1. Liability risks in the digital age
The number of cyberattacks is increasing worldwide. In 2023, a total of 134,407 cybercrime offenses were registered in Germany alone. A large number of unreported cases is suspected on top of this. The figure given is therefore likely to represent only a fraction of actual crime.
With the rapidly growing threat of cybercrime, the liability risks for company managers are also increasing. It is well known that company management is responsible for the proper management of the company – and this also includes the internal IT organization and IT security. If the measures taken before and during an IT security incident prove to be incomplete, the accusation of management liability or organizational culpability is quickly raised. In the event of culpable omissions, managers can then be held liable for damages; a relatively new additional risk for managers.
Unlike an ordinary employee, who may be able to invoke the principles of internal loss allocation in the event of conduct in breach of duty, a manager who breaches a duty in connection with his professional activities is liable without limitation, namely with his entire private assets. If, for example, he is proven to have culpably failed to monitor IT security, resulting in a successful cyberattack, this can have serious financial consequences for him personally.
2. Responsibility of managers for cyber security
Managers are responsible for taking appropriate measures to prevent and limit damage in the event of cyber attacks. If they fail to do so, they can be held liable for any damage caused. This responsibility includes both the implementation of technical protective measures and the training of employees.
3. Legal conditions and consequences
German law provides that managers can be held accountable for breaches of their duty of care. This includes cyber-attacks and security breaches if it is proven that precautionary measures were not taken.
List of typical liability risks:
- Missing or inadequate compliance management system (CMS)
- Missing or inadequate risk management
- Insufficient IT security measures
- Lack of sensitization or training of employees
- Violation of data protection regulations (GDPR)
4. Best practices for minimizing risks
Managers should act proactively and implement clear security strategies, in particular risk management and CMS:
- Regular security audits
- Training for all employees
- Use of IT security experts
5. Cyber insurance as a “savior in times of need”?
Whether a cyber attack constitutes a covered liability event under the widespread D&O insurance is often highly disputed. The insurer therefore initially only offers cover for the defense of the managers against the allegations of breaches of duty. The process then usually takes a long time and often ends with a settlement. The settlement amounts usually cover only a small part of the total loss.
Against this backdrop, cyber insurance policies are available that provide the company with IT, legal and PR specialists in an emergency in order to offer management high-quality support. In addition to the costs of restoring the data or IT systems, cyber insurance also covers the loss of earnings caused by the cyber attack. However, as with any insurance, an otherwise properly functioning risk management system must be in place beforehand. This is the basis of all compliance.
Managers are increasingly responsible for preventing cyber attacks and protecting their companies. Important measures include regular audits, employee training and cooperation with security experts. Preventive measures can significantly reduce the risk of liability.