Cybersecurity as a Management Responsibility: When Are Corporate Directors Liable for “Hacker Attacks”?

In modern corporate governance, the question is no longer whether a company will be targeted by cybercriminals, but only when this will happen. The number of successful cyberattacks is also increasing. For managing directors (GmbH), executive board members, and supervisory board members (AG), this brings a topic into focus that extends far beyond the IT department alone: personal liability for deficiencies in cybersecurity.

1. The Legal Starting Point: Organizational Duties Without a “Blueprint”

Although Austrian law does not provide specific technical guidance for the required IT infrastructure within a company, it clearly establishes organizational duties. A corporate director bears the fundamental responsibility for ensuring that tasks at subordinate levels are carried out according to clear rules and that compliance with these rules is regularly monitored. This also applies to the IT sector. While directors are not required to personally master every technical process, they are obligated to establish appropriate processes and employ qualified, trustworthy personnel.

2. The Internal Control System (ICS) as a Protective Barrier Against Cyber Fraud

A central legal obligation is the establishment of an internal control system (ICS) pursuant to Section 22 Austrian Limited Liability Company Act (GmbHG) or Section 82 Austrian Stock Corporation Act (AktG). The ICS encompasses all coordinated methods and measures within a company designed to safeguard assets, ensure the accuracy and reliability of accounting data, and support compliance with prescribed business policies. Its primary purpose is financial reporting and ensuring that a company’s financial status is presented transparently and comprehensibly.

A functioning ICS includes, for example:

  • reporting lines,
  • the four-eyes principle,
  • segregation of duties,
  • as well as clear authorization limits (payment thresholds).

In the context of cyberattacks, the “human factor” is becoming increasingly important, particularly in cases involving social engineering, spoofing, or deepfakes. With regard to accounting-related functions and payment transactions, corporate directors are required to exercise a heightened level of vigilance. Accordingly, the establishment of an appropriate internal control system (ICS) is also a key component of effective protective measures against such cyberattacks.

Liability trap: If a managing director culpably fails to establish an appropriate internal control system (ICS), they are liable to the company for any resulting damages. However, if errors are nevertheless committed by employees despite a properly implemented system, this does not automatically result in personal liability for the managing director.

3. IT Compliance

In addition to the ICS, an effective compliance management system (CMS) is also indispensable in defending against liability consequences in connection with cyberattacks. It serves not only to prevent damage and liability, but, in certain cases, may also protect against criminal consequences in the event of an incident.

  1. Corporate criminal law (VbVG): Fines for criminal offences committed by employees may be reduced if the company can demonstrably show that it has implemented preventive measures to avoid such offences (Section 5(3)(1) Austrian Corporate Criminal Liability Act – VbVG).
  2. Administrative criminal law: In administrative law as well, compliance systems serve to reduce or even eliminate a company’s own exposure to sanctions or liability risks. An effective compliance system can, for example, not only protect the person responsible for administrative offences within the meaning of Section 9 VStG from penalties, but also shield the company from joint liability under Section 9(7) VStG.
  3. GDPR sanctions: In the event of data breaches, fines of up to EUR 10 million or 2% of global annual turnover may be imposed. However, the implementation of appropriate technical and organisational measures (TOMs) pursuant to Article 32 GDPR may lead to exculpation (relief from liability) of the controller.

4. Specific legal foundations for IT organisation

For certain companies, additional specific obligations regarding IT organisation also apply:

  • NIS-2 Directive and NISG 2026: As early as 2018, the Austrian Network and Information Security Act (NISG) introduced initial comprehensive rules for sectors such as energy, banking, and healthcare. With the new NIS-2 Directive and its implementation in Austria through the Network and Information Systems Security Act 2026 (NISG 2026), the scope of application will be significantly expanded as of 1 October 2026. In Austria alone, several thousand companies will be affected, for which cybersecurity compliance (including information security management systems) will gain a fundamentally new level of importance.
  • Regulated entities in the financial sector: For credit institutions, insurance undertakings, and payment service providers, strict special statutory provisions on IT security have already been in place for several years (e.g. Section 39(2b) Austrian Banking Act – BWG, Section 110(2) Insurance Supervision Act 2016 – VAG 2016, or Section 85 Payment Services Act 2018 – ZaDiG 2018). These entities are required to establish effective risk management systems to limit “operational risks” – i.e. losses resulting from the failure of internal systems or human error.

