IT-CMS Quick Check
By having an IT compliance management system (IT CMS) in place, managing directors and companies can reduce the risk of being held personally liable for failures in the area of IT compliance.
Every SME has an obligation - ruling
The managing director of a family business with around 60 employees was personally ordered to pay EUR 800,000 in damages for failing to set up an internal compliance management system (CMS), specifically a four-eyes principle for critical processes and areas that could cause damage. This was despite the fact that the damage had been caused by a disloyal employee acting with criminal intent, who manipulated the internal software and booking system.
This ruling made people sit up and take notice, especially as it has been clear since this decision by the Higher Regional Court (OLG) of Nuremberg at the latest that practically every company must set up a compliance management system if management liability is to be avoided. The ruling reads as follows:
"From the duty of legality follows the obligation of the managing director to set up a compliance management system, i.e. to take organizational precautions to prevent the commission of legal violations by the company or its employees."
The ruling is based on Section 43 (2) GmbHG (similarly: Section 93 (2) AktG). The reference to the GmbH and the AG should not mislead: the provision is applied analogously to other company forms.
The decision of the OLG Nuremberg is not entirely surprising. For some time now, Section 130 OWiG has provided for a fine of up to EUR 1 million if supervisory measures are omitted "which are necessary to prevent infringements of obligations in the business or company".
Exemption from liability through a compliance management system
An internal control system (ICS) should be set up for IT systems because of the GoBD (principles for the proper management and storage of books, records and documents in electronic form and for data access), which are relevant for practically every company. The use of accounting systems such as SAP or DATEV is common. Nevertheless, the use of these systems must be properly implemented, monitored and adequately documented. If such internal control systems are in place, this can exclude culpability (and thus liability for damages) in the event of a breach of law that occurs nonetheless. For example, No. 2.6 sentence 6 AEAO to Section 153 AO states that
"If the taxpayer has set up an internal control system that serves to fulfill tax obligations, this may, if necessary, constitute an indication that may speak against the existence of intent or recklessness, ..."
According to the BGH (judgement of 09.05.2017, Ref. 1 StR 265/16), a proper compliance management system can also have a liability-reducing effect if a fine is to be imposed for violations that have nevertheless occurred:
"For the assessment of the fine, it is also important to what extent [the company] ... has installed an efficient compliance management system that [is] designed to prevent legal violations".
When setting up a compliance management system, it is important that it is a serious system that is actually "lived" in day-to-day operations, not merely documented.
Increasing tightening of laws
The requirement for a compliance management system follows from a growing number of legal regulations:
For example, Section 38 BSIG-E, which is planned to implement the current NIS2 Directive, explicitly requires certain companies (so-called "important entities") to establish, approve and monitor a cyber security risk management system. Delegating these monitoring tasks away from the management is expressly prohibited. Regular, personal training of the management is also prescribed. Any waiver of recourse against managing directors, e.g. in the managing director's service contract, is null and void.
The companies covered by the implementation of this NIS2 Directive and the BSIG-E are defined in extensive annexes. For example, a mechanical engineering company that manufactures milling machines or certain other machine tools is currently covered if it has more than 50 employees or, alternatively, if its annual turnover and annual balance sheet exceed EUR 10 million. The same applies to manufacturers of light bulbs, wristwatches, electric motors, USB cables, refrigerators, bicycles and many more. Research and purely digital services may also be covered, e.g. providers of online marketplaces, i.e. platforms that "bring together" suppliers and buyers.
A similar situation arises from Art. 5 DORA (Digital Operational Resilience Act) for companies in the financial sector, in which the following can be read: "The governing body has ultimate responsibility for the management of ICT risks". "ICT" stands for information and communication technologies.
Personal liability can also arise, for example, if products are not compliant, such as if they are placed on the market without the necessary CE marking. In this respect, reference should be made to the upcoming Cyber Resilience Act (CRA), according to which almost all software will have to bear a CE mark from 2027. At the same time, criminal offenses are often relevant here, which under German criminal law always relate to natural persons, i.e. to the management or other actors, but never to the company.
Passed-through requirements in the supply chain
In addition to the tightening of legislation and case law, there is an indirect obligation that has a direct impact on customer acquisition and customer relationships. An increasing number of customers will demand that their suppliers have an adequate compliance management system or risk management system, either out of concern for their own liability or because of legal requirements that apply to them. In some cases, this requirement may have been imposed on them by their own customers for the entire supply chain.
For example, a company may not be directly covered by the NIS2 Directive or the German BSIG-E. However, as an automotive supplier, the company's customer may require compliance with and proof of various requirements. In this respect, even more far-reaching standards may be relevant. In the example from the automotive sector, UNECE regulations R155 and R156 stipulate the establishment of a "Cybersecurity Management System" (CSMS) or a "Software Update Management System" (SUMS), whereby it is important that the suppliers can also provide corresponding proof of IT security. For the suppliers concerned, it may then be a good idea to have a separate cybersecurity management system in accordance with ISO/SAE 21434 and a software update management system in accordance with ISO 24089 - or at least individual measures from these. So if you want to retain customers and win new ones, you are increasingly required to be able to demonstrate measures in the areas of compliance management systems and risk management.
