III

A Board & C-Suite Issue

Section III

Why this is a board issue, too.

The Caremark line of cases, the duty of informed decision-making, and the federal securities overlay — three sources of legal rules that already apply to the quantum question.


The most common mistake an organization can make is to treat the Quantum Director as a technical problem that lives two or three layers below the boardroom. The truth is that hardening one's organization to the growing quantum risks is both a c-suite and board issue, just like other technical areas leadership must be educated on and oversee such as financial controls. While technical areas are administered by specialists, each is subject to a well-settled body of law that, at least in the case of private corporations, assigns the board a personal, non-delegable duty to oversee them.

A. The Oversight Duty · The Caremark Line of Cases

Directors of corporations owe two basic fiduciary duties: the duty of care and the duty of loyalty. A specific strand of the duty of loyalty — known as the Caremark duty, after the 1996 decision In re Caremark International — requires that directors put in place, and actually use, a reasonable system for monitoring the mission-critical risks facing the enterprise.

Two later decisions sharpened the doctrine: Stone v. Ritter (2006) confirmed that Caremark claims are loyalty claims, and Marchand v. Barnhill (2019) held that a board cannot simply take management's word for it on risks that go to the essential function of the business.

Why the Loyalty Characterization Matters

Most corporate charters contain a provision that shields directors from personal liability for ordinary negligence. That shield does not always apply to breaches of the duty of loyalty. A well-pled oversight claim can evade that protection. This is the feature of Caremark liability that makes it genuinely dangerous to personal balance sheets — and it is why it deserves board-level attention.

For a widening set of enterprises, cryptographic integrity is now precisely the kind of mission-critical risk that Caremark addresses. A bank whose authentication is no longer trustworthy does not merely lose revenue; it loses the ability to transact. A hospital whose patient records become readable does not merely face a fine; it faces a class-action lawsuit. A defense contractor whose signing keys can be forged ships a compromised update to every customer at once and will lose the government as a client. When the risk of security collapse becomes material, Caremark duties attach.

B. The Duty of Informed Decision-Making

A separate strand of fiduciary doctrine from Delaware — under Smith v. Van Gorkom and its progeny — requires directors to inform themselves of the material information reasonably available to them before approving a significant business decision. A board that approves a budget, a multi-year technology architecture, or a major vendor contract without any record of having considered post-quantum requirements could be shown to have made an uninformed decision on an information-security question of first-order consequence. In any subsequent litigation, the gap in the minutes may be the first exhibit at one's deposition.

C. The Federal Securities Overlay

Public-company directors and officers carry an additional layer of duty: accurate disclosure. The SEC's 2023 cybersecurity rule (formally, Item 105 of Form 8-K and Item 106 of Regulation S-K, discussed in detail in Section IV) requires public companies to describe their processes for assessing, identifying, and managing material cybersecurity risks, and to describe the board's oversight of those risks. Quantum transition is a cybersecurity risk: it is forward-looking, it is material for a large share of registrants, and silence about it is itself a choice — one that will likely be second-guessed after the fact.

This is not a document-only exercise. Under the Sarbanes-Oxley Act, the CEO and CFO personally certify both the accuracy of the annual report and the effectiveness of the disclosure controls that produced it. The Item 106 cybersecurity disclosures sit inside those certifications. A public-company CEO who signs a 10-K that omits a material quantum-transition risk — or that describes it in the language of a hypothetical when the internal record says otherwise — has signed a certification whose contents will be judged later on what the company actually knew at the time.

A disclosure that omits quantum risk is not prudent conservatism. It is a statement, by omission, that no such risk exists — and it will likely be read that way.