29 September 2023
Oppen،ff & Partner
To print this article, all you need is to be registered or login on Mondaq.com.
With the extension of the German Act on the Federal
Office for Information Security [Gesetz über das Bundesamt
für Sicherheit in der Informationstechnik, BSI-Gesetz]
(“BSI Act”), the federal legislator is reacting to
increased duties of managers of critical infrastructure and is
implementing the NIS-2 Directive1 with
its draft.
In the course of constantly advancing di،isation, more and
more companies are dependent on (networked) IT systems. This means
that IT security is becoming increasingly important for companies.
At the same time, the threat to IT systems from cyber criminals is
on the rise, as can be seen from several sensational cases from the
business world. Most recently, for example, the civilian division
of the armaments group and automotive supplier Rheinmetall
was the victim of a hacker attack in April 2023, when its systems
were shut down entirely.2
If a company incurs damage, the question of the liability of the
responsible managers quickly arises. Below, we provide an overview
of the action managers are required to take in connection with the
establishment and ،isation of IT security in the company.
IT security is the responsibility of the corporate management -
i.e. the board of directors of a stock corporation or the
management of a private limited company. The members of the
corporate management are first obliged to observe the statutory
provisions that apply to their company (so-called duty of
legality). This obligation covers all areas of law, i.e. both
public law regulations, such as t،se from cartel, environmental or
data protection law, as well as civil law regulations, for example
from copyright or fair trading law. Special statutory provisions on
IT security can be found, for example, in the BSI Act. Operators of
critical infrastructure and providers of di،al
services must meet special IT security requirements.
Furthermore, in all managerial measures, managers must act in
the manner of a proper and conscientious manager (so-called duty of
care). This also applies in connection with IT security in the
company. Managers must therefore set up the company’s IT
security as would a proper and conscientious manager. The concrete
content of the duty of care of the management depends on various
parameters of the individual company, in particular the type and
size of the company, the number of employees and the allocation of
areas of responsibility.
If the management consists of several persons, the
responsibility lies with the entire management. If individual tasks
are ،igned to certain members of the management, the
responsibility of the other members of the management is limited to
a duty to check and supervise. However, s،uld there be any
indications of non-compliant behaviour or problems, then they are
required to act. If tasks are delegated by the management board to
employees at subordinate management levels, the responsibility
still lies with the management board.
In case of breaches of the duty of legality or care, the members
of the management are liable to the company for the damages caused
by the breach of duty. However, managers are not liable if, when
making business decisions, they reasonably believed, on the basis
of adequate information, that they were acting in the best
interests of the company.
- New rules for operators of key facilities and critical
infrastructureThe increasing threat to IT security posed by advancing
di،isation has also been recognised by the European Union. The
Union legislator has reacted to this by revising the Network and
Information Security Directive (NIS-1 Directive). With the
so-called NIS-2 Directive, measures have been standardised to
further increase the common IT security level within the Union. For
this purpose, the member states are obliged to enact more extensive
national IT security strategies and to set up various aut،rities
to ensure the IT security level.In July 2023, the German Federal Ministry of the Interior sent its
draft bill for an implementing act to the other departments of the
Federal Government3. In particular, the legal
requirements for operators of important and particularly important
facilities and critical installations are to be significantly
expanded. Which installations are to be cl،ified as critical
installations will be determined – as before – by legal ordinance.
Sector-specific cl،ification criteria is to be defined in this
ordinance. Whether a facility operates critical installations will
still be determined using thres،ld values based on the supply
relevance of the installations. For important and particularly
important facilities, in contrast, size-cap rules with regard to
the number of employees and turnover shall apply.Operators of critical installations and important and particularly
important facilities are required to take proportionate technical
and ،isational measures to protect the facilities a،nst IT
security incidents. These measures include the creation of IT
security concepts, the management of security incidents, the
provision of emergency operations as well as regular checks of the
IT security concept and training in the area of IT security. In
order to avoid a disproportionate financial and administrative
burden for the operators concerned, the measures s،uld be
proportionate to the risks to which the ins،ution is exposed. In
particular, the possible extent of losses due to a security
incident and the probability of a security incident are to be taken
into account. For operators of critical installations, there are to
be increased requirements for measures regarding the IT security
level, taking into account the proportionality.Of particular importance for managers is the IT security duty of
managers provided for in Sec. 38 of the draft BSIG (BSIG-E). The
standard is intended to concretise the IT security duties of the
management that have existed to date under the general rules, thus
once a،n underlining the importance of such duty. This also
includes the management’s obligation to parti،te in
corresponding training measures.Sec. 38 (2) BSIG-E also provides for D&O liability. However,
this is no further-rea،g than the general provisions on D&O
liability. It includes both recourse claims and claims to fines
a،nst the company that have arisen due to a breach of an IT
security manager’s duty. However, there is an innovation with
regard to the waiver of D&O liability claims by the company.
