Cyber risks

The risk of companies falling victim to cyber attacks is on the rise. Although the types of attacks and their targets may vary greatly, they all have one thing in common – the potential to cause enormous damage to the economy. We take a 360° approach when advising our clients and bring together a wide range of expertise from different disciplines. This means you receive advice from a single source on preparing for and avoiding cyber attacks (“prevent”), detecting and immediately responding to attacks that have taken place (“react”) and pursuing claims in the medium and long term (“respond”).

Preparation (Prevent)

Cyber security and the protection of internal data and IT systems is a management task. Company managers will therefore always have to ask themselves whether their company is in a position to meet the regulatory requirements for cyber and data security and to minimise damage in the event of a cyber attack. There are special regulatory requirements for critical infrastructure operators and regulated industries. However, issues such as insurance, data protection and supply chain management also apply to all other industries.

Operators of critical infrastructure (section 8a of the German Act on the Federal Office for Information Security (BSI Act)) and digital services (section 8c of the BSI Act)

Critical infrastructure consists of organisations and facilities that have major significance for the community at large. Operators of critical infrastructure have special obligations to ensure the security of IT networks under sections 8a and 8b of the BSI Act. We will review jointly with you whether your company is to be classified as a part of the critical infrastructure.

If you are an operator of a critical infrastructure, we will also advise you on the special obligations under IT security law that affect your company, such as appointing a contact person to liaise with the Federal Office for Information Security (BSI), reporting IT incidents, implementing state-of-the-art IT security and providing proof of this to the BSI at two-year intervals.

Section 8c of the BSI Act places special obligations regarding IT security on providers of digital services. Digital services include online marketplaces, online search engines and cloud computing services. We review with you whether your company is to be classified as a digital service and advise you on how to comply with the special requirements for digital services.

Data protection requirements

The General Data Protection Regulation (GDPR) and the data protection laws of the federal and state governments regulate not only data protection, but also IT security. Data protection and IT security go hand in hand.

We advise your company on adapting your structures for organising and managing data protection or on adapting data protection documentation to meet the requirements of the GDPR and other federal and state data protection laws. Data protection contracts, company agreements, data protection organisation guidelines, internal data protection guidelines, declarations of consent and information to be provided to data subjects are particularly relevant. Together with you, we design, structure and implement organisational data protection structures and data protection management systems in your company, group or government body.

Emergency planning and management preparation

In order to minimise the damage caused by a cyber attack, it is crucial that all the people potentially involved are prepared as well as possible and know exactly what measures to take in the event of an emergency.

First of all, this includes having an effective emergency response plan tailored to the particular company. This should contain a description of the procedures to be followed in a critical situation, communication channels, contact information for important internal and external contacts, details of tasks assigned to the people responsible, rules for weekends, annual leave and public holidays as well as templates for any necessary reports and documentation.

However, an ERP on paper alone is of little help, since employees cannot be expected to put purely theoretical knowledge into practice in critical situations (which already put all those involved under huge pressure). To minimise damage in an emergency, it is essential to test the plan in real life. We can design a customised training programme based on the emergency response plan, your employee structure, industry and the specific features of your company.

Legal support for penetration tests

Many IT service providers offer measures to test the security of IT systems under the term “penetration test” or “legal hacking”. These are fictitious attacks coordinated with the company that put the company’s IT security to the test. The aim is to enable the company to better analyse its vulnerabilities afterwards.

Such tests undoubtedly make sense. What service providers do not offer, however, is legal support for such tests. For example, a penetration test normally leads to the service provider accessing data of third parties, especially suppliers or customers, with whom such a test is usually not agreed. Contractual confidentiality agreements may be breached here. Such tests also require consent under data protection law or documented considerations. All this requires careful preparation.

We support you in setting up, preparing and carrying out such penetration tests in order to increase IT security and to prevent the test from causing damage to the company.

Regulated industries

Critical infrastructure largely consists of regulated industries. In many cases, the legislator additionally regulates these industries through special laws. Regulations on IT security have therefore been partially integrated into the existing special laws for regulated industries such as Germany’s Telemedia Act (TMG), Telecommunications Act (TKG), Electricity and Gas Act (EnWG), Nuclear Energy Act (AtomG), Banking Act (KWG) and Insurance Regulation Act (VAG). We advise you on the legal requirements for IT security in regulated industries.

