Last month, the United States District Court for the Southern District of New York granted a motion to dismiss in In re FedEx Corp. Securities Litigation, a putative class action securities fraud case filed against FedEx following numerous disclosures in 2017 and 2018 regarding the impact of a Russian cyberattack on its recently acquired subsidiary, TNT Express Services B.V. (“TNT”).[1]  The court held that the complaint failed to adequately plead that FedEx had made any material misrepresentations or had the requisite scienter.  FedEx’s successful defense against the lawsuit highlights how important it is for companies to consider their disclosure obligations following a cyber-incident and to carefully tailor their disclosures to account for their risks and accurately reflect the consequences of the incident.

Background

On June 28, 2017, FedEx announced that TNT’s computer systems had been infected by the NotPetya virus, which had spread throughout Europe and beyond that month.  In that announcement, FedEx stated that TNT’s operations had been “significantly affected” due to the virus and warned that the financial impact of the disruption “could be material.” In subsequent disclosures over the next eighteen months, FedEx reported progress in restoring TNT’s systems and integrating it into FedEx but repeatedly warned of negative impacts on FedEx’s operations and future financial condition. Finally, in December 2018, FedEx disclosed that the company would not achieve its 2018 earnings targets until 2020.  FedEx’s share price rose through March 2018 but then fell significantly in the last quarter of the year.

The complaint alleged that these disclosures were materially false in that they misrepresented the status of TNT’s recovery from the cyberattack and the negative impact on the company’s operations and future earnings. To establish scienter, the plaintiff alleged that the individual defendants were aware of facts that contradicted their public statements.  The complaint alleged violations of Sections 10(b) and 20(a) of the Securities Exchange Act, SEC Rule 10b-5, and Item 303.

The S.D.N.Y. Decision

On FedEx’s motion to dismiss, the court agreed with the company that its disclosures were not false or materially misleading when made and rejected the complaint’s allegations of scienter as conclusory.

The court held that FedEx’s disclosures contained language, often bolded and italicized for emphasis, that warned investors about the potentially lingering negative effects of the cyberattack on the company’s operations and financial condition.  The December 2017 quarterly report, for example, stated that the cyberattack “could negatively affect our results of operations and financial condition in the future, particularly if our continuing recovery efforts do not proceed as expected,” and that “not all customers are shipping at pre-attack levels.”  The July 2018 report likewise cautioned that “the failure to integrate successfully the businesses and operations of FedEx Express and TNT Express in the expected time frame and at the expected cost may adversely affect our future results.”

While focusing on cautionary statements like these found in the reports over the class period, the court emphasized that even the optimistic statements contained in the reports did not meet the requisite pleading standard for materially misleading statements.  The court explained that reasonable investors are expected to understand that there are always factors that cut the other way, and Section 10(b) does not require companies to maintain a pessimistic outlook on disclosure forms.  And, even if the statements were false or misleading, they would be protected as forward-looking statements covered by the safe harbor provision in the PSLRA.

Implications

Cyberattacks can have severe ramifications for the victim company.  The economic loss associated with an incident can often be compounded by reputational damage, destruction of assets, operational impairment, lost revenue, and the expense of implementing remedial measures.

This case highlights the additional civil litigation risk that can result from a company’s disclosures.  Public entities should stay vigilant on cybersecurity disclosure issues, including by taking into account the SEC’s cybersecurity guidance from 2018 (discussed here).  As explained in the guidance, companies should tailor their disclosures to the particular cybersecurity incidents, including as they relate to “the concomitant financial, legal and reputational consequences.” They should also be mindful of their duty to correct or update prior disclosures as necessary to ensure they do not become materially inaccurate.


[1] No. 1:19-cv-05990, 17 (S.D.N.Y. Feb. 4, 2021)