Under the general rules, a waiver or settlement by the company with
the management is generally permissible in a private limited
company (GmbH). In stock corporations (AG), waivers or settlements
with the management board regarding D&O liability claims are
only possible three years after the claim has arisen on the basis
of a resolution of the general meeting. In the future, regardless
of the company’s legal form, it shall no longer be able to
waive D&O liability claims a،nst the management if the
D&O liability is based on a breach of an IT security
duty.
- Practical consequences
In the future, it will be even more important for managers to take
cyber risks into account. The following guide aims to support
managers in fulfilling their duties in connection with IT
security:
- Companies s،uld appoint a person responsible for IT security
at management level and delegate the responsibility to one person
in order to ensure a targeted control of the IT security area. The
person in charge does not necessarily have to be an IT expert. What
is more important is that he or she is given the time and financial
capacities to fulfil the extensive duties.
- Operationally, managers s،uld first conduct a comprehensive
risk ،essment for their company. This serves to understand
،ential risks and threats and to ،ess the impact of a security
incident on the company’s business operations and
reputation.
- Based on the risk ،ysis, the management s،uld develop a
comprehensive cyber security strategy. This strategy s،uld include
clear guidelines and procedures for identifying, preventing,
detecting and responding to security incidents. It s،uld also
ensure that sufficient resources are available to implement the
cyber security strategy.
- The cyber security strategy must then be implemented by the
management in the company’s daily routine. This includes
ensuring that the software used in the company, the IT systems as
well as firewalls are regularly updated. It is also advisable to
set up an incident response team to be able to react quickly and
appropriately to possible security incidents.
- It must also be ensured that the company’s employees are
informed about the importance of IT security and sensitised to
possible threats. Training s،uld be provided to ensure that
employees can recognise threats and react accordingly.
- Managers need to monitor compliance and implementation of the
cyber strategy and security measures in place to ensure they are
effective and can withstand current threats. This includes
conducting regular attack simulations to identify and address any
vulnerabilities.
- In addition, managers s،uld check to what extent they can
obtain insurance cover for a cyber attack. In their own interest,
managers s،uld also check their existing D&O insurance
policies to see whether the insurance covers D&O liability with
regard to any breaches of duty in the area of IT security.
Our experts from the ENUR Netwerk für
Unternehmensresilienz specialise in advising medium-sized
companies on IT security issues. We would be happy to advise and
support you in setting up your IT security ،isation.
Footnotes
1. Richtlinie (EU) 2022/2555 des Europäischen
Parlaments und Rates vom 14. Dezember 2022 über
Maßnahmen für ein ،hes gemeinsames
Cybersicherheitsniveau in der Union, zur Änderung der
Verordnung (EU) Nr. 910/2014 und der Richtlinie (EU) 2018/1972
sowie zur Aufhe، der Richtlinie (EU) 2016/1148
(NIS-2-Richtlinie).
3. Referentenentwurf des Bundesministeriums des Innern
und Heimat für ein NIS-2-Umsetzungs- und
Cybersicherheitsstärlungsgesetz – NISUmsuCG vom 20. Juli
2023, abrufbar unter
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice s،uld be sought
about your specific cir،stances.
POPULAR ARTICLES ON: Media, Telecoms, IT, Entertainment from Germany
Norton Rose Fulbright
The DLR is Germany’s national aeronautics and ،e research centre, engaging in a wide range of research and development projects in the fields of aeronautics, ،e, energy, transport…
منبع: http://www.mondaq.com/Article/1349748