Duties of the management

Exclusions for cyber attacks in D&O policies have not been typical up to now. Bearing this in mind, management teams should take preventive measures in line with their duty of care. The action to be taken depends on how sensitive their company is to attacks. There are detailed requirements in place for critical infrastructure operators. But other companies will also have to follow these guidelines in a scaled-down form so that their management does not have to face accusations that they have breached their duty of care due to poor organisation. A key aspect for the management is that this task (again, depending on the potential impact of cyber attacks) is likely to be part of their management duties and that its core contents cannot be delegated. A failure to carry out this task would then not only affect the board member or managing director responsible for information technology, but the body as a whole.

Service level agreements with IT services

Safeguarding against liability risks after cyber attacks also includes reviewing the provisions regarding security and liability in contracts with IT service providers. Contractual agreements with service providers often focus on the regulation of service components such as scope of service, availability and response times. As a rule, the service provider will only have fairly vague contractual maintenance obligations based on the state of the art. At least where large outsourcing contracts are concerned, liability will also often be limited in an individual contract to absolute liability ceilings or percentage-based shares in liability.

Usually, it is rare to be able to file claims successfully against IT service providers with regard to major damage following cyber attacks. The contracts should therefore be reviewed to see what requirements have to be met in detail and who bears the risk of changes occurring after the contract has been entered into.

Supply chain management

While securing your own company against cyber attacks is already a major challenge, this is by no means the end of the list of obligations. Depending on the industry, it may be necessary to ensure that your entire supply chain takes safeguards and adheres to certain security standards.

We help you establish the standards relevant to your supply chain and draft the legal documents needed to implement them. Legally compliant wording of contractual terms and conditions, technical specifications and audit rights is of particular importance. But designing related documentation that is usable in practice, setting up communication processes and, finally, archiving records in your own company are also real challenges.

Insurance cover

The business and industry-related insurance products usually held by companies do not cover the policyholder against all losses and expenses normally incurred during a cyber incident. The cyber insurance policies increasingly offered on the market fill important gaps in such coverage. They offer additional insurance cover for certain liability claims resulting from a cyber attack, damage to one’s own company (such as business interruptions) and the costs associated with such an attack, e.g. for IT forensics and data recovery. When taking out cyber insurance, companies have to check what specific risks are covered. For example, not all products offered also cover all variants of a denial-of-service attack. Generally, is it essential to look out for hidden exclusions. The same applies to mistakes made by employees, a relatively frequent occurrence in practice. Besides this, it is important to check what protection already exists under the conventional insurance policies maintained by the company before taking out a policy.

Crisis response (React)

In the event of a cyber attack, a rapid response is crucial. It is vital to take all the key protective measures quickly, especially to preserve data and evidence and to pursue claims for damages. While technical support is crucial, on its own it is not enough. Real protection can only be achieved with the help of an experienced partner who has the specific critical situation in mind but also seeks to minimise damage in the long term by securing and pursuing claims. When an attack takes place, there are also many regulatory requirements, such as the duty to report. These are at least as important as enforcing claims because of the threat of liability.

Reporting obligations for operators of critical infrastructure

Operators of critical infrastructure that fall under the Federal Office for Information Security Criticality Regulation are subject to special notification obligations. They are legally obliged to notify the Federal Office for Information Security of significant disruptions to the availability, integrity, authenticity and confidentiality of their IT systems, components and processes (IT disruption) that could lead or have already led to a failure or impairment of the critical infrastructure they operate. For example, notification is always required if a failure or impairment of the critical infrastructure operated has already occurred. If a failure or impairment is possible but has not (yet) occurred, a report may still be required in individual cases, e.g. if an unusual IT disruption is concerned. The initial report must be made without undue delay: the principle of speed before completeness therefore applies here as an exception. If a company does not comply with these obligations, it may be subject to fines and possibly further official measures.

We check whether your company is obliged to report the specific IT disruption. We advise and assist you in reporting to the Federal Office for Information Security and other state agencies and represent your company in dealings with the supervisory authorities such as the Federal Network Agency. If your company has not complied with a reporting obligation or has failed to do so correctly, completely or in time, we will represent your interests in the administrative fine proceedings before the Federal Office for Information Security and other supervisory authorities.

