Cyber attacks are a matter for the boss
Managing directors are legally responsible for ensuring that IT and information security is not just treated as an IT issue, but as a business risk. Omitted or inadequate protective measures can lead to personal liability in the event of damage - from financial losses to criminal liability.
Where the management level is actually aware of the insecure IT environment, personal liability becomes a real risk, at the latest since the new NIS-2 Directive. However, the obligations of the company and its management in connection with IT security are not regulated centrally by law. Instead, they arise from various regulations and standards, such as the GDPR.
The Management Board is obliged under Section 91 (2) AktG to take appropriate measures to ensure that developments that could jeopardize the continued existence of the company are identified at an early stage. Furthermore, in most cases the functionality of the IT systems is necessary to maintain the company's business operations. There is thus, so to speak, a dual reason why IT security is a core task of the management level: on the one hand, because the functionality of the IT systems must be protected as an operationally necessary component of the company, and on the other hand, because the management must ensure, as part of its duty of legality, that the company complies with the GDPR and the applicable special IT laws.
Did you know that the organizational duties to protect IT systems are not only the responsibility of the member of management directly responsible for IT security, but are shared by all managing directors?
The Executive Board has overall responsibility here. The Executive Board as a collegial body must make the fundamental decisions as to which precautions and measures are to be taken to protect the IT systems.
What can you do?
In order to exclude personal liability, there are guidelines and key points that must be observed:
- The management level must initiate the use of suitable security measures and ensure that appropriate resources are available. The core objective at this level is to enable the company to recognize hazards.
- The security measures must be appropriate. The "business judgment rule" also plays a role here. Companies that operate extensively with sensitive data must take different measures than an industrial company that is only active in the B2B segment.
- The security measures should reflect recognized rules. These include the BSI's IT baseline protection (IT-Grundschutz) or certification and auditing specifications such as ISO 27001 or VdS 10000, the latter at least for small and medium-sized companies.
- The management level must monitor the entire process as well as its ongoing application.
However, the management is and remains ultimately responsible, because cybersecurity is not an IT add-on - it is a management and compliance issue.
This applies all the more to the important and particularly important institutions addressed by the new IT security law.
What are your security measures? Do you know your security gaps?