On October 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted Ian McGinley, the Director of Enforcement for the Commodity Futures Trading Commission (CFTC), to announce updated enforcement guidance to CFTC staff on penalties, monitors, and admissions. Director McGinley’s remarks (available here) were followed by a fireside chat and moderated Q&A with questions from the audience, and later by a moderated panel of former CFTC enforcement directors and senior enforcement counsel. The updated staff guidance is available here. In this post, the panelists from the event offer additional commentary on the guidance.
The Growing Risk of Director Liability for Cyberattacks
by Peter Varlan
Despite the increase in cyberattacks and data breaches against large corporations, directors have avoided personal liability. In three recent data breaches—Wyndham, Target, and Home Depot—shareholders have unsuccessfully brought derivative claims against directors. These Caremark[1] claims against directors have failed because oversight duties for cybersecurity are not yet specific enough to establish that directors deliberately breached a known duty of care.
The current protection that directors have enjoyed from cybersecurity-related Caremark suits may soon come to an end. New and pending regulations from the New York Department of Financial Services and the Federal Reserve System provide more specific cybersecurity guidance for corporations. Failing to comply with these more detailed regulations prior to a cyberattack may increase the possibility that directors will be held liable for violating their Caremark oversight duties. Accordingly, directors should familiarize themselves with these new regulations that are applicable to the corporations they serve, and develop best practices to both protect corporate data and inoculate themselves from personal liability.