The current significance of Directive (EU) 2022/2555 on cyber resilience (NIS-2), especially for the C-Level, is still underestimated. As a result of the new regulation, there is an immediate need for action here; no further implementing legislation is required in the core areas that concern the responsibility of management bodies. Responsibility and liability for insufficient precautions to avert cyber risks already exist on the basis of the current legal situation. NIS-2 “only” defines the standards of diligence, but in a level of detail that has not been customary at the legislative level.
Hacking as a business model
Many think a “hacker” is a “nerd” who sits behind his computer and spies on others on the World Wide Web in order to penetrate their systems. Far from it! Hacking is a (not even new) business sector with extensive infrastructure. A business model with everything that goes with it. Hacking software can be bought in the “hacking supermarket” on the dark web, hacking campaigns are prepared by hacking agencies. Negotiation for ransom payment is done through trusted middlemen/women and payment by cryptocurrency.
The business model also includes negotiation, and hackers (usually) end up supplying the decryption key to strengthen their business model (“hacker ethics”, so to speak).
Besides the blackmail model, there are also other business models, such as spying on trade secrets. In this case, the intrusion often remains unnoticed for a long time (at least until the hackers are sure that they have the relevant data and have possibly also secured corresponding routes for more convenient intrusion in the future). Then this business model is often combined with the previous one. In parallel, the data is sold for profit.
And beyond that, there are of course a multitude of variations of the diverse business models of hackers.
Who is at risk?
If a company now has relevant data (i.e. data that can be exploited) or an IT infrastructure whose ongoing availability is important for the functioning of the company, then such a company is (albeit involuntarily) part of the potential “clientele”.
Analysis of hacker attacks shows that hackers are often organised like companies and proceed systematically. This means that they sometimes conduct broad “campaigns” with a scattershot effect, and sometimes individual attacks, which they prepare accordingly, including by obtaining information on their attack targets.
An attack is not necessarily aimed directly at a company’s ICT system. The attack often begins with the procurement of information on ICT systems, sometimes starts in the personal environment of employees, or tries to find a gateway through various forms of social or business contacts.
The actual attack on the ICT systems is then often downstream and can affect any device that is connected in the respective system (including mobile phones).
However, the ultimate goal is always to penetrate the ICT systems. If such an attack is successful, it is usually too late to avert damage and then it is usually only a matter of minimising damage.
But cyber incidents do not only endanger the company itself; rather, the entire environment is at risk – employees, customers, contract partners, companies in the supply chain – and in some cases this also has wider social effects.
The damage caused by cyber incidents is substantial and in some cases threatens the very existence of the companies affected.
Damage is primarily caused by loss of data and secrets, shutdown of ICT or production systems, damage to reputation, claims for damages or penalties by authorities. The ransom demands themselves are usually not particularly relevant in comparison.
Liability of the C-Level
Governing bodies are liable for taking adequate precautions against corporate risks in general. A cyber incident may constitute such a risk, and if so, management bodies are liable for any damage made possible by their negligence according to general legal provisions (§ 25 GmbHG or § 84 AktG). This is because management bodies are personally responsible for the organisation of their company, especially for risk management and the internal control system (the internal control system is regulated by § 22 GmbHG and § 82 AktG). These regulations do not differentiate according to risk type; they apply generally, and therefore to every relevant risk in relation to a company, and hence also to cybersecurity.
New regulations through NIS-2
The new regulations on cyber resilience in Europe in the form of Directive (EU) 2022/2555 (“NIS-2”), among other things, set out precisely this responsibility and, what is now particularly important for management bodies, define the standard of care to be observed.
The paradigm shift is that the diligent conduct of the manager is now precisely circumscribed. For courts, such a definition of due diligence is consequently an obvious concretisation, at least in the context of cybersecurity, and in relation to other risks it is a good basis for an analogous application.
In themselves, the due diligence standards set out in NIS-2 are not really new. They are broadly in line with what jurisprudence and literature have already demanded in relation to the standard of care of a prudent businessman (business manager) and in relation to cybersecurity they are in line with the relevant norms and standards (such as ISO 27001).
Thus, management bodies must train themselves with regard to cyber risks and also ensure that their employees are trained. In addition, they must, among other things, identify the cyber risk for their company, develop an emergency plan and a catalogue of measures, and ensure implementation and control. The protection of business partners, the supply chain and the general public must also be taken into account.
What is the liability?
Those management bodies that do not observe or implement these standards of care are liable for damages suffered by the company. Unless special regulations are applicable, this liability is governed by the provisions of the GmbHG or AktG. The liability provisions of § 25 GmbHG and § 84 AktG stipulate that managing directors or board members must behave like diligent businessmen (business managers). Otherwise they are liable for the damage caused by faulty conduct. This standard of care is further specified by the above-mentioned regulations in NIS-2. This is a high standard of care and, combined with the reversal of the burden of proof also provided for by law, leads to a high hurdle for the responsible persons to prove that the necessary care was taken and that the damage was unavoidable in the case of a cyber incident.
It is also important to note that this responsibility is personal, cannot in essence be delegated, and represents an overall responsibility shared by all managing directors or board members. It is therefore not enough to hire a CISO or to entrust a single management body member with the topic.
Rather, it requires an ongoing engagement with the topic and the active participation of the management bodies. This does not mean that management bodies must become cybersecurity experts, but they must be able to assess the risk correctly and take the necessary precautions at the organisational level.
Responsibility of supervisory boards
This responsibility – somewhat mitigated, but nevertheless – also applies to supervisory board members.
The responsibility of supervisory board members is complex in other respects. On the one hand, it is the responsibility of supervisory boards to question whether appropriate measures have been taken with regard to cybersecurity.
In the event of damage as a result of a cyber incident, the supervisory board members are obliged to examine and, if necessary, enforce any claims against the executive board, otherwise they themselves would become liable. In this context, the aforementioned reversal of the burden of proof must be taken into account.
Management bodies must also bear in mind that in the event of a cyber incident, D&O insurance may not protect them, because failing to meet these standards of care is likely to constitute a grossly negligent or intentional breach. In addition, many insurance companies currently limit their liability for damages from cyber incidents in general.
Audit of annual financial statements
Since the risk management and internal control system must also be evaluated in the course of the audit of annual financial statements and, above all, the aspects relevant to financial standing must be taken into account, cyber risks will in future also be particularly relevant in the audit of annual financial statements.
What is to be done now?
The regulations concerning risk management in companies have been in force for a long time. NIS-2 (also in force since January 2023) merely specifies in detail the necessary diligence in this context. Such diligence needs to be applied immediately and without any further lead time. It is therefore important for the affected institutions to obtain an overview of what the relevant risk is as quickly as possible and then initiate the necessary measures.
NIS-2 also lists concrete governance and security measures to be implemented in the company. These include specific measures such as training and informing employees, risk assessment, developing a contingency plan and a list of measures to be implemented, creating appropriate policies regarding cyber risks (but also IT risks), taking care of implementing such policies and measures, and so on.
It is also important to take into account that cybersecurity measures affect all areas of the company and not only IT.
At Benn-Ibler, we have been working intensively on the topic of cybersecurity and liability since 2016. Our partner Dr Stefan Eder is a regular speaker at relevant conferences and is particularly active in training courses for management bodies.
In the context of cybersecurity issues, we advise on risk analysis, preparation of action plans, preparation of policies and all legal aspects related to cyber risks.
We have extensive in-house expertise in ICT (and lawyers with IT backgrounds) and work with cybersecurity specialists.