Information Security

Information security is an essential component of risk management and aims to protect the confidentiality, integrity and availability of information. The focus is on identifying and assessing risks, implementing appropriate protective measures, and continuously monitoring and improving them to maintain a high level of security. Core areas of information security include IT and cyber security, in particular protecting information technology networks and systems against vulnerabilities and cyber threats. The field is characterized by a complex regulatory environment consisting of international and national standards and norms (e.g. ISO 27001, BSI IT-Grundschutz) as well as increasing legal regulation. In addition, there are strong links to other areas of law, such as data protection.


Overview of our Services

Risk Management & ISMS

The increasing legal regulation in the area of information security requires a variety of effective measures to protect the IT infrastructure. An information security management system (ISMS) based on internationally recognized standards (e.g. ISO 27001) establishes the procedures and rules within an organization that ensure the long-term security of information and its continuous improvement.

We are happy to advise you on the holistic introduction of information security management systems. This includes, inter alia, support with risk assessments as well as the selection and implementation of suitable security measures and processes, including support with the procurement and implementation of technical solutions (e.g. SIEM, IDS, EDR and XDR solutions as well as SOC services). We also act as an external point of contact in the context of review and certification audits.

Handling of Security Incidents

In recent years, the risk of companies falling victim to security incidents has increased dramatically. The main focus here is on ransomware attacks, in which the entire IT infrastructure of a company or even of an entire group of companies is encrypted. In such cases, the affected companies or groups typically face considerable ransom demands, fines and/or significant reputational damage. In the event of a cyber attack, it is therefore essential to act quickly: every hour that business processes are interrupted causes further damage to the affected companies.

We support the establishment of preventive measures and processes to effectively detect and handle security incidents. This includes, inter alia, the implementation of comprehensive incident response and business continuity plans. Should an organization fall victim to a cyber attack, we help with the incident and emergency response. We support compliance with legal reporting requirements and take over communication with regulatory authorities on your behalf. We also support the preparation and execution of internal and external communication with customers and other parties affected by the incident.

If needed, we can draw on an extensive network of specialized partners in connection with the aforementioned services. This includes, for example, services in the areas of vulnerability management (e.g. penetration testing, vulnerability scans), crisis communication and forensic investigation.

Scope Assessments and Gap Analysis

Against the background of the constant introduction of new European and national requirements, including comprehensive sector-specific requirements, companies are often faced with the challenge of properly identifying the scope of application and implementing the applicable requirements. We support companies in determining whether they fall within the scope of the respective legal requirements and in identifying gaps between their current IT security measures (actual state) and the legally prescribed requirements (target state). On the basis of such a gap analysis, we then work with the company to define specific implementation measures and support the implementation to close any existing gaps and ensure full compliance.

Supply Chain Security

Companies regularly use the services of external service providers. This applies, inter alia, to the operation and maintenance of their own IT infrastructure. Using service providers typically offers several benefits, as it saves internal resources and allows capacity to be scaled flexibly. In this context, companies often use external suppliers along their value chains who also have access to company-owned information and systems. Accordingly, the risk of cyber attacks via the supply chain (so-called supply chain attacks) is constantly increasing.

In the context of information security, it is essential to establish appropriate measures and processes for the use of external service providers. An essential measure is the conclusion of suitable contractual agreements that, above all, contain provisions ensuring proper security risk management (e.g. in the form of a security addendum to existing agreements). Depending on the applicable legal framework, companies are also subject to explicit legal requirements regarding the content of such contractual agreements (e.g. the provisions on ICT third-party service provider management in DORA). This covers, for example, the provider's use of the company's information and systems, the handling of security incidents and vulnerabilities, and the provider's liability in the event of damage. Accordingly, clear responsibilities and obligations must be included in the contractual agreements.

We advise on the implementation of suitable policies and concepts for the use of external service providers to ensure adequate protection within the supply chain. This includes, inter alia, conducting risk assessments of external suppliers as well as drafting and negotiating suitable contractual agreements with them.

Product Compliance

Digitalization is advancing constantly. As a result, the risk of cyber attacks exploiting security vulnerabilities in software and hardware products is also increasing. European legislators are responding with various legal requirements to ensure the security of certain software and hardware products. These include the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA), which contain various requirements for manufacturers, importers and distributors of the products covered. The CRA explicitly requires, inter alia, the implementation of a prescribed conformity assessment procedure, the creation of technical documentation and the handling of vulnerabilities, including the provision of security updates. These requirements already apply during design and development and extend across the life cycle of the individual product after it has been placed on the market. The parties involved may therefore have extensive obligations to ensure product security that they must comply with throughout development and the product life cycle.

We support the implementation of measures and processes to ensure compliance with the applicable legal requirements. This includes, inter alia, supporting risk assessments before covered products are placed on the market, conducting conformity assessment procedures and creating the technical documentation.

Critical Infrastructures

Operators of critical infrastructures (in the future: critical entities) are subject to extensive legal requirements for information security. These requirements are significantly tightened by the NIS2 Directive and the CER Directive. As a result, operators of critical infrastructures have specific obligations to ensure that the critical infrastructures they operate are and remain functional, since a failure or disruption of critical infrastructures can have significant consequences for the population. In terms of content, this concerns the implementation of specific security measures and processes (e.g. systems for attack detection), compliance with requirements when using certain security-relevant components, and compliance with obligations to provide evidence. Even below the critical infrastructure thresholds, a large number of companies and organizations are covered by sector-specific regulations and standards for information security that they must comply with. This applies, inter alia, to the energy, finance, telecommunications, automotive and health care sectors. We support companies in ensuring compliance with the applicable legal requirements and industry-specific security standards (e.g. B3S in Germany) as well as in communicating with the competent regulatory authorities.

