Defense against cyber-attacks
We help our clients prepare their infrastructure and business processes for criminal attacks by hackers. In the event of successful attacks, we provide comprehensive advice on response options, crisis communication, and compensation claims.
Criminal hackers attack the IT infrastructure of companies thousands of times every day. A successful attack can lead to loss of data or even render the affected company inoperable for weeks or months. Ransomware attacks, in which attackers encrypt or steal data and try to extort large ransom sums from their victims, pose a particular threat. Unfortunately, they are often successful.
Pohlmann & Company provides comprehensive advice on all issues of preventive as well as reactive cyber defense. We assist our clients in their preparatory efforts, such as creating contingency plans and processes, and determining specific regulatory requirements.
When an attack has occurred or is still ongoing, we advise on mitigation measures and regulatory obligations, represent our clients before law enforcement authorities, and assist with actions to secure and prosecute claims.
- To minimize damage from cyber-attacks, every potentially involved person should be well prepared and know exactly what measures to take in the event of an emergency.
- Preparedness depends on a functioning emergency plan that is individually tailored to your company. The plan describes the processes to follow in a crisis, alternative communication channels for use when IT communication is disrupted, contact information for internal and external contacts, task assignments to responsible persons, and templates for all notifications and documentation required by authorities and customers.
- However, the best emergency plan is of little help if your employees have not internalized it and cannot apply it in the event of a crisis. Therefore, it is particularly important to test the emergency plan in practice in order to minimize damage in the event of an emergency. Based on the emergency plan, the employee structure, your industry, and the specifics of your company, we will be happy to work with you to develop a customized training program so that you are optimally prepared for cyber-attacks.
- The usual insurance products regularly do not cover all the damage and expenses incurred in the event of a cyber-attack. Cyber insurance policies make an important contribution to closing such gaps. They provide additional coverage for certain liability claims that may result from a cyber-attack, for first-party losses (such as business interruption), and for the costs associated with such an attack, e.g. costs for IT forensics and data recovery. Even where there is no specific cyber insurance coverage, other policies may respond, e.g. the business liability insurance of IT service providers or business interruption insurance.
- In an emergency, it is crucial to fulfill insurance law obligations and to involve the insurer at an early stage, for example when deciding whether law enforcement authorities should be involved or what technical support should be called upon. We provide you with comprehensive advice on insurance law requirements and on measures to safeguard claims against the insurer.
- Organizations and facilities of particular importance to the state, whose failure or impairment could result in lasting supply shortages, significant disruptions to public safety or other dramatic consequences, are defined by law as “critical infrastructures” (CRITIS). Operators of critical infrastructures are subject to special IT security obligations under Sections 8a and 8b of the German Act on the Federal Office for Information Security (BSIG). These obligations are dynamic and evolve with the state of the art.
- We advise you as an operator of a critical infrastructure on your special IT security notification obligations. In particular, we check whether your company is obliged to report specific IT malfunctions. We advise and accompany you in reporting to the BSI and other supervisory authorities such as the Federal Network Agency (Bundesnetzagentur).
- Depending on the industry, it may be necessary for your company not only to take care of its own IT security, but also to take protective measures and maintain a certain security standard throughout its supply chain. These duties are often driven by contractual commitments.
- We support you in securing your rights vis-à-vis suppliers and customers, for example in implementing reporting obligations and contractually owed mitigation measures, as well as in defending claims for damages due to disrupted supply chains.
- In the event of a cyber-attack, things have to move quickly. The main tasks are to secure evidence as quickly as possible, recover lost data, and prepare possible recourse claims against the damaging party or third parties. The vast majority of attacks constitute criminal offenses under German law, so the assistance of law enforcement agencies may be called upon. Most German states, including North Rhine-Westphalia, Bavaria, Baden-Württemberg, and Hesse, maintain specialised central public prosecutor's offices for cybercrime. These have a great deal of experience with cyber-attacks and can intervene quickly and with the necessary understanding of the exceptional situation.
- In addition, German criminal law now offers effective options for comprehensive asset recovery. It may also be possible to trace payment flows with the help of the investigating authorities. We are in contact with the relevant authorities and, in the event of an attack, can quickly assess whether it makes sense to involve them.
- If the investigating authorities demand the handover of sensitive data, such as log files, we ensure that the procedure is conducted lawfully and rests on a proper legal basis under criminal procedure law. We ensure that companies do not breach their own obligations by hastily complying with requests from law enforcement authorities.
- Successful crisis management also requires well thought-out crisis communication. Business partners, customers, investors, and authorities must be informed in a legally compliant and appropriate manner. Significant damage, particularly loss of reputation and impaired investor confidence, can result from incorrect or ill-considered communication. This applies in particular to listed companies that are subject to ad hoc disclosure obligations.
- Our team will advise you on the legal obligation to issue an ad hoc announcement and, if necessary, on its content. In the context of general crisis communication, we advise you on the legal framework and, if necessary, put you in touch with proven communication consultants.
- After a cyber-attack in which a company must fear that personal data has been affected, exfiltrated, or even published, the company must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33 GDPR). Processors are subject to analogous notification obligations vis-à-vis the controller. For operators of critical infrastructures and digital services, there are more extensive notification obligations to the Federal Office for Information Security pursuant to Section 8b of the German Act on the Federal Office for Information Security (BSIG).
- In addition, there are special legal notification obligations, for example for operators of public telecommunications networks and providers of publicly accessible telecommunications services, for operators of energy supply networks and energy plants, and for holders of nuclear licenses. We provide support in the evaluation of notification obligations and, if necessary, in their implementation.
- IT security is a matter for the management: the executive bodies are responsible for the appropriate design of security measures. The required measures depend on the risk exposure of the respective company. For operators of critical infrastructures, there are particularly detailed requirements. But other companies will also have to follow these guidelines in a scaled-down form so that their management does not face accusations of having failed to exercise the necessary due diligence.
- If an incident occurs, accusations that company officers have breached their duties are a real possibility. Often, a D&O insurance policy can also respond here; exclusions for cyber-attacks in D&O conditions are not yet common across the board.
- In consultation with the company and supervisory bodies, we examine possible board culpability and provide support in securing and enforcing claims.
- Companies that pay the ransom demanded in ransomware attacks keep this secret for good reason. It would be desirable for society at large that no ransoms are paid, in order to dry up the market for such attacks. However, in individual cases, the economic pressure to give in to a ransom demand can be immense. This is a decision that each affected company must take for itself.
- As legal advisers, we can support you in reaching such a decision with legal certainty. For example, a ransom payment may carry a risk of criminal liability for alleged financial support of a criminal organization, as well as the risk of violating EU or US sanctions law, especially where country-specific embargoes apply. We will review with you, with an open mind, the specific legal framework applicable to your company and the concrete situation, the scope for a discretionary decision in accordance with the Business Judgement Rule, and the necessary involvement of supervisory bodies, shareholders and insurers, in order to enable you to arrive at a legally sound decision.