Management liable for cyberattacks

Hacker attacks happen every day...

...and their effects are sometimes almost without damage. Most of the time, however, they are considerable and push SMEs to their entrepreneurial limits. Experience shows that the worse prepared the company management is, the greater the damage. 

If the management level is even aware of the insecure IT environment, there is even a risk of personal liability, at the latest since the new NIS 2 directive. However, the obligations of the company and its management in connection with IT security are not regulated centrally by law. Instead, they arise from various regulations and standards, such as the GDPR. According to Section 91 (2) AktG, the management is required to take appropriate measures to ensure that developments that could jeopardize the continued existence of the company are identified at an early stage. Furthermore, in most cases, the functionality of the IT systems is necessary to maintain the company's business operations. There is a dual responsibility, so to speak, as to why IT security is a core task of the management level: on the one hand, because the functionality of the IT system must be protected as an operationally necessary component of the company, and on the other hand, because the management must ensure that the company complies with the GDPR and applicable special IT laws as part of its duty of legality.

Did you know that the organizational duties to protect IT systems are not only the responsibility of the member of management directly responsible for IT security, but are shared by all managing directors? This is because the management has overall responsibility in this area. As a collegial body, the management must make the fundamental decisions as to which precautions and measures are to be taken to protect the IT systems. 

What can you do?

In order to exclude personal liability, there are guidelines and key points that must be observed:

• The management level must initiate the use of suitable security measures and ensure that appropriate resources are available. The core objective at this level is to enable the company to recognize hazards.
• The security measures must be appropriate. The "business judgment rule" also plays a role here. Companies that operate extensively with sensitive data must take different measures than an industrial company that is only active in the B2B segment.
• The security measures should reflect recognized rules. These include the BSI's IT baseline protection or certification and auditing specifications such as ISO27001 or Vds10000, the latter at least for small and medium-sized companies.
• The management level must monitor the entire process and also the further application. 

However, the management is and remains ultimately responsible. This applies all the more to the important and particularly important facilities addressed by the new IT security law. What do your security measures look like? Do you know your security gaps?

Current contributions

• Over 80% critical security vulnerabilitiesSeptember 17, 2024
  Alarming results from our IHK cooperation on IT security at companies! Which critical security gaps were found in our pentests?
• "Find & Fix" campaign to get to know each otherSeptember 12, 2024
  Protect your company and find out which security gaps or vulnerabilities exist in your IT.
• New DEFENDERBOX featureSeptember 9, 2024
  After each pentest (penetration test) with the DEFENDERBOX, our customers receive an email informing them of the status of the result.
• DEFENDERBOX NIS-2 compliantSeptember 9, 2024
  Our DEFENDERBOX is NIS-2 compliant, i.e. the DEFENDERBOX reports document exactly all pentests that are valid as NIS-2 certification for the NIS-2 audits.
• Targeted by cyber criminalsSeptember 5, 2024
  If law firms fall victim to blackmail cyber attacks, the damage is particularly high. This is why ransoms are often paid. Investments in cyber security and insurance offer protection.

Do you want to know how secure your company is? Try it out! Click here for a test installation of DEFENDERBOX.
The trial offer is valid until
30. September 2024.