Cybersecurity compliance management: implementing legal cybersecurity requirements in a strategic manner

Cybersecurity as a Risk and an Opportunity

The use of digital technologies is a critical success factor for companies and a requirement for survival on the market in nearly every sector. As a result, products are becoming increasingly digitized and interconnected (e.g. in connection with the IoT), and the same is true of production equipment (e.g. Industry 4.0 and the Smart Factory). The use and exchange of data are no longer limited to individual companies and increasingly take place across the entire supply chain. As processes become more interconnected, operators become more dependent on one another: an IT security incident at a single supplier can affect the entire supply chain, and may even affect the safety of a product on the market.

Companies should therefore take preventive action to identify possible risks and threats and to protect their corporate structures. Attacks come in a wide variety of forms. At the technical level, companies face risks e.g. from malware, identity theft, social engineering and advanced persistent threats, which target and obtain specific information. But deficient IT security also poses legal risks, given the increasing amount of regulation. With ever narrower rules for the implementation of IT security requirements, even slight deviations may result in severe fines or contractual penalties, even outside the scope of data protection law. Moreover, if an IT security incident actually occurs, companies will typically face warranty and damage claims from customers and data subjects.

Accordingly, companies operating on the market which plan to digitize successfully must ensure not only that the technical requirements are implemented, but that the legal requirements are satisfied as well. Doing so is much harder than one might think, since there is no uniform statute at either the national or the European level which defines the general security requirements for companies in a binding manner. Rather, the legal framework consists of many different individual regulations, some of which apply to companies in general and some of which apply only to specific industries or products.

Cybersecurity Compliance Management Reduces Legal Risks

As a result, companies need a cybersecurity compliance management system, both for the company as a whole and for specific products, which identifies the legal requirements and obligations applicable to the company and helps with their subsequent implementation. For example, the requirements considered by the cybersecurity compliance management system may include rules for the protection of business secrets and know-how from industrial espionage. Here as well, digitization is playing an increasingly significant role, e.g. in connection with the use and protection of machine-generated data. Aspects of IT security law are also coming to the fore right now, as data protection risks have since the introduction of the General Data Protection Regulation (GDPR). In accordance with Article 24(1) in conjunction with Article 32(1) of the GDPR, companies are required to provide adequate protection when processing personal data. The GDPR does not prescribe any specific measures, so the selection of appropriate measures falls within the company's own sphere of responsibility; the company must be able to demonstrate that the measures it chose are appropriate to the risk. Given the digital transformation of the automotive industry, more extensive regulations are constantly being adopted for manufacturers and suppliers in that sector.

IT security requirements may also arise e.g. from tax regulations, such as the Tax Code. Companies also should not lose sight of indirect IT security requirements, such as those arising from product liability claims or from the law governing warranties for defects, which was heavily amended recently by the Digital Content Directive.

Depending on the industry and the product, there may also be specific regulations for economic activities which involve elevated risk. In these cases, lawmakers consider the general regulations to be insufficient and insist upon the satisfaction of stricter minimum standards in areas where the risk is particularly high, subject to closer supervision.

One example is the statutory requirements for operators of critical infrastructure which, in accordance with § 8a(1) Sentence 1 of the BSI Act, are required to take "adequate organizational and technical precautions" for the IT systems, components and processes on which their critical functions depend. Pursuant to § 8a(3) of the BSI Act, they are also subject to closer supervision by the Federal Office for Information Security (BSI), to which they must regularly furnish evidence that those precautions are in place. Germany's IT Security Act 2.0, which is currently going through the legislative process, will include a whole series of relevant and extensive changes relating to critical infrastructure.

Another example, this time in the field of health care, is that of digital health applications and prescription health apps, for which special regulations have been adopted with the entry into effect of the Digital Care Act on 19 December 2019. Digital health applications require approval from the Federal Institute for Drugs and Medical Devices (BfArM), for which, in accordance with § 139e(2) Sentence 2 of Book V of the Social Code, applicants are required to furnish documentation that the digital health application ensures "data security consistent with the state of the art." In order to further specify these requirements, the Federal Ministry of Health has adopted the Digital Health Applications Ordinance pursuant to § 139e(9) of Book V of the Social Code. This Ordinance goes beyond the provisions of the GDPR, e.g. by restricting data transfers to third countries, and creates extensive IT security requirements via § 4(1) of the Ordinance in conjunction with Annex 1.

Conclusion and First Steps Towards Cybersecurity Compliance

Given the complexity of the current legal situation, and the existence of hidden or indirect IT security requirements in some cases, reducing legal cyber-risks will be a growing challenge for companies. Companies should counter this risk by establishing a cybersecurity compliance management system. In doing so, we typically take the following steps together with our clients:

  • identifying the applicable laws and requirements for each company and product;
  • deriving cybersecurity requirements from them;
  • weighing risks;
  • developing, adapting and documenting a comprehensive IT security concept;
  • considering legal interactions (e.g. reporting duties, as well as protection of secrets);
  • taking legal measures to protect the IT security concept (e.g. through non-disclosure agreements, as well as legal incident response for IT security incidents);
  • continuous monitoring for new regulations (early identification) and routine supervision of implementation.