5. Digital duty of care: The “Business Judgment Rule” in IT

For non-regulated companies—i.e. those not subject to specific legislation such as the NIS-2 Directive or sector-specific statutory requirements—the legal framework regarding IT security appears at first glance less explicit, but is nonetheless binding. Even though neither the Austrian Limited Liability Companies Act (GmbHG) nor the Stock Corporation Act (AktG) contains specific provisions dedicated to IT, managing directors are still required to ensure that the company identifies risks and mitigates them to the greatest extent possible.

Since the possibilities for IT security measures are virtually unlimited, the question arises as to the required standard of care. This is where the Business Judgment Rule (BJR) applies (Section 25(1a) GmbHG, Section 84(1a) AktG). A managing director is not liable for entrepreneurial decisions if they:

  • act on the basis of adequate information,
  • do not pursue extraneous or improper interests,
  • and act in good faith in the best interests of the company.

The complete failure to implement necessary digitalisation measures may, under certain circumstances, be regarded as a breach of the duty of care. Corporate directors are required to actively monitor technological developments and make use of digital innovations in order to ensure both the competitiveness and the security of the company.

Important for practice: A managing director does not need to be an IT expert, but must obtain an adequate informational basis by involving qualified individuals (including external experts where necessary). From a liability perspective, an incomplete risk analysis is critical in this regard – for example, if only the web shop is assessed, but not the internal network or internal risks posed by employees, the decision is not made on the basis of adequate information.

6. Unjustifiable decisions

Liability is particularly likely in cases of unjustifiable decisions. These include, among others:

  • Ignorance: the deliberate disregard of known security vulnerabilities after a risk assessment has already been carried out.
  • Refusal of budget allocation: where funding is denied for simple, low-cost but highly effective measures such as multi-factor authentication (MFA), regular backups, or employee training.
  • Delegation errors: assigning security responsibilities to clearly unsuitable or unqualified employees.

7. Cyber insurance: only part of the solution

Cyber insurance is a useful complement to mitigate financial consequences (e.g. business interruption, data recovery costs). However, it is not a substitute for a technical security concept. Corporate directors cannot simply “outsource” the risk; the obligation to proactively secure the company remains in place.

8. Conclusion and recommendations for action

A successful cyberattack does not automatically result in liability. The law does not require 100% security, but it does require appropriate protection. This must correspond to the state of the art and the size of the company. Particularly critical is inaction in the face of obvious risks.

9. Checklist for managing directors

  • Regular risk assessments: When was the entire system (including internal threats) last reviewed by specialists? Have the findings and lessons learned from the previous risk assessment been implemented?
  • State of the art: Do firewalls, encryption methods, and authentication mechanisms (MFA) comply with current standards?
  • Employee awareness: Are regular trainings conducted on phishing, fake president fraud, and ransomware?
  • Emergency management: Is there an up-to-date disaster recovery plan in place to enable rapid data restoration?

Do you need support?

If you’d like support with this topic, feel free to get in touch with LEUKOS. We support you:

  • to minimise your liability risk by helping you prepare and document decisions on IT security measures in a way that meets the strict requirements of the Business Judgment Rule,
  • to establish a tailored internal control system (ICS) and/or compliance management system (CMS), and
  • to support well-founded risk analyses of your IT infrastructure from a legal perspective, in order to create an appropriate information basis for your management decisions.

Managing Director Liability – Business Judgment Rule

Managing directors constantly face critical business decisions that shape the success of their companies. The economic outcome of these decisions is often uncertain by nature. Investments, strategic realignments, and everyday business operations all involve both opportunities and risks. Effective risk management and well-informed decision-making are therefore essential for sustainable business growth and long-term corporate success. Austrian corporate law recognizes this business reality and does not hold managing directors liable for every incorrect decision. Instead, it provides an important legal safeguard: the Business Judgment Rule.
This principle clarifies that liability does not depend on whether a business decision ultimately leads to economic success or failure. Rather, the decisive factor is how the decision was made.

