When a company falls victim to a cyberattack, the question of who is liable arises. In the event of inadequate protection, the legal situation is clear: decision-makers can be held liable with their private assets. An interview with Dino Huber (CEO), Ferdinand Grieger (CLO) and Andreas Pankow (CEO Switzerland) of DGC on the duties and responsibilities of senior management in IT security, the legal consequences of cyber attacks on companies, and proven measures that can help decision-makers avoid the liability trap.
Why is it more important today than ever that managing directors, board members and supervisory board members take a close look at the topic of IT security and cyber attacks on companies?
Dino Huber: Cyber attacks pose a substantial threat to companies of all sizes across all industries. The economic damage caused by hackers has continuously reached new highs in recent years: one example is the attack with the extortion Trojan NotPetya, which cost the international shipping company Møller-Mærsk almost 300 million US dollars. During the pandemic, the number of security incidents continued to rise rapidly – also due to increased remote work from home offices and the neglect of security measures in favor of ongoing business operations. That should give decision-makers pause for thought.
Ferdinand Grieger: In the event of a successful cyber attack on a company in which confidential data is stolen, there is a risk of damage to the company’s reputation, loss of revenue, and claims for damages from customers, suppliers and business partners on the basis of contractual and statutory claims. Since cyber attacks usually also have implications under data protection law, there is also a risk of severe fines or, at the very least, of opportunity costs due to investigations by the authorities. Members of the management board and supervisory board of a stock corporation may be personally liable for damages caused by successful hacker attacks – as stipulated by the German Stock Corporation Act. The liability of a GmbH managing director follows from the GmbH Act. Cyber security is therefore a top-management responsibility that cannot be delegated.
What are the challenges that business leaders should prepare for in terms of IT security and the rapidly advancing digital transformation?
Andreas Pankow: For managers, the rapid pace of digitalization, which places ever higher demands on IT security, is proving to be a complex dual task. Digital transformation and the use of new technologies offer considerable potential for positioning the company for the future and for competitiveness. At the same time, new risks from the cyber world must be given equal attention, and increasingly complex processes, systems and products must be fully protected. Decision-makers are therefore well advised to make cyber security an integral part of their corporate strategy. In this way, they can counter threats from the internet with foresight and fully leverage the potential of digitalization.
Ferdinand Grieger: Many decision-makers are still unaware of this dual challenge and the complex tasks that result from it. In many cases, there is still the misguided belief that they can exempt themselves from liability by pointing to a lack of departmental responsibility, to cyber insurance, or to the outsourcing of IT to external service providers. Cyber security, however, is the responsibility of the entire board of management. Transferring liability to a single board member or to an external service provider is hardly possible. Insurance solutions often have extensive exclusions of liability and thus gaps in coverage in the event of damage. The legal situation is clear: if a company is not adequately protected when a hacker attack occurs, all members of management are liable.
They should therefore tackle these extensive tasks today rather than tomorrow. They range from organizational and monitoring duties, to measures protecting the IT infrastructure, to planning appropriate and damage-reducing responses to a cyberattack that has already occurred. In order to comply with reporting obligations to authorities, insurers or affected persons in a timely manner, an emergency concept is also required, which should be developed together with experienced security experts.
What concrete measures can decision-makers take to minimize liability risks in the event of cyber attacks on companies?
Dino Huber: Today, company managers need a defensible information security management system to avoid the liability trap – and there are now recognized standards for this. However, it is hardly possible to banish the diverse risks from the internet completely – powerful tools and processes must be implemented for the comprehensive security of a company. In addition to simulated hacker attacks (pentests), which are used to check the company’s own cyber security and discover possible points of attack, and the sensitization of employees through security awareness training, the company’s own IT infrastructure should be subject to constant monitoring. The use of vulnerability scanners is an initial measure for preventing cyber attacks. Our IT security tool cyberscan.io® meets the market’s demand for such a solution.
Andreas Pankow: When selecting a vulnerability scanner, decision-makers should focus on quality “Made in Germany”: this can be relevant for reasons of legal certainty with regard to the findings obtained through scans. It is also important that the analysis of cyber security with the help of a vulnerability scanner is carried out permanently and recurrently, at intervals appropriate to the company. The scans should have a certain “depth” and include a darknet analysis, for example. In addition, the results obtained, including the risk rating, should be presented clearly and comprehensibly so that companies can identify the status quo of their own cyber security and consider appropriate countermeasures.
Are there other quality criteria that should be taken into account when choosing a vulnerability scanner for the benefit of maximum security?
Dino Huber: In order to identify cyber risks comprehensively, it is important that information from a variety of renowned sources converges in a dedicated vulnerability database. Our self-learning database already contains more than seven million bulletins, which are matched against our customers’ data at the click of a button. Last but not least, the support of experienced security experts pays off, as they can guarantee a qualified analysis of the identified vulnerabilities and the successful implementation of measures.
If the aforementioned aspects are taken into account when choosing an IT security tool, both damage caused by hacker attacks and claims against the managers responsible for cyber security can be prevented.
Professional vulnerability management is also worthwhile for insurance reasons: a qualified and continuous vulnerability analysis can help companies and insurers assess the insurability of certain risks in a more binding and reliable way.
If the worst-case scenario has happened: Is it necessary to report a cyber attack to the public or authorities? How should companies proceed?
Ferdinand Grieger: Under certain circumstances, companies are obliged to report a successful cyber attack. If they fail to do so, they violate the EU-wide Market Abuse Regulation (MAR), which is intended to prevent insider trading. Similar regulations also exist in the USA and Switzerland. If a company has branches in these countries, these regulations must be taken into account as well. In the case of cyber attacks, the situation for the management boards of German stock corporations is unpleasant: on the one hand, they must comply with the requirement of immediacy arising from MAR; on the other hand, they must fully clarify the facts underlying an attack in order to determine whether a reportable situation exists at all.
To make matters worse, the General Data Protection Regulation (Art. 33 GDPR) exerts further time pressure (wording: “without undue delay and, where feasible, not later than 72 hours”), provided that a personal data breach has occurred.
In this situation in particular, companies depend on specialists who can clarify facts that may be relevant to reporting in a professional manner, in compliance with all confidentiality requirements, without gaps and in a timely manner. Cooperation with the public prosecutor’s office and the police should also take place when dealing with cyber attacks. The important work of the German Federal Office for Information Security (BSI) likewise depends on reliable reporting of IT security incidents.
Ultimately, companies must be ready for such situations by preparing in advance and strictly adhering to a catalog of measures and a flowchart, so that all essential aspects are taken into account.
Thank you very much for the interesting interview!