20.09.2024 / article from PKF Nachrichten 09/2024
by RA [German lawyer] Dr Gerrit Hötzel / Oliver Völkl

The implementation of IT controls makes it possible for managing directors and companies to avoid the risk of being held liable for failures in the IT department. IT security is of the utmost relevance not just for large companies, but also for small and medium-sized enterprises. Just how important it is was seen again only recently, on 19.7.2024, when a faulty update of a CrowdStrike software product caused outages globally on more than 8.5m Windows devices. Critical sectors such as hospitals, banks, airports and railways were also affected, with the losses running into billions.

General requirement for IT controls 

The damage caused by the CrowdStrike incident is a ready example of why IT controls are needed: it could have been avoided if the software updates had been tested at the customer enterprises before deployment. In that case, no faulty software would have been rolled out without further controls.

A second example: A managing director of a family enterprise with only around 60 employees was personally ordered to pay €800,000 in damages (ruling of the Nuremberg Higher Regional Court of 30.3.2022, case reference: 12 U 1520/19). He had failed to specify that the four-eyes principle had to apply to the officers holding a general power of attorney (Prokuristen) in respect of the fuel card management software.

Both examples stand for a lack of IT controls within the scope of an internal IT compliance management system (IT CMS). All too frequently, IT is still managed according to the motto: “It’s working, so it’ll be ok.”

Recommendation: If an IT CMS is in place and an infringement nevertheless occurs, it may be possible to exclude culpability (and thus liability for damages). This follows, in particular, from marginal no. 2.6 sentence 6 of the Administrative Regulations Governing the Application of the German Fiscal Code (Anwendungserlass zur Abgabenordnung, AEAO) relating to Section 153 of the German Fiscal Code.

Definition of an IT CMS

As part of the company-wide CMS, an IT CMS is based on a risk management system (RMS) to which, for example, the areas of tax, employment law and occupational health and safety also belong. Here, an IT CMS is understood to mean all the IT measures/controls, structures and processes that have been put in place in a company (or other organisation). The aim is to ensure conformity with regulations for IT-dependent matters, including legally binding and ethically based rules.

Requirements for an IT CMS

In this section, we briefly explain selected requirements that could strongly affect the implementation or operation of an IT CMS.

Replacement of the current ERP system

Experience shows that, in practice, nearly all ERP system changeovers (SAP, Navision, etc.) run over budget and behind schedule and fail to satisfy the regulatory requirements. This should be headed off via the internal control system (ICS) for the roll-out of IT systems, so that the new ERP system can be properly implemented, monitored, documented and subsequently operated.

Tightening up of legal requirements

The draft of the German Cyber Security Act (NIS2 Implementation and Cyber Security Strengthening Act) was adopted by the Federal Government on 24.7.2024 and is thus going through the legislative process.

Up to now, only the NIS1 Directive for ‘critical infrastructure’ had to be complied with. Under the new Act - which goes much further - a considerable number of companies will now be expressly required to implement, approve and monitor an RMS in the area of IT security. The delegation of these monitoring responsibilities away from the company’s management is expressly excluded here. Currently, a mechanical engineering company with more than 50 employees would, for example, fall within the scope of application. Research organisations and purely digital services, such as providers of online platforms, could likewise be covered.

Please note: Personal liability could arise, for instance, even in cases of software products developed in-house where compliance has not been ensured, for example, if in future these products are brought to market without the requisite CE marking.

Requirements that are passed on into the supply chain

Apart from the tightening up due to legislation and case law, an indirect obligation will arise that has a direct effect on customer acquisition and customer relationship management: more and more customers expect their suppliers to be able to show that they have a CMS.

If, in a specific case, a choice has to be made between two suppliers of which only one can show that it has an Information Security Management System (ISMS) in accordance with ISO/IEC 27001, then that supplier is likely to be the preferred option, because the ISMS can constitute evidence of important measures in the context of the IT CMS.

Please note: The same would apply if there is a choice of several cloud providers of which just one satisfies the C5 criteria catalogue (Cloud Computing Compliance Criteria Catalogue) published by the German Federal Office for Information Security (evidence for IT CMS).

Events likely to lead to damage and multiplication of damage

Every CMS should aim to identify events where there is a risk of damage and then analyse them, so that risk reduction measures can be taken in good time. Without appropriate measures, simple errors can result in extensive damage.

Practical example: A software provider with 10,000 customers enables e-invoices to be generated using its software. Some time later, the fiscal administration carries out audits at the first customers that have started using the software and takes the view that the software manufacturer has not complied with specific requirements under the German ‘Principles of Proper Keeping and Retention of Accounts, Records and Documents in Electronic Form and for Data Access’. For the software manufacturer the error is ‘multiplied’, because every customer will be able to assert a claim for recourse. The software manufacturer would have been well-advised to carry out an audit in accordance with auditing standard 880 of the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer, IDW), an independent external certification for IT CMS in respect of software development. The error would then have been identified at an early stage. Moreover, such a certificate would foster customer confidence and help with marketing by differentiating the company from other product suppliers.

Recommendation: Carry out an IT CMS Quick Check

Cyber and D&O insurance cover is not sufficient to mitigate the effects of an inadequate IT CMS and should at most be used as a flanking measure. To gain a first impression of the situation in a company, we instead recommend an IT CMS Quick Check. In this way, with a reasonable amount of effort, the management can get an overview of the status quo. Furthermore, it will be possible to provide guidance on which short-term measures can be taken to remedy the potential liability deficits.

The appropriate scope of an IT CMS Quick Check will ultimately depend on the individual case. In the course of this, there should be a particular focus on the issues that are presented below, like a checklist, in Table 2 under (1) – (8).