Corporate Criminal Liability: Preconditions to hold companies liable – and how to minimize risks

Companies are increasingly exposed to criminal investigations. Under Austria’s Corporate Criminal Liability Act (Verbandsverantwortlichkeitsgesetz – VbVG), criminal responsibility is no longer limited to individuals. Companies themselves may be held liable for criminal offences committed within their organization. For managing directors, shareholders and compliance officers, understanding the scope of corporate criminal liability is essential in order to manage legal, financial and reputational risks effectively.

Dr. Paul Krepil

Partner | Attorney at Law

Paul Krepil is an attorney at law and partner at LEUKOS Attorneys at Law. His practice focuses on litigation, white-collar crime and (international) arbitration. He has 10 years of experience acting as counsel and defense attorney in cross-border cases. In addition, he has been repeatedly recommended as a Key Lawyer by the renowned legal guide Legal500.

“Paul Krepil was incredibly well prepared and always kept everything together.” – Legal500 (2024)

“Paul Krepil knows the case in depth, quick and useful responses. He typically knows even minor details by heart.” – Legal500 (2023)

Professional Background

  • since 2025: LEUKOS Attorneys at Law
  • 2021 – 2025: Cerha Hempel
  • 2016 – 2021: Wolf Theiss

Education

  • University of Vienna (Dr.iur. and Mag.iur.), Austria
  • University of Edinburgh, Scotland

  • Representing a global tech company in mass proceedings concerning alleged GDPR violations.
  • Successfully defending a real estate entrepreneur in criminal proceedings, resulting in an acquittal on all charges including aggravated fraud, fraudulent insolvency and accounting fraud.
  • Strategically resolved a mass claim litigation involving over 120 claims through a combination of successful court proceedings and favorable settlements for the client.
  • Representing a financial institution in enforcement proceedings related to an arbitration award exceeding EUR 200 million.
  • Providing legal advice in enforcement proceedings arising from a multi-million-euro investment arbitration.

  • Cybercrime und inländische Gerichtsbarkeit (ecolex 2025)
  • Schutzmaßnahmen als Haftungsminimierung für Unternehmen und ihre Organe in Brewi/Royer (Hrsg.), Praxishandbuch Cybercrime (Linde 2025)
  • Obstructing Arbitral Proceedings at Their Beginning: A Bumpy Road (Not) to Take in Austrian Yearbook on International Arbitration 2024 (Manz 2024, co-author)
  • Regular presentations and courses on contract law at the academy for law and taxes – “Einführung in das Vertragsrecht” (ARS)
  • Litigation & Dispute Resolution, 2024, 17th Edition, Austria, International Comparative Legal Guide (ICLG 2024; co-author)
  • The Banking Litigation Law Review – Austrian Chapter, 5th Edition (Law Business Research 2021; co-author)
  • Class & Group Actions 2019: International Comparative Legal Guide, 11th Edition (ICLG 2019; co-author)
  • Foreign Investments in Austria, ABA Section of International Law, Issue 17, August 2018 (co-author)
  • Global Legal Insights – Bribery & Corruption: Austrian Chapter (GLI 2018; co-author)
  • The Class Action Law Review – Austrian Chapter, 2nd Edition (Law Business Research 2017; co-author)

Team

Mag. Claudia Brewi

Partner | Attorney at Law

Claudia Brewi is an attorney at law and partner at LEUKOS Attorneys at Law. Her core practice areas include white-collar crime, cybercrime, litigation and compliance. She has extensive experience as defense or victim’s counsel in complex white-collar cases as well as representing clients in civil disputes with an economic and corporate nexus. In addition, she is a founding and board member of the Austrian White Collar Crime Association (AWCCA).