Accompanying technical support

Securing your company against cyber attacks will always require the support of technical experts. Often, every second counts, so ideally the option of technical support will have already been examined in advance as part of an emergency plan. Even if this has not been done, we assist with the rapid and tailored selection of technical service providers.

Notification obligations under data protection law

After a cyber breach, the company must check without delay (usually within 72 hours) whether the incident has to be reported and to whom. If appropriate, it then has to report the attack to the competent authorities within this period.

Such a duty to notify normally arises from the applicable data protection laws, for example the EU General Data Protection Regulation (GDPR). Notification requirements may exist towards the supervisory authority, and where data is processed on behalf of a controller, towards the contractual partner as the controller under data protection law.

Ultimately, the company must always expect that a cyber attack will quickly become known to the public, especially if the personal data of consumers is affected. Proactively disclosing the incident can therefore also be the right step for reputational reasons.

We help you assess whether a duty to notify exists and, where applicable, whether and in what form customers and business partners should be proactively informed.

In the event of a discovered cyber attack, things have to move quickly. It is then primarily a matter of securing evidence as quickly as possible, recovering lost data and enforcing and securing claims against the damaging parties or third parties.

Prosecution and freezing of assets

Most attacks constitute criminal offences under German law. Denial-of-service attacks can be punishable as computer sabotage under section 303b(1)(2) of the German Criminal Code or as data manipulation under section 303a(1) and hacking as data espionage according to section 202a of the Code. Malware such as Trojans and ransomware can also be punishable as data espionage according to section 202a, data manipulation according to section 303a, computer sabotage according to section 303b or blackmail according to section 253 of the Code. In these situations, support is available from the prosecution authorities. Most of the federal states, including North Rhine-Westphalia, Bavaria and Baden-Württemberg, have now set up specialised public prosecution offices and their own units at the state criminal investigation offices. These units have a great deal of experience in cyber attacks and are able to intervene quickly and yet cautiously during investigative proceedings in order to ensure that the company’s IT systems continue to function to the greatest extent possible.

We are in close contact with the relevant investigative authorities and can judge whether it makes sense to involve them following a cyber attack. In such cases we provide assistance during the criminal proceedings in order to be able to safeguard and enforce the interests of the affected company in the best possible way.

If initiated quickly, criminal proceedings can also help trace and recover lost assets. Criminal procedure law meanwhile offers a wide range of possibilities, such as seizing assets, the benefits of which we evaluate and (where this makes sense) work to achieve with the prosecuting authorities.

In an international context, it is often necessary for foreign investigative authorities to be involved. This may lead to the German authorities starting procedures for mutual legal assistance or to foreign partner law firms being engaged to handle criminal prosecution and asset recovery in their jurisdictions. Whatever route is taken, we are there to support and coordinate these measures.

Obligations under insurance law

If the company has taken out an insurance policy to cover damage caused by a cyber attack, it has to meet certain obligations during the term of the policy, and especially if an insured event actually occurs. The company is typically required to report any cyber attack to the insurer without delay after becoming aware of it.

After falling victim to hackers, the company is faced by the challenge of providing its insurer with accurate and detailed information on all the facts needed to assess the claim and its legal implications. This often means the company for example having to report all the facts that might result in its responsibility towards a third party, i.e. that could trigger insured liability claims, within a week. Due to the complexity, there is a real danger that the company will not report potential liability risks towards business partners and third parties to the insurer because it fails to recognise them. However, if obligations are breached, the insurer may release itself from its obligation to pay out some or even all benefits depending on the degree of fault of the policyholder.

Disclosure under securities trading law and crisis PR

If a company affected by a cyber attack is listed on the stock exchange, it must report any breach without delay if it relates to inside information. In order to avoid further losses, such as liability for damages under section 97 of the German Securities Trading Act, the capital markets have to be informed without delay. This means that the issuer has to take organisational measures to bring about the necessary disclosure quickly. Postponing disclosure is only allowed in narrowly defined circumstances. The Federal Financial Supervisory Authority (BaFin) can also punish breaches by imposing fines. Where a breach is intentional, it may even result in the management board being held personally liable under section 826 of the German Civil Code. If the attack becomes public or there is a possibility that knowledge of it will enter the public domain, there is a risk of considerable reputational damage. This is why crisis communication towards clients, BaFin and the public should be considered at an early stage. We provide support in devising a communication and PR strategy.

