AVOID CORPORATE LIABILITY IN THE EVENT OF HACKER ATTACKS

09.10.2023

A hacker attack often causes a great deal of damage, and not only for the company: managing directors are also personally liable for damages if they fail to meet regulatory requirements.

No company works purely analog anymore. Bank transfers, appointment bookings, customer contact: they are all central elements in a company's day-to-day business and thus simultaneously represent a potential risk for IT security and solvency. The probability of a company falling victim to a hacker attack is quite high. Attacks occur 24/7 all over the world. The decisive question is how high the potential damage is, which in turn depends on how well IT infrastructure and security are developed, how well employees are trained and how resilient the company is. The size of a company, on the other hand, plays no role in how likely it is to become the victim of an IT security incident. Since many attacks are now semi-automated, the more relevant factors are how exposed the company's access points are and how easily hackers can spread throughout the IT infrastructure once inside.

In the event of a serious ransomware attack, the company may no longer be able to function and may additionally have to pay a ransom to the blackmailers. In the worst case, the company is unable to resume operations at all after the attack because business-critical data (e.g. construction plans, customer data, accounting data) has been lost, making a restart no longer economically viable. Insolvency then marks the end of the attack.

If IT security is neglected, management is playing with their own insolvency

No company can afford to repeatedly have to shut down operations due to hacker attacks. If nothing is done to ensure IT security, this can also be seen as a negligent risk of insolvency and management can be held to blame. In such a case, piercing the corporate veil can occur if they have not fulfilled their duty to avert damage from the company and the losses could have been avoided with a good IT security strategy. Of course, not every managing director needs to be informed about the latest technical innovations in detail. But they should at least have a basic knowledge of the levers for improving their own IT security, have it regularly checked from the outside, see IT security as a task for the entire company and provide the IT department with sufficient resources.

If a managing director can be shown to have acted with gross negligence, for example by providing inadequate protection against hacker attacks, shareholders could hold him personally responsible and claim damages. The definition of negligence in such cases is currently a much-debated topic. One important point of reference is the BSI baseline protection, which, however, can be interpreted very broadly. The question of whether managing directors can be held responsible for security breaches usually depends on the size of the company and the individual circumstances. However, the BSI's baseline protection has been around for quite some time, and the longer companies fail to implement its requirements, the more critically that decision is assessed and the more readily it is seen as negligent. This can be illustrated with a specific example: in a company with around 100 employees, failure to implement multi-factor authentication (MFA) is now considered negligent. In such cases, the managing director could be held personally liable. The applicable regulations for such cases are constantly changing and ultimately depend on the respective court ruling. Nevertheless, it is clear that the legal standards – and thus the expectations placed on entrepreneurs – are rising steadily, not least because of the growing threat of cybercrime.