Conversely, it may be important for companies to ensure that they have an adequate compliance system and sufficient safeguards when selecting their own suppliers and service providers, in view of the above-mentioned aspect of liability exemption. As an individual audit of these arrangements with suppliers is generally impractical or can only be carried out for particularly critical suppliers, voluntary certification and voluntary compliance with standards will become increasingly important. If, for example, only one of two potential suppliers can demonstrate an Information Security Management System (ISMS) in accordance with ISO/IEC 27001, this supplier should be preferred. The same will apply if there are several cloud providers to choose from, only one of which meets the BSI's C5 criteria catalog (Cloud Computing Compliance Criteria Catalog).
In certain areas, it will even be mandatory in future that only products with so-called cyber security certification in accordance with EU schemes may be used.
Cyber and D&O insurance alone does not help
It is advisable to take out cyber insurance and D&O insurance for the benefit of the management and the company. However, it needs to be considered very carefully whether this actually provides sufficient protection. As a rule, there is no cover for intentional conduct. Intent can quickly be assumed, however, if the management has not set up and monitored a compliance management system or a risk management system despite the now clear legal requirements. Likewise, insurance can hardly provide any relief in the event of criminal offenses.
Damaging events and multiplication of damage
In addition to avoiding management liability, a compliance management system or risk management system should be able to identify processes that could cause damage, so that precisely these processes can be checked and monitored for damage risks and damage can be kept away from the company. Without such measures, simple mistakes can result in massive damage.
A practical example: A company has imported a certain office product from China and sold it en masse in Germany for EUR 1 per item. After two years, the owner of a design registered in Germany comes forward and demands compensation and the destruction of all of the office supplies, millions of which have been sold in the meantime. For a single office product, the damage is minimal. The problem arises from the "multiplication" of the damage across the mass-marketed articles. The conflicting design right would have quickly become apparent during a summary review of the design register.
Another example: A software provider with a healthy 10,000 customers enables the processing of the new e-invoices coming from 2025 via its software. Some time later, the tax authorities audit the first customers and reject the invoices because the software manufacturer has not complied with certain GoBD requirements. For the software manufacturer, a simple error is now "multiplied" considerably, because every affected customer will claim recourse. It would also have made sense for the software manufacturer to have an audit carried out in accordance with IDW PS 880. On the one hand, the error would then presumably have been noticed at an early stage. On the other hand, such a certificate builds trust with customers and helps with advertising and marketing in order to stand out from other products. If companies subject to mandatory audits use the software, such a certificate can even be a decisive factor when selecting a software provider.
IT-CMS Quick Check
A first impression of the situation in the company can be gained via our IT-CMS Quick Check. This enables companies and the personally liable management to obtain an initial overview of the status quo with manageable effort, i.e. what basic measures need to be taken and what obvious deficits exist, and therefore what general liability potential exists. As a rule, the IT-CMS Quick Check is combined with a workshop. The areas covered by such a Quick Check depend on the specific circumstances and needs of the company and are determined in advance. The focus can be on the following areas, among others:
Access protection: among other things, are sufficient procedures for assigning rights applied for the applications, and are administrator ("super user") rights assigned restrictively and on a need-to-know basis?
Change management: Are changes made to programs tested in a traceable manner, or is reliance placed on the input of service providers without complying with the legal obligation to provide evidence?
Digital transformation: Many central financial applications (ERP) currently face the challenge of a system change (SAP, Navision, etc.), as earlier versions are no longer supported by the software manufacturers. The introduction of a new ERP solution affects the entire financial IT backbone, is not the company's daily business, but is essential to ensure that business processes can be operated without errors in the future. These projects carry a very high risk (70 % to almost 100 %), so the question arises: does the company have experienced, independent experts available in addition to the service providers?
Basic IT processes: E.g. the emergency concept including backup, or system jobs with mass processing, are often not considered in detail, but are crucial given today's level of digitization. Are these processes regularly checked for robustness?
Data protection. Example: Are the reporting channels in the company set up in such a way that data breaches and other reportable events are reported to the responsible supervisory authority within 72 hours at the latest (in the case of the GDPR)? Late reporting is, among other things, subject to fines under the GDPR.
Resilience: Have sufficient service level agreements (SLAs) been concluded with service providers to avoid availability gaps in the company's own, possibly critical, services? May data be transferred to the integrated service providers at all, or would this breach confidentiality agreements, confidentiality obligations or data protection law?
License compliance. Example: Is a license management system established in such a way that third parties cannot obtain injunctive relief against the company's own products because of undetected license gaps (including in license chains)?
Cybersecurity setup: For example, is sufficient cyber insurance in place, and have measures been taken to minimize the scope of incidents that do occur?
Product compliance: Have basic requirements for the design of the company's own goods and services been met, e.g. to avoid official prohibitions and liability towards customers in this regard?
Please also refer to the publication: Hötzel / Völkl, Avoidance of liability cases by means of IT-CMS, Zeitschrift für Bilanzierung, Rechnungswesen und Controlling (BC), 9/2024
Status: 17.07.2024