Hacker attacks happen every day…
…and sometimes their effects cause almost no damage. Most of the time, however, the damage is considerable and pushes SMEs to their entrepreneurial limits. Experience shows that the worse prepared the company management is, the greater the damage.
If the management level is actually aware of the insecure IT environment, there is even a risk of personal liability, at the latest since the new NIS‑2 Directive. However, the obligations of the company and its management with regard to IT security are not regulated centrally by law; they arise from various regulations and standards, such as the GDPR.
In accordance with Section 91 (2) AktG, the management is required to take appropriate measures to ensure that developments that could jeopardize the company’s continued existence are identified at an early stage. Furthermore, in most cases the functionality of the IT systems is necessary to maintain the company’s business operations. There is, so to speak, a dual reason why IT security is a core task of the management level: on the one hand, because the functionality of the IT systems must be protected as an operationally necessary component of the company, and on the other hand, because the management must ensure, as part of its duty of legality, that the company complies with the GDPR and the applicable special IT laws.
Did you know that the organizational duties to protect IT systems are not only the responsibility of the member of management directly responsible for IT security, but are shared by all managing directors?
The Executive Board has overall responsibility here. The Executive Board as a collegial body must make the fundamental decisions as to which precautions and measures are to be taken to protect the IT systems.
What can you do?
In order to exclude personal liability, there are guidelines and key points that must be observed:
- The management level must initiate the use of suitable security measures and ensure that appropriate resources are available. The core objective at this level is to enable the company to recognize hazards.
- The security measures must be appropriate. The “business judgment rule” also plays a role here. Companies that operate extensively with sensitive data must take different measures than an industrial company that is only active in the B2B segment.
- The security measures should reflect recognized rules. These include the BSI’s IT baseline protection (IT-Grundschutz) or certification and auditing specifications such as ISO 27001 or VdS 10000, the latter at least for small and medium-sized companies.
- The management level must monitor the entire process and also the further application.
However, the management is and remains ultimately responsible.
This applies all the more to the important and particularly important institutions addressed by the new IT security law.
What are your security measures? Do you know your security gaps?