With the extension of the German Act on the Federal Office for Information Security [Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, BSI-Gesetz] ("BSI Act"), the federal legislator is reacting to increased duties of managers of critical infrastructure and is implementing the NIS-2 Directive1 with its draft.

In the course of constantly advancing digitisation, more and more companies are dependent on (networked) IT systems. This means that IT security is becoming increasingly important for companies. At the same time, the threat to IT systems from cyber criminals is on the rise, as can be seen from several sensational cases from the business world. Most recently, for example, the civilian division of the armaments group and automotive supplier Rheinmetall was the victim of a hacker attack in April 2023, when its systems were shut down entirely.2

If a company incurs damage, the question of the liability of the responsible managers quickly arises. Below, we provide an overview of the action managers are required to take in connection with the establishment and organisation of IT security in the company.

IT security is the responsibility of the corporate management - i.e. the board of directors of a stock corporation or the management of a private limited company. The members of the corporate management are first obliged to observe the statutory provisions that apply to their company (so-called duty of legality). This obligation covers all areas of law, i.e. both public law regulations, such as those from cartel, environmental or data protection law, as well as civil law regulations, for example from copyright or fair trading law. Special statutory provisions on IT security can be found, for example, in the BSI Act. Operators of critical infrastructure and providers of digital services must meet special IT security requirements.

Furthermore, in all managerial measures, managers must act in the manner of a proper and conscientious manager (so-called duty of care). This also applies in connection with IT security in the company. Managers must therefore set up the company's IT security as would a proper and conscientious manager. The concrete content of the duty of care of the management depends on various parameters of the individual company, in particular the type and size of the company, the number of employees and the allocation of areas of responsibility.

If the management consists of several persons, the responsibility lies with the entire management. If individual tasks are assigned to certain members of the management, the responsibility of the other members of the management is limited to a duty to check and supervise. However, should there be any indications of non-compliant behaviour or problems, then they are required to act. If tasks are delegated by the management board to employees at subordinate management levels, the responsibility still lies with the management board.

In case of breaches of the duty of legality or care, the members of the management are liable to the company for the damages caused by the breach of duty. However, managers are not liable if, when making business decisions, they reasonably believed, on the basis of adequate information, that they were acting in the best interests of the company.

  1. New rules for operators of key facilities and critical infrastructure

    The increasing threat to IT security posed by advancing digitisation has also been recognised by the European Union. The Union legislator has reacted to this by revising the Network and Information Security Directive (NIS-1 Directive). With the so-called NIS-2 Directive, measures have been standardised to further increase the common IT security level within the Union. For this purpose, the member states are obliged to enact more extensive national IT security strategies and to set up various authorities to ensure the IT security level.

    In July 2023, the German Federal Ministry of the Interior sent its draft bill for an implementing act to the other departments of the Federal Government3. In particular, the legal requirements for operators of important and particularly important facilities and critical installations are to be significantly expanded. Which installations are to be classified as critical installations will be determined - as before - by legal ordinance. Sector-specific classification criteria is to be defined in this ordinance. Whether a facility operates critical installations will still be determined using threshold values based on the supply relevance of the installations. For important and particularly important facilities, in contrast, size-cap rules with regard to the number of employees and turnover shall apply.

    Operators of critical installations and important and particularly important facilities are required to take proportionate technical and organisational measures to protect the facilities against IT security incidents. These measures include the creation of IT security concepts, the management of security incidents, the provision of emergency operations as well as regular checks of the IT security concept and training in the area of IT security. In order to avoid a disproportionate financial and administrative burden for the operators concerned, the measures should be proportionate to the risks to which the institution is exposed. In particular, the possible extent of losses due to a security incident and the probability of a security incident are to be taken into account. For operators of critical installations, there are to be increased requirements for measures regarding the IT security level, taking into account the proportionality.

    Of particular importance for managers is the IT security duty of managers provided for in Sec. 38 of the draft BSIG (BSIG-E). The standard is intended to concretise the IT security duties of the management that have existed to date under the general rules, thus once again underlining the importance of such duty. This also includes the management's obligation to participate in corresponding training measures.

    Sec. 38 (2) BSIG-E also provides for D&O liability. However, this is no further-reaching than the general provisions on D&O liability. It includes both recourse claims and claims to fines against the company that have arisen due to a breach of an IT security manager's duty. However, there is an innovation with regard to the waiver of D&O liability claims by the company. Under the general rules, a waiver or settlement by the company with the management is generally permissible in a private limited company (GmbH). In stock corporations (AG), waivers or settlements with the management board regarding D&O liability claims are only possible three years after the claim has arisen on the basis of a resolution of the general meeting. In the future, regardless of the company's legal form, it shall no longer be able to waive D&O liability claims against the management if the D&O liability is based on a breach of an IT security duty.
  2. Practical consequences

    In the future, it will be even more important for managers to take cyber risks into account. The following guide aims to support managers in fulfilling their duties in connection with IT security:
  • Companies should appoint a person responsible for IT security at management level and delegate the responsibility to one person in order to ensure a targeted control of the IT security area. The person in charge does not necessarily have to be an IT expert. What is more important is that he or she is given the time and financial capacities to fulfil the extensive duties.
  • Operationally, managers should first conduct a comprehensive risk assessment for their company. This serves to understand potential risks and threats and to assess the impact of a security incident on the company's business operations and reputation.
  • Based on the risk analysis, the management should develop a comprehensive cyber security strategy. This strategy should include clear guidelines and procedures for identifying, preventing, detecting and responding to security incidents. It should also ensure that sufficient resources are available to implement the cyber security strategy.
  • The cyber security strategy must then be implemented by the management in the company's daily routine. This includes ensuring that the software used in the company, the IT systems as well as firewalls are regularly updated. It is also advisable to set up an incident response team to be able to react quickly and appropriately to possible security incidents.
  • It must also be ensured that the company's employees are informed about the importance of IT security and sensitised to possible threats. Training should be provided to ensure that employees can recognise threats and react accordingly.
  • Managers need to monitor compliance and implementation of the cyber strategy and security measures in place to ensure they are effective and can withstand current threats. This includes conducting regular attack simulations to identify and address any vulnerabilities.
  • In addition, managers should check to what extent they can obtain insurance cover for a cyber attack. In their own interest, managers should also check their existing D&O insurance policies to see whether the insurance covers D&O liability with regard to any breaches of duty in the area of IT security.

Our experts from the ENUR Netwerk für Unternehmensresilienz specialise in advising medium-sized companies on IT security issues. We would be happy to advise and support you in setting up your IT security organisation.

Footnotes

1. Richtlinie (EU) 2022/2555 des Europäischen Parlaments und Rates vom 14. Dezember 2022 über Maßnahmen für ein hohes gemeinsames Cybersicherheitsniveau in der Union, zur Änderung der Verordnung (EU) Nr. 910/2014 und der Richtlinie (EU) 2018/1972 sowie zur Aufhebung der Richtlinie (EU) 2016/1148 (NIS-2-Richtlinie).

2. https://www.handelsblatt.com/unternehmen/industrie/ruestungskonzern-rheinmetall-wird-opfer-eines-hackerangriffs-staatsanwaltschaft-ermittelt/29095792.html

3. Referentenentwurf des Bundesministeriums des Innern und Heimat für ein NIS-2-Umsetzungs- und Cybersicherheitsstärlungsgesetz – NISUmsuCG vom 20. Juli 2023, abrufbar unter https://intrapol.org/wp-content/uploads/2023/07/230703_BMI_RefE_NIS2UmsuCG.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.