Professional Background

  • since 2025: LEUKOS Attorneys at Law
  • 2021 – 2025: Paulitsch Law
  • 2017 – 2021: Wolf Theiss

Education

  • University of Vienna (Mag.iur.), Austria
  • University of Oslo, Norway

  • Advising and representing a tax advisor in complex civil proceedings concerning alleged damages in the millions due to alleged incorrect advice; several (partly already legally binding) dismissals of claims were achieved.
  • Successful criminal defense of an entrepreneur from the real estate industry with acquittal on all charges (allegations including aggravated fraud, fraudulent insolvency and accounting fraud).
  • Representation of victims of large-scale crypto fraud cases in Austria, Germany and Switzerland.
  • Acting on behalf of an international IT company as a private party in connection with multi-million-euro damages arising from embezzlement and money laundering.
  • Online presentation – Das österreichische Unternehmensstrafrecht (Verbandsverantwortlichkeitsgesetz): same same but different? (WisteV/AWCCA 2025)
  • Checklist: Aktuelle Cybercrime-Phänomene und Präventionsmaßnahmen für Unternehmen (ecolex 2025)
  • The International Anti-Corruption Academy’s Annual Conference on Global Trends and Challenges in Preventing and Combating Corruption, lecture: From Corruption to Laundering in Austria/Europe: Legal and Practical Responses to an Evolving Threat (IACA 2025)
  • Co-Editor and Author of Praxishandbuch Cybercrime: Cybercrime – eine Bestandsaufnahme, Online- und Krypto-Betrug, Aktuelle Entwicklungen und Ausblick (Linde 2025)
  • Ecolex Talks – Do’s and Don’ts im Strafrecht (Manz 2025)
  • The International Anti-Corruption Academy’s Annual Conference on Global Trends and Challenges in Preventing and Combating Corruption, lecture: New trends in AML/CFT from the financial sector perspective (IACA 2024)
  • Presentation at the AML Conference: AML- und Betrugs-Compliance (ARS Akademie 2024)
  • Strafbarkeit wegen Geldwäscherei durch Unterlassen? (ecolex, co-author)
  • Verschärfung des Korruptionsstrafrechts (ecolex, co-author)
  • Expert panel on risks in the Darkweb (SMJ partners, AWCCA and Darkowl 2023)
  • Presentation at blockchain-REAL: Crypto-Crime – Aktuelle Betrugs- und Geldwäschefälle (Linde and GEWINN 2022)
  • Linde Podcast #96 – Crypto Crime (Linde 2022)
  • The Asset Tracing and Recovery Review – Austrian Chapter, 7th and 8th Edition (Law Business Research 2019 and 2020; co-author)

Outsourced Legal Department

For some companies, maintaining an in-house legal department is not economically viable. Even established legal teams can quickly reach their limits during periods of increased workload or staffing shortages, particularly in legally sensitive situations. We support your business flexibly, quickly and reliably in all legal matters – so you can focus entirely on your core business.

  • Corporate Housekeeping
    Ongoing legal support for companies, from incorporation to amendments of articles of association or changes in shareholder structure.
  • Claim Management
    Coordination and handling of contentious matters including strategic and legal support in disputes and conflicts.
  • Crisis Management and Crisis Communication
    Legal assistance in critical situations as well as strategic guidance on internal and external communication.
  • Data Protection (GDPR)
    Advisory on the implementation of data protection requirements, drafting of guidelines and support during regulatory audits.
  • Contract Drafting and Contract Negotiations
    Drafting of tailor-made contracts to safeguard company interests as well as legal support during negotiations to strengthen the company’s position and minimize risks.
  • Contract Management
    Structured administration, monitoring and adaptation of existing contracts including deadline management.
  • Intellectual Property Law and Unfair Competition
    Protection of intellectual property (trademark applications, etc.) and opposing unfair business practices by competitors.

Cyber and Crypto Crime

Digitalization has led to a rapid increase and evolution of crime on the internet. Cyberattacks can hit both companies and private individuals suddenly and severely. We help you assess complex online crimes from a legal perspective, minimize financial losses and assert your rights effectively.

