Cybersecurity compliance management: implementing legal cybersecurity requirements in a strategic manner

Cybersecurity as a Risk and an Opportunity

The use of digital technologies is a critical success factor for companies and a requirement for survival on the market in nearly every sector. As a result, products are becoming increasingly digitized and interconnected (e.g. in connection with the IoT), and this is true of production equipment as well (e.g. Industry 4.0 and Smart Factory). The use and exchange of data are no longer limited to individual companies, and are increasingly taking place over the entire supply chain. As processes become more interconnected, operators are becoming more dependent on one another: an IT security incident for a single supplier could affect the entire supply chain, and may even affect the safety of a product on the market.

As a result, companies should take preventive action in an effort to check for possible risks and threats and protect their corporate structures. Attacks may come in a wide variety of forms. At the technical level, companies face risks e.g. from malware, identity theft, social engineering and advanced persistent threats, which seek to target and obtain specific information. But deficient IT security also poses legal risks, given the increasing amount of regulation. With narrower rules for the implementation of IT security requirements, even slight deviations may result in severe fines or contractual penalties, even outside the scope of data protection law. Moreover, if an IT security incident actually occurs, companies will typically face warranty and damage claims from customers and data subjects.

Accordingly, companies operating on the market which plan to successfully digitize must ensure not only that the technical requirements are implemented, but that the legal requirements are satisfied as well. But doing so is much harder than one may think, since there is no uniform statute at either the national or European level which defines the general security requirements for companies in a binding manner. Rather, the legal framework is comprised of many different individual regulations, some of which apply to companies in general and some of which apply only for specific industries or products.

Cybersecurity Compliance Management Reduces Legal Risks

As a result, companies need a cybersecurity compliance management system, both for the company as a whole and for specific products, which identifies the legal requirements and obligations applicable to the company and helps with their subsequent implementation. For example, the requirements considered by the cybersecurity compliance management system may include rules for the protection of business secrets and know-how from industrial espionage. Here as well, digitization is playing an increasingly significant role, e.g. in connection with the use and protection of machine-generated data. Aspects of IT security law are also coming to the fore right now, as have data protection risks since the introduction of the General Data Protection Regulation (GDPR). In accordance with Article 24(1) in conjunction with Article 32(1) of the GDPR, companies are required to provide adequate protection when processing personal data. The GDPR does not define any specific measures, so that the selection of appropriate measures falls within the company’s sphere of responsibility. Given the digital transformation of the automotive industry, more extensive regulations are constantly being adopted for manufacturers and suppliers.

IT security requirements may also arise e.g. from tax regulations, such as the Tax Code. Companies also should not lose sight of indirect IT security requirements, such as those arising from product liability claims or the law governing warranties for defects, which was heavily amended recently by the Digital Content Directive.

Depending on the industry and the product, there may also be specific regulations for economic activities which involve elevated risk. In these cases, lawmakers consider the general regulations to be insufficient and insist upon the satisfaction of stricter minimum standards in areas where the risk is particularly high, subject to closer supervision.

One example is that of the statutory requirements for operators of critical infrastructure which, in accordance with § 8a(1) Sentence 1 of the BSI Act, are required to take “adequate organizational and technical precautions” in cases involving elements with critical functions. Pursuant to § 8a(3) of the BSI Act, they are also subject to closer supervision by the Federal Office for Information Security (BSI). Germany’s IT Security Act 2.0, which is currently going through the legislative process, will include a whole series of relevant and extensive changes relating to critical infrastructure.

Another example, this time in the field of health care, is that of digital health applications and prescription health apps, for which special regulations have been adopted with the entry into effect of the Digital Care Act on 19 December 2019. Digital health applications require approval from the Federal Institute for Drugs and Medical Devices (BfArM) for which, in accordance with § 139e(2) Sentence 2 of Book V of the Social Code, applicants are required to furnish documentation that the digital health application ensures “data security consistent with the state of the art.” In order to further specify the requirements, the Federal Ministry of Health has adopted the Digital Health Applications Ordinance pursuant to § 139e(9) of Book V of the Social Code. This Ordinance tightens provisions of the GDPR, e.g. relating to data transfers to third countries, as well as creating extensive IT security requirements via § 4(1) of the Ordinance in conjunction with Annex 1.

Conclusion and First Steps Towards Cybersecurity Compliance

Given the complexity of the current legal situation, and the existence of hidden or indirect IT security requirements in some cases, reducing legal cyber-risks will be a growing challenge for companies. Companies should counter this risk by establishing a cybersecurity compliance management system. In doing so, we typically take the following steps together with our clients:

  • identifying applicable laws and requirements for each company and product;
  • deriving cybersecurity requirements;
  • weighing risks;
  • developing, adapting and documenting a comprehensive IT security concept;
  • considering legal interactions (e.g. reporting duties, as well as protection of secrets);
  • taking legal measures to protect the IT security concept (e.g. through non-disclosure agreements as well as IT legal incident response);
  • continuous monitoring for new regulations (early identification) and routine supervision of implementation.
