Cybersecurity
Cyber risks are ever-present in the modern business world. Like all other risks, they must be carefully managed. The legislators have reacted to this and introduced a wide range of rules and regulations. Noerr provides you with broad-based support at all stages of the cyber security process, ranging from preparation and crisis management to the pursuit and enforcement of claims. If required, we have a large network of specialists we can rely on. Our advice is customised and is targeted at all relevant stakeholders. We understand the needs of corporate legal departments, management and information security officers alike.
Supporting you during and after emergencies
Has your company fallen victim to a cyber attack? Contact our team of experts for quick and competent help. You can also contact us directly at Noerr-Team-CR@noerr.com.
Our best-practice first responses can be found here: Guide [German only]
Involving insurance companies
Many companies have an insurance policy in place which may also cover cyber damage. It is essential to involve the insurance provider at an early stage in these situations so that the requirements under insurance law are met. At the same time, many policies also contain the obligation to involve certain named specialist service providers who take on a coordinating role.
We help you identify the right time to report the incident and communicate with insurance providers.
Fulfilling duties to report
The reporting deadlines are sometimes very short, and the competent authorities take them very seriously. The various laws contain different definitions of IT security incidents which have to be borne in mind. The common factor in most of these laws is that the protective goals of confidentiality, integrity, authenticity and/or availability of data must have been compromised. Under some laws, a duty to report is only triggered once additional conditions apply.
You can find a list of all reporting duties here.
Involving the investigating authorities
For commercial enterprises there is also a central police agency serving as a point of contact for cyber crime, the Zentrale Ansprechstelle Cybercrime der Polizeien (in German only), which can be contacted in connection with a cyber crime offence.
It is often in a company’s interests to inform the law enforcement authorities. The authorities are able to help investigate the cyber attack by exercising their public powers to investigate.
Dealing with demands for ransom
One of the most frequent forms of cyber attack is the ransomware attack, where the attackers' goal is to blackmail the victims into paying a sum of money. They either encrypt the data or threaten to publish it unless payment is made.
The companies affected then have to decide whether to pay the ransom or whether there are other solutions open to them (for example backups that are not affected). From a legal point of view, there are several aspects to bear in mind when possibly paying a ransom:
Criminal and sanctions law: a ransom payment may be seen as supporting a criminal organisation or as money laundering. This has to be weighed against reasons serving as a justification or excuse.
If it is clear where the attackers are from, it is necessary to look into whether there is a risk that the company will breach foreign trade law and be subject to a penalty.
Business judgment rule: the governing bodies have to look into whether arranging for a ransom to be paid is compatible with their duties as directors and officers (the “business judgment rule”).
We help you answer all these questions by providing reliable expert opinions.
Duties to make public
When some cyber attacks take place, it may be necessary to publish an ad hoc disclosure under capital markets law. We assist you in reviewing whether such a disclosure is necessary and advise you on what exactly to report.
Defending against third-party claims (especially by customers and business partners)
A successful cyber attack may not only impact your company but also your customers, potentially leading to claims for damages.
We help your company defend itself against such claims, both in and out of court. Where needed, we carry out internal investigations to secure evidence and develop a strategy for responding to customer complaints.
Our expertise covers alternative dispute resolution, litigation before national courts, arbitration proceedings, conducting and coordinating mass proceedings, and conducting large-scale proceedings and collective redress such as German actions for collective declaratory judgments.
Cyber security compliance and business contingency plans
Apart from meeting the new, more extensive cyber security obligations as they come into force, management should make sure that compliance structures which meet the requirements are in place.
We identify the relevant statutory rules and regulations for you and support you in implementing the required compliance measures.
Irrespective of applicable legal statutes such as NIS2 or CRA, management bodies are required to implement cyber security in their companies. This also includes having a good knowledge of the legislation and current developments – for instance by taking part in training seminars. In this way you can avoid damage and liability on the part of the company, and likewise avoid being held liable yourself as a member of the management. The more specific the legislative requirements are, the less room for discretion members of the management have.