  • Crypto and Online Fraud
    Initial legal assessment, case analysis and enforcement of claims in cases of crypto fraud, investment and trading scams, romance scams, pig butchering schemes, fake online shops, impersonation scams and similar online fraud schemes.
  • Prevention and Compliance
    Development and implementation of guidelines, trainings and preventive measures to minimize digital risks.
  • Attacks on IT systems
    Legal advice and crisis management in cases of hacking, phishing, ransomware, fraudulent data processing, misuse of access credentials, data forgery and data damage.
  • Online Harassment and Abuse
    Legal support in cases of coercion, threats, stalking, cyberbullying, hate speech and online defamation.
  • Identity Theft and Online Manipulation
    Legal support in cases involving order fraud, CEO fraud, money laundering, data protection breaches and reputational harm.
  • NIS 2 Directive and Data Breaches
    Advice on security requirements, obligations and organizational measures for affected companies. Assistance in managing data protection incidents including data-breach notifications and communication with authorities.

White-Collar Crime

Criminal risks can affect companies and individuals unexpectedly. We provide comprehensive support to handle critical situations professionally, discreetly and with legal certainty. We safeguard your rights throughout all stages of criminal proceedings, guide you through challenging situations and ensure that your position is represented effectively and strategically.

  • Economic Crimes
    Consistent representation in cases of economic and business-related offences such as fraud, fraudulent insolvency, embezzlement, breach of trust, accounting offences, money laundering, misuse of trade or business secrets, forgery and other related matters.
  • Defense in Investigations and Criminal Proceedings
    Support and advice at every stage of criminal proceedings – from initial questioning to dawn raids, seizures, asset freezes and full defense representation before the criminal court.
  • Victim Representation
    Assertion of victims’ rights and claims of private parties or private prosecution to effectively protect economic and personal interests.
  • Corruption
    Legal advice and defense in cases involving abuse of power/office, acceptance of advantages, bribery and other corruption-related offences.
  • Compliance
    Development, optimization and implementation of guidelines, training programs and preventive measures to minimize risks for employees and companies.
  • Internal Investigations
    Discreet and independent clarification of internal matters to minimize criminal liability risks including interviews, document analysis and structured reporting for internal or external use.
  • Appeals and Remedies
    Review and filing of objections, complaints and appeals against acts or decisions of investigative authorities and courts.

Disputes

We represent our clients in contentious disputes before state courts and arbitral tribunals. Our services include enforcing claims, defending against unjustified claims and guiding our clients through payment, enforcement and insolvency proceedings. We also provide strategic support outside of court through assertive correspondence as well as efficient claim and enforcement management.

  • Advising in Civil Law Matters
    Legal advice across all areas of civil law, including damages, warranty, product liability and unjust enrichment.
  • Corporate and Commercial Disputes
    Legal support in shareholder disputes, director and officer liability and matters related to the Business Judgment Rule.
  • Representation before State Courts (Litigation)
    Comprehensive legal representation before state courts in all areas of civil law (e.g. damages claims, declaratory actions and injunctions) including strategic case management and targeted litigation preparation.
  • Arbitration
    Representation in domestic and international arbitration cases under various rules (e.g. VIAC, ICC, UNCITRAL) as well as ad hoc arbitration proceedings.
  • Out-Of-Court Representation
    Preparation of targeted legal demand letters and efficient out-of-court interventions to resolve disputes.
  • (European) Payment Orders
    Support in asserting monetary claims, including initiating payment orders and representation in objection proceedings.
  • Debt Collection
    Efficient identification, securing and recovery of assets to enforce outstanding claims.
  • Enforcement Proceedings
    Securing and satisfying claims as well as enforcing final judgments through injunctions, seizures, enforced sale of assets and other enforcement measures.
  • Recognition and Enforcement of Foreign Arbitral Awards
    Legal representation in recognition and enforcement proceedings concerning domestic and international arbitration awards.
  • Insolvency Cases
    Legal advice and support with claim submissions as well as representation in insolvency-related disputes.