Fiduciary duty

Fiduciary duty is a legal obligation for executives and boards to act in the best interests of stakeholders. In the cybersecurity context, this means protecting company data, disclosing material risks, and ensuring sound security practices.

Fiduciary duty in cybersecurity

Who is responsible?

A fiduciary is a person or entity with a duty to act in good faith and in the best interests of those they serve, whether clients, shareholders, or the organization itself. This obligation, well established in the financial industry, also applies to boards of directors, which must oversee risk on behalf of shareholders. In today’s environment, that responsibility includes cyber risk.

Why does fiduciary duty matter?

Data breaches have become far more frequent in recent years, and courts increasingly treat cybersecurity oversight as part of a company's fiduciary duty. Shareholders and customers can claim that leadership breached that duty if it failed to prepare for, disclose, or mitigate cyber risks. In Begich v. Sabo (California, 2025), shareholders alleged that Compass Diversified's leaders breached their fiduciary duties by allowing misleading financial statements tied to weak IT and security controls.

Several high-profile cases have shown how cybersecurity failures can spark claims that executives and boards breached their fiduciary duties:

  • Target (2013): Shareholders sued directors after hackers stole 40 million payment card records, alleging the board ignored warnings about weak security.
  • Wyndham Hotels (2012–2015): The FTC sued after repeated breaches exposed customer payment data; courts affirmed companies must maintain “reasonable” cybersecurity.
  • Yahoo (2016): Shareholders sued over the company's failure to disclose massive breaches promptly, alleging executives breached their fiduciary duties; the related securities class action settled for $80 million.
