On February 4, 2021, Judge Ronnie Abrams of the Southern District of New York granted a motion to dismiss putative class action claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 (the “Exchange Act”) and Rule 10b-5, against a global logistics and shipping company (the “Company”) and certain of its executives. In re FedEx Securities Litigation, No. 19-cv-05990 (S.D.N.Y. Feb. 4, 2021). Plaintiffs alleged defendants made materially false and misleading statements concerning the financial impacts to the Company resulting from a cyberattack affecting a recently acquired European shipping subsidiary (the “Subsidiary”). The Court granted defendants’ motion to dismiss plaintiffs’ consolidated class action complaint (the “CAC”) with prejudice.

According to the CAC, the Company acquired the Subsidiary, a package delivery company based in Europe, on May 25, 2016. The acquisition was promoted as strengthening the Company’s presence in the region and further increasing the Company’s express shipping business revenue. The Company reported a “primary area of focus” was to integrate the Subsidiary, which it estimated would take four years. The Company stated in a March 2, 2017 press release that it was committing to increasing the operating income of the express shipping business segment to $1.5 billion in FY 2020, and that the integration of the Subsidiary was a “key driver” of this initiative. On June 28, 2017, the Company announced that a Russian cyberattack in Europe had “significantly affected” the Subsidiary and its operations. In the same press release, the Company noted that it could not measure the financial impact of the disruption, but noted that “it could be material.” In September 2017, the Company shared a quarterly earnings report disclosing that the cyberattack negatively impacted the financial results by about $300 million, but the Subsidiary’s services had “resumed during the quarter and substantially all [its] critical operational systems have been restored.” According to the CAC, the Company allegedly made a number of misleading statements on earnings calls and in quarterly financial reports over the next year that obscured the purported financial and operational challenges the Company was facing as a result of the effects of the cyberattack on the Subsidiary. The CAC claims this led to a stock drop when an alleged corrective disclosure was made in December 2018.

The Court addressed the alleged misstatements in turn, grouping them into four categories: (1) references to the operating income improvement target; (2) statements regarding the Company’s progress in restoring the Subsidiary’s operations in the wake of the cyberattack; (3) reassurances about the retention of the Subsidiary’s customer base; and (4) statements concerning the pace and cost of the Subsidiary’s integration.

The Court held that plaintiffs had not adequately pled that defendants’ statements were false or misleading. With respect to the first category of purported misstatements, the Court observed that the “majority of those statements merely expressed the Company’s commitment to that target, without making any express assurances about its viability,” and none of the alleged omissions contradicted defendants’ “continued adherence to a years-long target for the income improvement.” The Court added that these statements were accompanied by “numerous disclosures” addressing the “ongoing effects” of the cyberattack and the risks “inherent in the [Subsidiary] integration process,” among others. Citing the Supreme Court’s Omnicare decision, the Court found that the alleged failure to disclose additional contradictory facts did not render the statements misleading “to a reasonable person reading the statement fairly and in context.” In connection with plaintiffs’ allegations, based on purported statements by a confidential witness, that “there was significant doubt within the Company about its ability to meet the [operating income improvement] target by 2020,” the Court held that these allegations were “vague and conclusory.” The Court further noted that the confidential witness had only “heard of the alleged doubt from his circle of colleagues” in his role as a relationship manager at the Subsidiary and that such allegations did not “permit the Court to reasonably attribute the doubt to any of the individual defendants” who were “high-level executives of the American parent company.” The Court also noted that, in any event, the statements concerning income targets were forward-looking and protected under the PSLRA’s safe harbor and accompanied by meaningful cautionary statements.

Concerning the second category of alleged misstatements regarding the restoration of the Subsidiary’s operations after the cyberattack, the Court found that defendants made “numerous disclosures” about the effect the cyberattack had on disabling the Subsidiary’s international shipments at the time, including “immediately acknowledg[ing]” the impact of the attack. Moreover, the Court noted, the Company’s and the individual defendants’ statements were “carefully hedged” with reports that “substantially all” of the Subsidiary’s “critical” system functions had been restored, and that systems were “near-normal,” which prevented an inference that a reasonable investor would “conclude that recovery efforts were complete.” The Court added that while Section 10(b) “obligated the Company to be complete and accurate in its representations, it did not require [d]efendants to project a pessimistic outlook on the degree to which [the Subsidiary’s] services had been disrupted.”

As to the third category of alleged misstatements concerning the retention of the Subsidiary’s customer base, the Court agreed with defendants that the Company “disclosed the losses to its customer base and shipping volumes” as a result of the attack. The Court also found that plaintiffs’ allegations related to this category were “insufficient to demonstrate that [the Company] misled investors with more optimistic statements” because the confidential witness’ allegations were “silent as to when these alleged customer defections occurred” or whether the customers ultimately returned.

The Court similarly held that plaintiffs failed to adequately allege falsity concerning the last category of statements about the process of integration. The Court observed that plaintiffs appeared to “conflate the Company’s efforts to integrate” the Subsidiary with the “progress of that integration.” The Court noted that the Company made disclosures that it was “accelerating the integration process” as a result of the attacks. As such, the Court could not reasonably infer that an investor would mistakenly conclude that the cyberattack had in fact accelerated the integration itself. Moreover, defendants’ statements “tout[ing] the progress of integration” amounted to nothing more than inactionable puffery.

Although the Court concluded that plaintiffs failed to adequately allege any materially false or misleading statements, the Court went on to also hold that plaintiffs failed to adequately allege scienter. The Court observed that plaintiffs’ allegations of scienter were conclusory and that the CAC was “devoid of any allegations that the individual defendants acted with any motive.” The Court similarly found statements from a confidential witness unpersuasive because they failed to implicate the individual defendants or demonstrate that they had any knowledge contrary to what they represented to the public.

The Court further held that defendants did not violate Item 303 of Regulation S-K because plaintiffs failed to allege material misstatements and scienter. The Court further dismissed plaintiffs’ control-person liability claims under Section 20(a), having found no requisite violation of the Exchange Act that would establish such a claim. The Court denied plaintiffs’ request for leave to amend, concluding that an amendment would be futile.