Corporate oversight is trending. Developed by courts during a predigital era, the duty of oversight is meant to protect shareholders against corporate malfeasance, while still giving directors enough leeway to take marketplace risks. Just as the law imposes a special fiduciary duty on those who are given trust, corporate law imposes a special fiduciary duty on directors in confronting risks to corporations. Over the years, this principle has garnered remarkably broad support among advocates for greater corporate accountability.
This Article seeks to disrupt the consensus for the standard of assessment of the duty of oversight by identifying lurking tensions, as well as reasons to doubt a uniform conception of risk in oversight liability. Although some harms to corporations could have been minimized if directors had taken more seriously their responsibility to actively oversee corporate affairs, the emergence of cybersecurity as a central corporate concern suggests that directors are overly cautious with cyber risks and are motivated by the fear of liability. This Article questions whether the current duty of oversight is adequate for the problem of assessing corporate decision making in hindsight and questions whether the standard has been reinvigorated with directors’ assessment of emerging cybersecurity risks as claimed by some scholars. In so doing, this Article calls attention to the costs of reinvigorating the duty of oversight in U.S. corporate governance—a trend that effectively abrogates the business judgment rule, which would not be consistent with the scale and scope of modern cybersecurity or practical for implementation towards other disruption risks.
The evolution of the duty of oversight invites an enervating complacency towards assigning personal liability to directors for business performance and risk taking and points to a premature abandonment of more robust visions of the business judgment rule. Current iterations of the oversight duty create risk aversion among directors, while failing to incentivize effective corporate protections in an era of cybersecurity. The business judgment rule better strikes the balance between technological risk-taking, corporate safety, and director liability. This Article takes a skeptical view of the current conception of the duty of oversight and argues for a reinvigoration of the business judgment rule as a better theory of liability to balance risk taking and decisions made in good faith and in the best interests of the corporation.
“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”
- attributed to Mark Twain
“There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”
- John Chambers (former CEO of Cisco Systems)