Thanks to our global network, Lex Mundi, and our partnerships with people who are experts in their own fields, including IT security specialists, data protection officers, forensic experts and crisis communication consultants, we are able to offer you seamless advice and support across specialist areas and national borders.
Identifying relevant statutory requirements
Over the last few years, legislators at both the European and national levels have issued new cyber security rules. Recent examples include the NIS2 Directive, the Cyber Resilience Act (CRA), the German Critical Infrastructure Umbrella Act (KRITIS-Dach-Gesetz), DORA, RED and the AI Regulation. These regulations each cover different areas. We help you review whether you fall under these legal statutes.
Cyber security in the supply chain
Apart from implementing compliance measures in a company’s own business, the need to guarantee an appropriate level of cyber security in the supply chain is increasingly taking centre stage. Depending on the industry, it may be necessary to ensure that your entire supply chain puts safeguards in place and maintains a certain level of security.
We take a hybrid approach to help you implement such contractual projects. Apart from designing boilerplate contracts, for more critical services we revise your existing contracts to ensure that they are tailored to the specific purpose. This is a suitable course of action above all for large-scale projects, for example where companies fall under NIS2 or when implementing DORA, where it is necessary to incorporate new cyber security requirements into a large number of contracts.
Cyber security for products
We also assist you in identifying and implementing specifications focusing on the cyber security of the products you manufacture or offer. This may include legal reviews of the certification framework for products, services and processes in the field of information and communication technology based on the Cyber Resilience Act.
Moreover, new requirements exist specifically for automobile manufacturers with regard to the cyber security of vehicles. New vehicle types and new vehicles must have a certified cyber security management system, which is a prerequisite for type approval.
Ensuring effective insurance cover
The industrial insurance policies companies normally maintain do not insure the policyholder against all losses and expenses that typically arise during a cyber incident. Cyber insurance closes important gaps in coverage. It offers additional insurance cover for certain liability losses resulting from a cyber attack, first-party losses (such as business interruption) and the costs associated with such an attack, e.g. for IT forensics and data recovery.
We review the terms and conditions of your cyber insurance policies and make sure that you have all-round protection for a cyber security incident. For example, not all variants of a denial-of-service attack are insured under all products available on the market. As a general rule, it is vital to look for hidden exclusions of coverage. The same applies to mistakes made by employees, which are frequently the cause in practice. Before signing a policy, it is also important to check what coverage is already provided by the conventional insurance policies held by the company.
Solid governance as a backbone of cyber security
Besides requiring technical measures to be implemented, cyber security rules also oblige companies to implement adequate organisational measures. This includes creating a clear and robust IT security governance system within the company. It is important to define precisely which roles in the company are responsible for which tasks. This cyber security governance system must be clear and comprehensible, and therefore operationally feasible, and should be incorporated into the existing governance frameworks.
We work with you to design and implement the organisational structures for IT security and an IT security management system. In the process, you also profit from our broad expertise on data and AI governance.
Training
When the rules in the NIS2 Directive and DORA soon come into force, the duties of the management will be defined in even more detail. Specifically, managers as well as staff will have to take part in training on a regular basis. The authorities are already making clear that they take these requirements seriously.
Apart from customised training programmes, we also offer standard products for your company to ensure that the legal requirements to take part in training are complied with and documented. This helps prevent accusations, in a worst-case situation, that the organisational structures breach the duty of care.
Business contingency plans
In order to minimise the damage caused by a possible cyber attack, it is crucial that all the people potentially involved are prepared as well as possible and know exactly what action to take in a worst-case situation.
We use our wide-ranging experience gained from many cyber attacks and data privacy breaches in diverse industries and lines of business to prepare your company as ideally as possible. We supply tailor-made solutions for your business contingency plan so that you can keep a cool head if an incident actually occurs.
Such a contingency plan comprises a description of the procedures in the event of a crisis, communication channels, contact information for important internal and external contacts, assignment of tasks to the people responsible, arrangements for weekends, annual leave and public holidays as well as templates for any necessary reports and documentation.