Directors' Duty of Care, Skill & Diligence: Complete Guide

When a company suffers a major loss — a botched acquisition, a regulatory failure, a preventable breach — investigators and courts ask the same question: did the board exercise reasonable care, skill, and diligence? This isn't abstract legal theory. It carries defined standards, real personal liability consequences, and growing complexity as boards face domains like AI and cybersecurity that many directors weren't trained to oversee.

Securities class action filings hit 225 in 2024, up from 208 in 2022, with the Disclosure Dollar Loss Index rising 23% to $438 billion. The direction of travel is clear: accountability is increasing, not decreasing.

This guide covers the three elements of the duty, how courts apply both objective and subjective standards, the business judgment rule's limits, the growing cyber oversight gap, and practical steps any director can take to demonstrate compliance.


TL;DR

  • The duty of care, skill, and diligence is a core legal obligation of every director — executive, non-executive, and independent alike.
  • Three components define it: informed engagement (care), applied expertise (skill), and active ongoing oversight (diligence).
  • Courts apply both an objective standard (reasonable director) and a subjective one — your expertise raises your personal bar.
  • Breach can mean personal financial liability, removal, disqualification, and derivative litigation.
  • Technology and cyber risk fall squarely within this duty, and most boards are not yet meeting the expected standard.

What Is the Duty of Care, Skill, and Diligence?

This duty is a fiduciary obligation requiring directors to act with the competence and active engagement reasonably expected of someone in their role. Directors are expected to be informed decision-makers: asking hard questions, seeking expert input when the situation demands it, and exercising genuine judgment rather than deferring reflexively to management.

Where the Duty Is Codified

The legal anchors vary by jurisdiction, but the core standard is consistent:

| Jurisdiction | Provision | Standard |
| --- | --- | --- |
| UK | Companies Act 2006, s.174 | Reasonable care, skill, and diligence — objective + subjective test |
| Delaware (US) | DGCL §141(a) | Board manages corporate affairs; case law supplies the care standard |
| Australia | Corporations Act 2001, s.180 | Reasonable person in the same role and circumstances |
| Canada | CBCA s.122(1) | Care, diligence, and skill of a reasonably prudent person |

[Figure: Director duty of care legal standards comparison across four major jurisdictions]

The UK formulation is the most explicit: Section 174 requires both (a) the knowledge and skill reasonably expected of someone in the director's role and (b) the knowledge and skill the specific director actually has. That second limb — the director's own expertise — is what makes specialized knowledge a double-edged asset.

What the Duty Does — and Doesn't — Require

A common misconception: this duty doesn't demand infallibility or expertise in every domain. What it does require is substantive engagement — following up on red flags, commissioning independent input when in-house reporting feels incomplete, and being able to articulate the reasoning behind a board decision.

The duty focuses on the quality of decision-making, not intent alone. A director can be entirely loyal to the company and still breach this standard by failing to engage substantively. Loyalty and diligence are separate obligations.

The duty applies to all directors regardless of title. Executive, non-executive, and independent directors are each held to the standard appropriate to their role and background.


The Three Elements: Care, Skill, and Diligence

Duty of Care

Care means handling company business with the prudence an ordinarily competent director would apply. That translates to:

  • Attending and preparing for board meetings — not just showing up
  • Reviewing financial statements and strategic reports before voting
  • Asking questions when material information is unclear or incomplete
  • Not simply deferring to management on matters within the board's oversight remit

The key phrase is active engagement. A director who reads nothing before meetings, asks no questions during them, and votes in lockstep with management on major decisions is not exercising care — regardless of whether outcomes happen to be good.

Duty of Skill

Skill requires directors to apply the knowledge they actually possess and to recognize when the company needs expertise they don't have. That second part triggers an obligation to seek qualified advisors rather than act without qualified input.

The standard escalates with expertise. A director who holds themselves out as a financial expert, cybersecurity professional, or legal authority faces a higher bar in those domains than a generalist would.

The ASIC v Healey [2011] FCA 717 case — known as the Centro case — is the clearest illustration. Australian directors approved financial statements that misclassified approximately AU$2 billion of short-term debt as non-current and failed to disclose approximately US$1.75 billion in guarantees.

The court found they had breached their duty by approving documents without sufficient financial literacy to catch obvious errors — even though they had relied on management and auditors. Declarations of contravention were still issued.

Directors don't need to be accountants. They do need enough board-level financial literacy to recognize when something in front of them doesn't add up.