Pursuit of claims (Respond)

Of course, it only makes sense to rapidly secure data and claims if claims are also brought against the perpetrators or third parties and claims by any other parties involved, especially customers, are effectively averted. We also support you in the long term in securing and recovering assets by conducting civil litigation, assisting in criminal proceedings and providing insurance-related advice. Crisis response is just the first step in this process, as it is often not possible to obtain compensation for the losses from the actual attackers. However, the potential claims to be examined do not end there. Claims against service providers, insurers and governing bodies are possible. Apart from this, there is often a need to defend oneself against claims from third parties.

Bringing claims against those involved

A key task following a cyber incident is identifying and pursuing claims by the company whose systems have been breached against the perpetrator or perpetrators. These perpetrators may be from inside or outside the firm. Against outside parties, tort claims mainly come into consideration, but in practice these can usually only be successfully enforced for “CEO fraud”. Where internal parties such as employees are concerned, contractual claims can be brought. In practice, combinations of internal and external parties are relevant if the breach is made possible (whether unintentionally or intentionally) by employees or planted assistants. A sub-category of this group of cases is claims against employees of the company affected, which in the meantime have even led to economically significant recovery in exceptional cases.

Prosecuting claims against perpetrators is often complex, especially if attacks originate from abroad, and calls for experience in the field of international procedural law and cross-border preservation of evidence. In this context, international legal assistance or requests for information under international conventions may also become relevant.

Directors’ and officers’ liability and D&O insurance

Finally, another aspect to be considered is the liability of the management according to section 93(2) of the German Stock Corporation Act and section 43(2) of the German Limited Companies Act for the economic consequences of a cyber attack. Making a claim against the management and the D&O insurer behind it, which is usually economically powerful, is a feasible option if the loss incurred is not adequately covered by other insurance policies, as is often the case. As far as can be seen, no judgments on this have yet been handed down. In the USA, however, the first settlements in D&O liability lawsuits have become public.

Criminal asset recovery and restitution

The revised law on criminal asset recovery not only provides for an obligation of the prosecuting authorities to secure assets, this at the beginning of preliminary investigative proceedings where possible; it also contains far-reaching arrangements making it easier for the injured party to receive compensation from the assets secured in this way. Notably, there is no need to enforce a claim under civil law if it is already clear from the criminal judgment and the confiscation that the injured party has a claim.

We examine and evaluate for you whether it makes sense to secure and enforce a claim with the help of criminal procedural regulations and whether such a path is advisable in isolation or alongside civil law claims. The findings of the investigating authorities can also be used to enforce claims under civil law, not only against the perpetrators but also against third parties such as any service providers or credit institutions involved.

Pursuing claims against service providers

In addition to claims against the perpetrator itself, contractual or tortious claims for damages by the compromised company against service providers may be considered if the software used in the company does not comply with the state of the art in science and technology or has security vulnerabilities. Software that a company has purchased and implemented to protect itself against cyber attacks must have complied with the state of the art in science and technology when it was placed on the market. Warnings must be issued about any vulnerabilities that have emerged. If necessary, the gaps must be closed by updates. In this context, obligations of manufacturers to monitor their products are relevant in practice because security software must be updated on a continuous basis to keep pace with advances in potential malware. Recognised market standards can be used as a benchmark to assess whether parties involved in the IT product have fulfilled their obligations properly.

Insurance cover

An important aspect of compensation for damage suffered is the timely and formally correct filing of claims for insurance cover under existing business liability, property and cyber insurance policies. In certain situations, this may require extensive processing and compilation of the facts as well as a legal review of what specific damage is insured under which insurance product or what damage it would also be advisable to claim for. Insurers often offer partially overlapping protection for the same or similar risks in different insurance segments. Companies should therefore carefully check which losses should be claimed for, and to what extent, before making insurance claims.

Defending against customer claims

A successful cyber attack may have an impact not only on the affected company, but also on the company’s customers. This can trigger claims for damages by the customer against the company.

We act for your company in and out of court to defend it against claims brought by customers. Where necessary, we carry out internal investigations to establish the facts of the case and to secure evidence that can be used in court. We can develop a strategy with you in response to customer complaints (whether existing or anticipated). Our expertise covers alternative dispute resolution, litigation before national courts, arbitration proceedings, conducting and managing mass actions, handling large-scale proceedings, and collective legal protection such as defending against model declaratory actions.