Editorial Board
Guest comment by Jürgen Weiss, Managing Director, ARES Cyber Intelligence.
Every day we see new headlines about "hacker attacks" or "cyberattacks" in the media. In many of these cases, the event itself happened weeks earlier. You may well ask why. In crisis management, we never pass information to the outside in an uncontrolled manner: doing so would harm the overall picture of the situation and the progress of any negotiations. We know from many of our operations that cybercriminals also follow the media closely in cases like this. As cyber experts, we are committed to helping affected businesses contain or minimize the damage caused as quickly as possible. This minimization of damage also has a bearing on the liability of the GmbH's management.
90 percent are not ready
In 90 percent of incidents, companies and their management are only partially prepared or, in the worst case, not prepared at all. Roughly speaking, crisis or emergency plans have been drawn up, but in most cases these plans do not work in the event of a cyberattack. The result is stressful situations, decisions made without a sound basis, and, from the entrepreneur's point of view, worst-case scenarios that are never evaluated. Those affected desperately try to get rid of the problem quickly. Paying the ransom should never be the first option!
Managers can be responsible
A manager’s liability for cyberattacks depends on the laws of the country in which the company operates and the specific circumstances of each case.
In general, a CEO can be held personally liable for a cyberattack if it can be shown that he was directly involved in the incident or failed to take appropriate action to protect the company's systems and data.
For example, if the CEO was aware of vulnerabilities in the company's cybersecurity systems and did nothing to fix them, he could be liable for any damage caused by a subsequent cyberattack.
In some cases, the manager can also be held liable for losses incurred by clients or other third parties as a result of a cyberattack. This may be the case, for example, when a manager is responsible for the security of personally identifiable information, such as credit card numbers, and fails to take adequate steps to protect that information.
There is also a risk that the managing director will be sued if he is not the 100 percent owner of the company he is in charge of. In this case, once the company has suffered financial damage from a cyberattack, the managing director can be held liable if he failed to prevent or reduce that damage by maintaining an effective cyber protection umbrella and obtaining appropriate cyber insurance. Omitting this precautionary measure will be regarded as a breach of the managing director's statutory duty of care and give rise to corresponding liability.
Many are wondering whether the risk can simply be transferred by taking out cyber insurance. The answer is no. Just as a vehicle must pass its TÜV inspection, the technical operational integrity of the IT system must be proven. Neither comprehensive nor liability insurance will pay anything if the requirements are not met.
Cyber security should be on the daily agenda; engage an outside sparring partner. Plan your cyber security budget and arrange for ongoing security checks and vulnerability analyses to be performed by professionals. Test your emergency plans, or set up emergency plans and a crisis management team if you do not yet have them.
If you would like legal advice on this subject, you will find the contact address and more information in the information box.
Comments on LEADERSNET always reflect only the opinion of the respective author, not that of the editorial team as a whole. In the spirit of pluralism, we try to give space to different points of view; this is the only way to create a constructive discussion. Comments may be one-sided, flattering or caustic, and they do not claim to be objective.