Duty of Diligence

Diligence means staying engaged between votes, not just showing up for them. In practice, it requires:

  • Maintaining continuous oversight of the company's affairs, not just attending key votes
  • Monitoring risk management systems and following up on delegated responsibilities
  • Staying current with material developments in the company's industry, regulatory environment, and risk profile

Delegation is permitted — boards cannot and should not run operations. But delegation doesn't transfer accountability. Directors remain responsible for ensuring that monitoring mechanisms actually function. A director who delegates oversight and never checks whether it's working has not exercised diligence; they've just created distance from the problem.


Legal Standards and Protective Doctrines Directors Need to Know

The Dual Standard

Courts apply two overlapping tests:

  • Objective standard: What would a reasonably competent director in that role have done?
  • Subjective standard: What should this director — given their specific knowledge and experience — have done?

The subjective element cuts in one direction: it raises expectations for specialists, it doesn't lower them for generalists. A director who claims ignorance in their own domain of expertise cannot use that ignorance as a defense.

The Business Judgment Rule

The business judgment rule is the primary protection available to directors. Under Aronson v. Lewis (1984), courts presume directors acted on an informed basis, in good faith, and in the honest belief their decision served the company's best interests. When those conditions hold, courts won't second-guess the outcome — even a costly one.

Two Delaware cases mark the boundaries:

| Case | Facts | Outcome |
| --- | --- | --- |
| In re Walt Disney Co. (Del. Ch. 2005) | Directors approved a $130M non-fault severance for Michael Ovitz after 14 months as president. Shareholders sued. | Rule applied. Directors acted in good faith without disabling conflicts. The costly result was a protected business judgment. |
| Smith v. Van Gorkom (Del. 1985) | Trans Union directors approved a major cash-out merger after a short meeting, without adequate information about intrinsic value. | Rule did not apply. Directors were held grossly negligent — the decision lacked an informed basis. |

[Figure: Business judgment rule, Walt Disney versus Van Gorkom case outcome comparison]

What the Rule Won't Protect

The business judgment rule has real limits. It does not protect:

  • Gross negligence in the decision-making process
  • Willful ignorance of known material risks
  • Failure to implement adequate monitoring systems
  • Intentional dereliction of duty or conscious disregard for responsibilities

The pattern in failed cases is consistent: directors skipped the process, not just the outcome. Building documented oversight mechanisms — and being able to show the board engaged with them — is what keeps the protection intact when decisions are later challenged.


Consequences of Breaching the Duty of Care

The consequences are personal. The corporate structure does not automatically shield directors from liability for their own conduct.

Direct legal consequences include:

  • Personal financial liability for losses the company suffers
  • Removal from office
  • Court-ordered disqualification from serving as a director
  • Regulatory enforcement action in egregious cases

Shareholder-driven consequences include:

  • Derivative litigation brought on behalf of the company against the director
  • Prior decisions invalidated and contracts potentially voided
  • Under DGCL §327 and Delaware Court of Chancery Rule 23.1, shareholders must satisfy demand or futility requirements — but when they do, the exposure is real

Reputational damage frequently accompanies even unsuccessful legal proceedings. Loss of board positions, damage to professional standing, and years of legal expense follow directors through processes they ultimately survive. That prospect alone shapes how careful directors behave — which is, in part, the point.


The Modern Governance Gap: Technology and Cyber Risk Oversight

Technology and cybersecurity now represent one of the most significant areas of board-level risk exposure. IBM's 2024 Cost of a Data Breach report puts the average global cost of a data breach at $4.88 million — up from $4.45 million the prior year. Verizon's 2024 DBIR analyzed 30,458 security incidents and 10,626 confirmed breaches. These are not edge cases.

The SEC's 2023 cybersecurity disclosure rule (Release No. 33-11216) directly connects board oversight to public company disclosure obligations. Under Regulation S-K Item 106(c)(1), registrants must describe the board's oversight of cybersecurity risks, identify any responsible committee, and explain the processes by which the board is informed. The SEC did not require companies to have a designated cybersecurity expert director — but it did require evidence of substantive oversight.

Where the Duty of Skill Is Directly Implicated

When a board cannot evaluate management's cyber posture, challenge security reporting, or assess whether disclosed risks are material, the duty of skill is at risk. The subjective standard means boards cannot outsource understanding — directors must engage with the information provided, even when that requires asking questions that reveal knowledge gaps.

