Functioning cybersecurity is a matter for the boss. The board of directors of a public limited company, and no one else, is responsible for this. This task can neither be delegated nor outsourced. If there is no adequate cybersecurity and a hacker attack causes damage to the company, the board members are personally liable to the company (with their salary, their house, their savings, etc.) for all damages if they have not taken adequate care of functioning cybersecurity measures.
Many board members are not (fully) aware of this situation. By pointing to a division of labour within the board, cyber insurance for the company, the D&O insurance obligatory for executives or the company's lack of attractiveness as a target for hacker attacks, board members think they are safe and absolved of liability.
The staff and data protection officers tasked with setting up functioning cybersecurity in the company regularly fail with project plans and budget requests due to the misconceptions of relevant decision-makers. The board considers the requested projects and measures only as cost items. The dangers are not recognised, are denied or are misjudged. However, the realisation that functioning cybersecurity protects the existence and functionality of the company just as much as the personal economic existence of the board of directors significantly increases the board's willingness to approve the budget.
Raising the board's awareness of the aforementioned circumstances is not only a sure way to the desired budget, but also an effective measure to secure the jobs of all employees against dangers resulting from damage to the company due to a hacker attack. Even if the board of directors is fully liable after a hacker attack, the damages are often so high that they cannot be compensated by recourse to the board of directors. The company and thus the jobs of all employees are exposed to a concrete threat to their existence.
In his lecture, in-house lawyer Ferdinand Grieger (Deutsche Gesellschaft für Cybersicherheit mbH & Co. KG) explains the basis of liability for AG board members and clears up the most common misunderstandings about exculpation through the classic exculpation mechanisms. He thus provides you with the necessary, legally relevant arguments for the next budget negotiation. With these arguments, you can both push through your desired budget and create the very important awareness on the board of the dangers of a lack of cybersecurity. Not only the board, but the entire company, its employees, shareholders, customers, suppliers and related companies can thus be effectively protected from the existential dangers of a lack of cybersecurity.