As the digitalisation of processes and the complexity of the IT landscape increase, so does the risk of cyber attacks. The Federal Office for Information Security has identified ransomware cyber attacks as the main IT security threat for companies and public authorities in Germany.
The statistics of the losses from data theft, industrial espionage and sabotage in Germany in 2023 alone (source: Statista) paint an alarming picture: the overall losses amount to more than 200 billion euros, with reputational damage (35 billion euros), breakdown of/damage to IT systems and operational downtimes (35 billion euros) and the cost of legal disputes (30 billion euros) being the biggest contributors.
A global survey in 2023 revealed that around 58 per cent of the companies surveyed in Germany had at least once been the victim of a cyber attack. On average, around 53 per cent of the surveyed companies in the various countries stated they had experienced at least one cyber attack in the past 12 months.
Luther’s multi-disciplinary cyber security and data protection practice helps clients address cyber security risks and manage attacks. Our team, consisting of over forty experts, can handle all challenges faced by our clients in the areas of cyber security, incident response, data protection and, where applicable, embedded AI. As experienced “cause (or cyber) coaches”, we provide practical, technical and operational advice during and after ransomware and other cyber attacks. With our first-hand experience, we operate at the interface between technology, cyber security and data protection on behalf of our clients.
Our advisory services can be divided into four areas:
Cyber incident prevention (cyber audits to develop an understanding and create awareness, documentation, training courses), (crisis) response to cyber incidents (launching an emergency plan, securing relevant assets, involving the emergency team, communicating B2B and with public authorities, etc.), pursuing claims and litigating to enforce claims (ensuring compliance with personnel and technical requirements, insurance, etc.), and regular audits to ensure processes and systems are futureproof.
The legal IT security requirements change continuously and may differ from industry to industry. They are not only determined by statutory law, but also by industry-specific security standards, technical standards, contractual relations and liability risks. Our experts in IT security law can identify the legal requirements applicable to your company, and also what action needs to be taken with regard to those requirements. Thanks to our knowledge of the industry and our understanding of complex corporate structures, we know that the legal requirements must be implemented in a reliable yet pragmatic manner to allow your company to grow in times of digital transformation.
Our cyber security audit comprises a comprehensive range of advisory services for the performance of a legal assessment of the processes and systems currently in place at your company to secure your company’s data. The implementation of technical, operational and organisational IT security measures is important to adequately protect your company from damage by cyber attacks. We can support you throughout this process, from initial gap analysis to the implementation of policies, instructions for action, training courses and other legal, operational and organisational measures. Through our network of experts, we also maintain connections with technical consultants, who can assist with the identification and implementation of technical measures.
The protection of personal data is closely related to the implementation of legal IT security requirements. This is because cyber incidents often involve personal data, which, in turn, gives rise to special obligations regarding how to deal with such incidents. Conversely, cyber security is always also a means of protecting personal data. As a result, in particular the implementation of technical and organisational measures can produce a synergy effect between cyber security and data protection.
Cyber incidents may result in heavy fines or other regulatory measures being imposed by (data protection) supervisory authorities. Our specialised team can, therefore, also advise you when communicating with supervisory authorities and with regard to how to defend against regulatory measures, in and out of court.
Further information about our range of advisory services related to implementing the requirements of data protection law is available here.
Recent new regulations at European level place particular emphasis on supply chain security. The companies concerned are required to ensure IT security also within their supply chains. Against this background, our team of experts develops effective strategies to protect your company from cyber risks in the supply chain.
Some of the new cyber security regulations also cover products with digital components. To protect users from cyber risks, manufacturers must take cyber security into account as early as the design and development stage of such products. Our specialised team can assist you in this respect throughout the product cycle, from development to approval and certification, distribution and, where applicable, compliance with requirements during the product lifecycle.
In the financial and insurance sectors, national industry-specific regulations on regulatory requirements for IT and IT outsourcing have been in place for several years now, in particular in the form of supervisory notices (Supervisory Requirements for IT in Financial Institutions - BAIT, Supervisory Requirements for IT in Insurance Undertakings - VAIT, Minimum Requirements for Risk Management - MaRisk, Minimum Requirements under Supervisory Law on the System of Governance of Insurance Undertakings - MaGo, EBA Guideline on Outsourcing Agreements, Guidance on Outsourcing to Cloud Service Providers, etc.). The Digital Operational Resilience Act (DORA) is the first EU-wide uniform legal framework for effective cyber security and information and communication technology (ICT) risk management in the financial sector. DORA aims to strengthen the resilience and security of the entire European financial sector, as well as creating uniform and consistent requirements for the financial sector in terms of cyber security, ICT risks and digital operational resilience. Important fields of action include ICT governance, ICT risk management, ICT incident management, digital operational resilience testing and ICT third-party risk management. Working in interdisciplinary teams, we have been supporting the financial sector for many years in its digital transformation, including providing holistic advice on the implementation of the regulatory requirements for IT security and related compliance requirements.
Cyber incidents cannot always be prevented by taking preventive measures. Attackers manage to penetrate IT systems by exploiting undiscovered vulnerabilities or human error. Our experts in the fields of data protection and IT security law can provide immediate, competent support in the event of a cyber incident, for example, by assisting your company with the implementation of statutory reporting requirements and when communicating with public authorities and stakeholders.
Cyber attacks frequently lead to complex claims situations involving multiple parties within the (often international) supply chain.
A cyber attack can cause significant damage and huge financial losses, from the cost of restoring the IT systems to normal use to damage to the company’s reputation and loss of profits. You may be able to assert claims for damages against other parties involved, such as service providers, manufacturers and many others, provided they are partly responsible for the cyber incident.
Your company may also, however, be subject to third-party claims for breach of contract, for example, if business processes can no longer be adhered to as a result of the cyber attack. Customer data may also be affected by the attack. There may even be a risk of mass claims due to data breaches, which are becoming more frequent.
Our Complex Disputes experts work with you to develop the ideal litigation strategy for each particular case, so that complex disputes in such claims situations can be resolved efficiently before (arbitration) courts and out of court, claims against your company can be defended, claims against third parties can be secured, and the best possible outcome is achieved for you.
Legal requirements will continue to change on an ongoing basis and differ from industry to industry. This concerns statutory law as well as industry-specific security standards, technical standards, contractual relations and liability risks. Our “futureproof processes and systems” audit comprises a comprehensive range of advisory services for the performance of regular legal checks on the processes and systems your company has in place at any given time to secure your company’s data. In these regular audits, we focus on gap analyses and also give recommendations for the implementation of policies, instructions for action, training courses and other legal, operational and organisational measures.
Implementation projects in the field of IT security are often highly complex and require a combination of various legal and other external competencies. Our experience has shown that in order for legal work to be carried out effectively and in a timely manner in such projects, the projects must be recorded, planned and managed in line with the company’s goals and in consultation with the stakeholders.
We ensure this happens by employing specialists with the relevant know-how to work at the interface between content and organisation and perform the following project-supporting tasks as controllers: (continuous) evaluation and definition of transformation goals and requirements; legal project organisation and management of all internal and external resources involved in the project; project planning (defining work packages, resources, input and output formats); project control (transparent open issues, risks, times and expenditures); and project communications (exchange of information, jour fixe management and documentation).
We regard legal project management as an important discipline and task that can and should be performed by legal project managers with specialised legal knowledge, rather than by lawyers. This ensures you get a highly cost-effective approach for each area of expertise.