Signs a board is operating below the expected standard:

  • Receiving "all-green" dashboards without understanding what sits behind them
  • Treating cyber briefings as compliance theater rather than decision-making inputs
  • Being unable to distinguish between operational security metrics and strategic risk indicators
  • No defined escalation thresholds — so decisions get invented during incidents
  • No tested incident response — plans exist on paper but have never been pressure-tested

[Figure: Five warning signs that board cyber oversight falls below the expected governance standard]

What Meaningful Cyber Oversight Looks Like

Boards that fulfill their duty in this domain can answer three questions: Are we safe enough? Are we improving fast enough? Are we ready for a bad day?

That requires:

  • Clear decision rights — what the board owns versus what management owns
  • Stable metrics — trend indicators tied to material business impact, not technical activity counts
  • Escalation thresholds defined in advance — so that when something crosses a line, the response doesn't have to be invented under pressure

The question boards should be able to ask at every briefing: "What changed since our last meeting, and what does that mean for our risk posture?"

When a board can't confidently answer those questions, an independent advisor can close the gap between what management reports and what the board needs to understand. Tyson Martin's board advisory practice — built on enterprise leadership at AWS, Home Depot, and Best Buy — provides independent oversight that complements the in-house CISO rather than replacing them, translating technical risk into board-level decisions with clear owners and defined tradeoffs.

His contributions to the NACD, World Economic Forum Centre for Cybersecurity, and NRF CISO Executive Committee bring that same governance lens directly to the boardroom.


Practical Steps Directors Can Take to Fulfill This Duty

Build the Habit of Informed Preparation

The gap between an engaged director and a passive one shows up before the meeting starts:

  1. Read board materials before attending — not during the meeting
  2. Arrive with questions prepared — particularly on financial results, strategic risks, and management recommendations
  3. Treat board meetings as decision forums, not briefings — if the meeting is just receiving information, something is wrong with the agenda
  4. Follow up between meetings on delegated responsibilities and prior commitments

[Figure: Four-step director preparation habit for informed board meeting engagement]

Document Decisions and the Reasoning Behind Them

In litigation or regulatory review, the absence of documentation creates an adverse inference — that oversight was not exercised. Board minutes and resolutions should capture:

  • The information reviewed before a decision
  • Advisors consulted and questions raised
  • The reasoning behind significant approvals
  • A decision log that records who approved what, and why

Consistency matters as much as completeness. A steady, documented oversight rhythm demonstrates ongoing governance — not just a burst of attention when something goes wrong.

Recognize Expertise Gaps and Act on Them

Directors with skill gaps in material risk domains — financial, legal, or technological — have two options: seek personal development or ensure the board has access to independent expert advisors.

Engaging an external board advisor where the board lacks sufficient expertise is a direct exercise of the duty of care. Recognizing the limits of your own knowledge and acting on them is exactly what the duty requires.

For technology and cyber risk, that may mean structured director education, an independent board-level advisor who can validate management's reporting, or both. The standard is not mastery. It's enough fluency to ask the right questions, challenge assumptions, and recognize when something doesn't add up.


Frequently Asked Questions

What is the duty of care for directors?

The duty of care requires directors to act with the prudence, attention, and informed judgment of a reasonably competent person in their role. That means active engagement with company affairs, genuine review of material information, and substantive participation in decision-making — not passive attendance.

What are the seven duties of a director?

Directors are commonly held to duties of care, skill and diligence, loyalty, obedience, good faith, confidentiality, and disclosure. The duty of care, skill, and diligence is among the most fundamental and most frequently litigated, as it governs the quality of every decision a board makes.

What is the difference between the objective and subjective standard for a director's duty of care?

The objective standard asks what a reasonably competent director in that role would have done. The subjective standard holds directors to the level of their own expertise — meaning a director with specialist knowledge in finance or cybersecurity is held to a higher bar in that domain than a generalist would be.

Can a director be personally liable for breaching their duty of care?

Yes. Directors can face personal financial liability for company losses caused by their breach, removal from office, and disqualification from future directorships. The corporate structure does not shield directors from the consequences of their own failure to exercise reasonable care.

How does the business judgment rule protect directors?

The rule protects directors from liability for decisions made in good faith, on an informed basis, and without personal conflicts of interest. It does not protect against gross negligence, willful ignorance, or failure to implement adequate oversight systems, as Smith v. Van Gorkom established.

What does fulfilling the duty of diligence look like in practice?

Diligence means active, ongoing engagement: attending and preparing for meetings, following up on delegated responsibilities, monitoring risk management systems, and staying informed about material developments. Showing up and voting does not satisfy the duty. Directors are expected to provide continuous oversight, not periodic appearances.