Firemen’s Retirement System of St. Louis v. Sorenson (2021) — Delaware Chancery (Marriott / Starwood)
Executive Summary
Stockholders filed derivative litigation against Marriott fiduciaries alleging oversight and diligence failures related to the Starwood breach and post-acquisition integration. The Delaware Court of Chancery ruled on demand futility and the sufficiency of oversight allegations in a 2021 opinion frequently cited for board cybersecurity governance.
Regulatory and Legal Outcomes
Delaware Chancery
Firemen’s Retirement System of St. Louis v. Sorenson, C.A. No. 2019-0965-LWW — opinion.
Security Technical Summary
Summary
The underlying incident involves a large hospitality reservation database compromise tied to Starwood systems and Marriott’s integration posture. M&A cyber diligence and board monitoring are central governance themes.
Engineering takeaways
- Diligence-to-integration tracking for identity, logging, and patch programs.
- Board dashboards with meaningful metrics, not only generic risk language.
Understanding Regulatory and Court Orders
| Document | Source | Key content |
|---|---|---|
| Firemen’s … v. Sorenson | Del. Ch. | Derivative pleading and oversight in cyber context |
Case Pack Documents
| Case Document | Summary | Writing Scenario |
|---|---|---|
| Executive and board | | |
| Board Pack | High-level security status and top risks for the board. | CISO delivers a board security brief to the Board Audit Committee. |
| Executive Security Risk Summary | Consolidated security risks and mitigation for executives. | Security Director prepares executive risk summary for CEO and leadership. |
| Security Program Status Report | Program health, metrics, and progress for leadership. | Lead Security Engineer submits status report to Security Director and CISO. |
| Strategic Security Initiative Justification | Business case for a major security initiative. | CISO presents business case for program investment and remediation. |
| Regulatory and compliance | | |
| Regulatory Security Explanation | Explain security posture and controls to a regulator. | Security lead submits explanation of program and compliance posture. |
| Compliance Justification Document | Justify how controls meet a requirement or framework. | Lead Security Engineer maps controls to legal or regulatory requirements. |
| Controls -> Evidence Map | How controls are implemented and evidenced. | Security or control owner maps controls to evidence for regulator or auditor. |
| Governance Response Memo | Respond to an audit or regulatory request on governance. | CISO submits governance response memo for oversight review. |
| Legal-technical | | |
| Detailed Narrative of Events | Chronological factual narrative for legal or regulatory use. | Security or legal prepares chronology for counsel or regulator. |
| Security Architecture Explanation for Legal Review | Explain architecture and controls for counsel. | Lead Security Engineer produces architecture memo for General Counsel. |
| Risk Register | Justify risk acceptance or mitigation for legal or audit. | Security Director maintains risk register for leadership and audit. |
| Security Decision Documentation | Record a significant security decision and rationale. | Security Director documents decision record for board and counsel. |
| Policy and governance | | |
| Security Policy Draft | Draft or update an enterprise security policy. | Security Director drafts policy for CISO, Legal, and board review. |
| Security Governance Memo | Define or clarify governance roles and escalation. | CISO issues internal governance memo to leadership. |
| Security Program Justification | Justify program scope, resourcing, or structure. | CISO presents program justification to CEO and board. |
| Internal Security Directive | Directive or mandate from leadership on security. | CISO issues internal directive on priority control requirements. |
| Public communication | | |
| Security Public Statement | Draft for press or public breach or incident statement. | CISO drafts public statement for consumers and partners. |
| Customer Security Explanation | Explain a security topic or incident to customers. | CISO drafts formal customer explanation for affected users. |
| Security Transparency Report Section | Section for an annual or ad-hoc transparency report. | CISO drafts security section of transparency report for external audiences. |
| Operational (case-pack specific) | | |
| Audit Packet Checklist | What to produce within 48 hours for evidence readiness. | Checklist for audit or regulator request. |
| Implementation Checklist | 0-30 / 30-60 / 60-90 day execution plan. | Security or program owner executes plan for leadership or board. |
Facts and Timeline
- 2021 — Chancery opinion on derivative claims (see opinion for dates and details).
References
Primary: Delaware opinion download