Training of Employees and Management

An essential element of a functioning information security management system is the adequate training of one's own employees and management bodies in dealing with security risks. In addition, the training of employees and management bodies (for example in the area of cyber security) is increasingly stipulated as a statutory requirement.

We support the preparation and delivery of appropriate training for employees and management bodies. Our training courses are specifically tailored to the needs of our clients and the respective participants. We offer various formats and content, depending on our clients' preferences.

Cyber-Insurance

Cyber insurance is an important tool for absorbing the cost of losses arising from a cyber attack. It becomes relevant, inter alia, when the protective mechanisms in place have not worked effectively. It is important to ensure that the scope of cover provided by the selected cyber insurance is tailored to the company's specific situation and individual liability risk. Furthermore, it should be ensured that the company is insurable, i.e. that it fulfills the terms and conditions of the cyber insurance (e.g. by providing regular training of staff). If it does not, the worst case is that the insurance does not pay out. The legal expertise of our consultants helps to identify which services are actually covered and how to proceed in the event of an insurance claim.

Duties and Liability of Directors and Officers (D&O)

Information security is a management responsibility. It is therefore essential that the management properly approves and monitors the implementation of appropriate security measures. Management bodies that fail to fulfill these duties may face personal liability towards the company. At the same time, the company itself may face severe fines if legal requirements for information security are not met due to misconduct by the management.

We advise management bodies on the implementation of suitable measures and processes to comply with the legal management obligations, on taking out D&O insurance and, if necessary, on legal defense against claims asserted.

Litigation and Enforcement

Companies and organizations are increasingly exposed to liability risks in the area of information security. These may arise, for example, from cyber attacks or security vulnerabilities, which can result in serious damage and heavy fines.

We advise on the assessment and enforcement of liability claims. This includes, for example, the enforcement of recourse claims against service providers and against the management bodies of a company. The latter applies, for example, where the management bodies have failed to adequately approve and monitor compliance with the legal requirements for information security.

Another focus of our advice is on communication with supervisory authorities and defense against fines and other supervisory measures by the relevant regulatory authorities.

State of the Art

A central concept in information security is that of the "state of the art". Especially when introducing technical and organizational measures in the area of IT and cyber security, but also in data protection, the interpretation of this concept is of central importance and at the same time highly complex from a legal point of view. Both the European and the German legislator regularly refer to the "state of the art" as a decisive implementation requirement. It is therefore essential that companies and organizations properly align their measures and processes with the state of the art when implementing them in practice. We advise on various questions regarding the state of the art from an information security perspective.

Public Procurement

When procuring IT products and services, including IT security services, public clients face increasing challenges in relation to information security, as they must ensure compliance with the complex legal requirements in this area. At the same time, public clients have to find trustworthy and qualified IT (security) service providers that meet the high security standards and specific requirements. In addition, further challenges regularly arise (e.g. coordinating the various stakeholders within public administration and working within budget constraints). We therefore effectively support public clients in preparing and executing public tenders.

Labor and Works Constitution Issues

IT and cyber security are playing an increasingly important role in the context of labor and works constitution law. This particularly concerns the introduction of new digital (security) solutions, because the increasing use of digital technologies also increases the risk of cyber attacks, data loss and system failures. Employers must therefore ensure that all digital systems and processes are adequately secured against threats in order to protect sensitive company, customer and employee data. At the same time, the rights of employees and their representative bodies (e.g. works council, employee representation) must be safeguarded when introducing new digital (security) solutions. In addition, numerous other IT and cyber security issues may arise that are relevant in the context of labor and works constitution law (e.g. the implementation of IT security measures and policies). With our interdisciplinary team of experts, we support companies in all labor and works constitution law issues related to IT and cyber security.

Artificial Intelligence

Few topics are currently as prominent as the use of AI systems, which offer numerous opportunities and possibilities. However, the increasing prevalence of AI systems is also accompanied by a wide range of challenges in the area of information security. This concerns the IT and cyber security of the AI systems themselves, the use of AI to improve a company's security infrastructure, and the potential misuse of AI as an attack tool. The new EU AI Regulation has for the first time provided a harmonized legal framework that specifically addresses the security of AI systems. This framework must be aligned with existing legal requirements. Our team of experts provides comprehensive support to companies from an IT security perspective, from the development of AI systems through to their distribution, provision and use.

Current topics

NIS2-Directive

Overview of the EU-wide requirements for IT security.


Digital Operational Resilience Act (DORA)

Overview of the IT security requirements in the financial sector.


Cyber Resilience Act (CRA)

Overview of the IT security requirements for products with digital elements.


Excellent Expertise

Our team of advisors consists of internationally recognized experts with many years of experience in the field of IT and cyber security law.

Outstanding Specialisation

Our experts have internationally recognized certifications in the field of IT and cyber security (TÜV, ICO) and specialize in a range of industries and sectors.

Extensive Network

We are active in various industry associations and working groups in the field of IT and cyber security (e.g. Bundesverband für IT-Sicherheit e.V. - “TeleTrusT”, Free Software Foundation Europe). In addition, we have an extensive network of cooperation partners, consisting of technical IT security consultants and providers of technical security solutions.

Contact

Do you have any questions? Then please feel free to contact us.
