Retail and Consumer Goods10.02.2021 Newsletter
Cyber security in times of digitisation: what precautions managing directors should take
Many trading companies are digitising their work processes. However, besides simplified processes and increased accessibility, there are also numerous risks: According to a survey by the German Association for Information Technology, Telecommunications and New Media [Bundesverband Informationswirtschaft, Telekommunikation und neue Medien], approximately 75% of all of the companies questioned suffered a so-called cyber attack in 2018/2019. Medium-sized companies in particular were a popular target. Therefore, managing directors are increasingly having to deal with the question of how they can protect their own company and who bears the liability in case of failures.
Our expert Sebastian Gutmann explains what GmbH managing directors should pay particular attention to.
Sufficient IT security level through recognised standards
Besides the special rules of the General Data Protection Regulation (GDPR) and the German Ordinance on Determining Critical Infrastructure according to the BSI Act [Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz, KritisVO], there are fundamentally no statutory obligations requiring businesses to secure their IT. However, this lack of obligations does not protect companies against a loss of revenue or damage claims resulting from cyber attacks, e.g. production downtime due to server crashes.
In particular the recognised technical standards and specifications of specialist authorities and industry associations serve as practical guidance for a sensible, risk-appropriate IT infrastructure. Such a standard, the so-called IT baseline protection [IT-Grundschutz], is issued by the German Federal Office for Information Security [Bundesamt für Sicherheit in der Informationstechnik, BSI]. Its methodology is holistic. The aim is to increase information security in companies. The methodology is holistic because it is not only based on purely technical aspects, but also and especially aims to create the personnel and organisational prerequisites for a permanent review of IT security. The BSI's IT baseline protection essentially consists of various documents, each of which contains instructions on structuring and further developing IT infrastructure in companies.
An introduction hereto is available in the form of the Baseline Protection Guide [Leitfaden zur Basis-Absicherung], which also provides a comprehensible introduction to smaller companies that have not yet intensively approached the issue. Guidance for setting up an Information Security Management System (ISMS) is provided by BSI Standards 200-1 and 200-2.
In addition to the BSI’s IT baseline protection, supplementary guidelines have been issued by various industry associations, e.g. the Guideline State of the Art in IT Security [Handreichung zum Stand der Technik in der IT-Sicherheit] of the IT Security Association Germany [Bundesverband IT-Sicherheit e.V.]
IT security means permanent development
The permanent implementation of any safety standard is not a one-time event, however, as this requires a continuous development and review process. The topic of IT security needs to be initiated, managed and controlled by the managing director himself at the highest management level. The necessary steps can regularly be delegated to a central employee, the IT Security Officer.
Liability and compensation for damages in case of cyber attacks
In case of external attacks, it is unfortunately rarely possible to apprehend the actual attackers. Furthermore, own employees who involuntarily contribute to the success of cyber attacks through negligent behaviour are only liable for damages in case of increased negligence.
For this reason, the only "tangible" opponent of a claim is often the company's own managing director. A claim can be asserted against him if he has negligently failed to adequately protect the company’s IT.
In addition to preventive protection - at best by observing the BSI standards - other protection options are conceivable:
If the company concerned has a so-called D&O insurance policy, i.e. an insurance policy taken out by the company to cover the liability risks of its management bodies, damages can sometimes be claimed through this insurance. The relevant policies generally do not contain any exclusions for cyber attacks.
It can also make sense to take out cyber insurance. Cyber insurers are particularly advantageous because they not only reimburse operating profit and ongoing costs, but in some cases even provide or finance teams of experts to identify the sources of damage and restore the IT system (so-called assistance services). In individual cases the latter can be much more helpful than the mere payment of financial benefits.
Conclusion:
Because of the considerable potential for damage, medium-sized and small companies in particular are well advised to intensively address the subject of IT security. Nationally and internationally recognised security standards provide useful guidance for setting up a suitable and risk-appropriate management system for IT security.