement. To that end, boards must incorporate cybersecurity into their quarterly (or even monthly) agendas.

Directors should also require management to present regular and recurring updates on vulnerabilities, incidents and mitigation efforts. Boards should take an active role in reviewing third-party risk management programs and ensure that management maintains an incident response plan and tests it regularly. As part of their recordkeeping efforts, boards should also maintain detailed minutes reflecting discussions and decisions that relate to data security.

Clearly, cybersecurity has become a core governance issue with direct implications for fiduciary duty. Delaware courts expect directors to maintain informed and active oversight, and companies that build strong governance frameworks and document their practices will be best positioned to mitigate litigation and regulatory risk moving forward.

This publication is published by the law firm of Ervin Cohen & Jessup LLP. The publication is intended to present an overview of current legal trends; no article should be construed as representing advice on specific, individual legal matters. Articles may be reprinted with permission and acknowledgment. ECJ is a registered service mark of Ervin Cohen & Jessup LLP. All rights reserved.
