The increasing legal regulation in the area of information security requires a variety of effective measures to protect the IT infrastructure. An information security management system (ISMS) based on internationally recognized standards (e.g. ISO 27001) contains the setup of procedures and rules within an organization to ensure the long-term security of information and to continuously improve it

We are happy to advise you on the holistic introduction of information security management systems. This includes, inter alia, support with risk assessments as well as the selection and implementation of suitable security measures and processes, including support with the procurement and implementation of technical solutions (e.g. SIEM, SOC, IDS, EDR, XDR services). We also support in the context of review and certification audits as an external point of contact

In recent years, the risk for companies of falling victim to security incidents has increased dramatically. The main focus here is on ransomware attacks, in which the entire IT infrastructure within a company or even an entire group of companies is encrypted. In this case, the affected companies or groups of companies regularly face considerable ransom demands, fines and/or significant reputational damage. In the event of a cyber attack, it is therefore essential to act quickly. Every hour that business processes are interrupted causes further damage to the affected companies.

We support in establishing preventive measures and processes to effectively detect and handle security incidents. This includes, inter alia, the implementation of comprehensive incident response and business continuity plans. Should an organization fall victim to a cyber attack, we will help with the incident and emergency response. We support in complying with legal reporting requirements and take over communication with regulatory authorities on your behalf. We also support in preparing and carrying out internal and external communication with customers and other parties affected by the incident.

If needed, we can draw on an extensive network of specialized partners in connection with the aforementioned services. This includes, for example, the provision of services in the areas of vulnerability management (e.g. penetration testing, vulnerability scans), crisis communication and forensic investigation.

At the background of the constant integration of new European and national requirements, including comprehensive sector-specific requirements, companies are often faced with the challenge of properly identifying the scope of application as well as implementing the applicable requirements. We support in determining whether a company falls within the scope of the respective legal requirements as well as identifying potential gaps with respect to a company's current IT security infrastructure (actual state) with the legally prescribed requirements (target state). On the basis of such gap-analysis, we then work with the company to define specific implementation measures and support during the implementation to close any existing gaps to ensure full compliance.

Companies regularly use the services of external service providers. This applies, inter alia, to the operation and maintenance of their own IT infrastructure. Using services providers regularly provides multiple benefits as it saves on internal resources and allows capacities to be scaled flexibly. In this context, companies often use external suppliers along their value chains, who also have access to company-owned information and systems. Accordingly, the risk of cyber attacks via the supply chain (so-called supply chain attacks) is constantly increasing.

In the context of information security, it is essential to establish appropriate measures and processes for the use of external service providers. An essential measure is the conclusion of suitable contractual agreements, which above all contain provisions to ensure proper security risk management (e.g. in the form of a security addendum to existing agreements). Depending on the applicable legal framework, companies are also subject to explicit legal requirements regarding the content of such contractual agreements (e.g. see the provisions on ICT third-party service provider management in DORA). This concerns, for example, the use of a company's own information and systems, the handling of security incidents and vulnerabilities as well as the liability of the service provider in the event of damages. Accordingly, clear responsibilities and obligations must be included in the contractual agreements.

We advise on the implementation of suitable policies and concepts for the use of external service providers to ensure adequate protection within the supply chain. This includes, inter alia, conducting risk assessments when using external suppliers as well as drafting and negotiating suitable contractual agreements with them.

The digitalization is constantly advancing. As a result, the risk of cyber attacks due to security vulnerabilities in software and hardware products is also increasing. European legislators are responding to this with various legal requirements to ensure the security of certain software and hardware products. This includes the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA), which contain various requirements for manufacturers, importers and distributors of the products covered. The CRA explicitly includes, inter alia, the implementation of a prescribed conformity procedure, the creation of technical documentation and the handling of vulnerabilities, including the provision of security updates. These requirements already apply during the design and development and also extend to the life cycle of the individual product after it has been placed on the market. In this respect, the parties involved may therefore have extensive obligations to ensure product safety, which they must comply with during the relevant development and life cycle.

We support in implementing measures and processes to ensure compliance with the applicable legal requirements. This includes, inter alia, supporting in conducting risk assessments when placing the covered products on the market, in conducting conformity procedures and in creating the technical documentation.

Operators of critical infrastructures (in the future: operators of critical entities) are subject to extensive legal requirements for information security. These requirements are significantly tightened by the NIS2 Directive and the CER Directive. As a result, operators of critical infrastructures have specific obligations to ensure that the critical infrastructures they operate are and remain functional. Otherwise, the risk of failure or disruption of critical infrastructures can have significant consequences for the population. In terms of content, this concerns the implementation of specific security measures and processes (e.g. implementation of systems for attack detection), compliance with requirements when using certain security-relevant components as well as compliance with obligations to provide evidence. Even below the critical infrastructure thresholds, a large number of companies and organizations are covered by sector-specific regulations and standards for information security, which they must comply with. This applies, inter alia, to the energy, finance, telecommunications, automotive and health care sectors. We support companies to ensure compliance with the applicable legal requirements and industry-specific security standards (e.g. B3S in Germany) as well as with communicating with the competent regulatory authorities.

An essential element of a functioning information security management system is the adequate training of one's own employees and management bodies in dealing with security risks. In addition, the training of employees and management bodies (for example in the area of cyber security) is more and more often stipulated as a statutory requirement.

We support in preparing and conducting appropriate training for employees and management bodies. Our training courses are specifically tailored to the needs of our clients and the respective training participants. In this respect, we offer various formats and content, depending on our clients‘ personal preference.

Cyber insurances are an important tool for absorbing the cost of any losses arising from a cyber attack. This becomes relevant, inter alia, if implemented protective mechanisms have not worked effectively. It is important to ensure that the scope of services provided by the selected cyber insurance is tailored to the company's specific situation and individual liability risk. Furthermore, it should be ensured that the company is insurable, i.e. that it fulfills the respective terms and conditions of the cyber insurance (e.g. by providing regular training of staff). If it does not, the worst case scenario is that the insurance does not pay out! The legal expertise of our consultants helps to identify which services are actually covered and how to proceed in the event of an insurance claim.

Information security is a matter for the management. It is therefore essential for the management to properly approve and monitor the implementation of appropriate security measures. Management bodies that fail to fulfill these duties may therefore face personal liability to the company. At the same time, the company itself may face severe fines if legal requirements for information security are not met due to misconduct by the management.

We advise management bodies on the implementation of suitable measures and processes to comply with the legal management obligations, on taking out D&O insurance and, if necessary, on legal defense against claims asserted.

Companies and organizations are increasingly exposed to liability risks in the area of information security. These may arise from cyber attacks or security vulnerabilities, for example, which can result in serious damage and heavy fines.

We advise on the assessment and enforcement of liability claims. This includes, for example, the enforcement of recourse claims against service providers and against the management bodies of a company. The latter applies, for example, if the management bodies fail to adequately approve and monitor compliance with the legal requirements for information security.

Another focus of our advice is on communication with supervisory authorities and defense against fines and other supervisory measures by the relevant regulatory authorities.

The central concept in information security is that of the “state of the art”. Especially when introducing technical and organizational measures in the area of IT and cyber security, but also of data protection, the interpretation of this concept is of central importance and at the same time highly complex from a legal point of view. In this respect, both the European and the German legislator regularly refer to the “state of the art” as a decisive implementation requirement. It is therefore essential that companies and organizations properly assign these to the state of the art when implementing appropriate measures and processes in practice. We are advising on various questions regarding the state of the art from an information security perspective.