{"id":2150,"date":"2026-04-30T08:04:25","date_gmt":"2026-04-30T08:04:25","guid":{"rendered":"https:\/\/leukos.at\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/"},"modified":"2026-04-30T09:45:27","modified_gmt":"2026-04-30T09:45:27","slug":"cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks","status":"publish","type":"post","link":"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/","title":{"rendered":"Cybersecurity as a Management Responsibility: When Are Corporate Directors Liable for \u201cHacker Attacks\u201d?"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>1. The Legal Starting Point: Organizational Duties Without a \u201cBlueprint\u201d<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>Although Austrian law does not provide specific technical guidance for the required IT infrastructure within a company, it clearly establishes organizational duties. A corporate director bears the fundamental responsibility for ensuring that tasks at subordinate levels are carried out according to clear rules and that compliance with these rules is regularly monitored. This also applies to the IT sector. While directors are not required to personally master every technical process, they are obligated to establish appropriate processes and employ qualified, trustworthy personnel.   <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>2. 
The Internal Control System (ICS) as a Protective Barrier Against Cyber Fraud<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>A central legal obligation is the establishment of an internal control system (ICS) pursuant to Section 22 Austrian Limited Liability Company Act (GmbHG) or Section 82 Austrian Stock Corporation Act (AktG). The ICS encompasses all coordinated methods and measures within a company designed to safeguard assets, ensure the accuracy and reliability of accounting data, and support compliance with prescribed business policies. Its primary purpose is financial reporting and ensuring that a company\u2019s financial status is presented transparently and comprehensibly.  <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>A functioning ICS includes, for example:<\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<ul class=\"wp-block-list\">\n<li>reporting lines,<\/li>\n\n\n\n<li>the four-eyes principle,<\/li>\n\n\n\n<li>segregation of duties,<\/li>\n\n\n\n<li>as well as clear authorization limits (payment thresholds).<\/li>\n<\/ul>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>In the context of cyberattacks, the \u201chuman factor\u201d is becoming increasingly important, particularly in cases involving social engineering, spoofing, or deepfakes. With regard to accounting-related functions and payment transactions, corporate directors are required to exercise a heightened level of vigilance. Accordingly, the establishment of an appropriate internal control system (ICS) is also a key component of effective protective measures against such cyberattacks.  
<\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>Liability trap: If a managing director culpably fails to establish an appropriate internal control system (ICS), they are liable to the company for any resulting damages. However, if errors are nevertheless committed by employees despite a properly implemented system, this does not automatically result in personal liability for the managing director. <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>3. IT-Compliance<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>In addition to the ICS, an effective compliance management system (CMS) is also indispensable in defending against liability consequences in connection with cyberattacks. It serves not only to prevent damage and liability, but, in certain cases, may also protect against criminal consequences in the event of an incident. <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<ol class=\"wp-block-list\">\n<li>Corporate criminal law (VbVG): Fines for criminal offences committed by employees may be reduced if the company can demonstrably show that it has implemented preventive measures to avoid such offences (Section 5(3)(1) Austrian Corporate Criminal Liability Act \u2013 VbVG).<\/li>\n\n\n\n<li>Administrative criminal law: In administrative law as well, compliance systems serve to reduce or even eliminate a company\u2019s own exposure to sanctions or liability risks. An effective compliance system can, for example, not only protect the person responsible for administrative offences within the meaning of Section 9 VStG from penalties, but also shield the company from joint liability under Section 9(7) VStG.  
<\/li>\n\n\n\n<li>GDPR sanctions: In the event of data breaches, fines of up to EUR 10 million or 2% of global annual turnover may be imposed. However, the implementation of appropriate technical and organisational measures (TOMs) pursuant to Article 32 GDPR may lead to exculpation (relief from liability) of the controller.  <\/li>\n<\/ol>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\">4. Specific legal foundations for IT organisation<\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>For certain companies, additional specific obligations regarding IT organisation also apply:<\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<ul class=\"wp-block-list\">\n<li>NIS-2 Directive and NISG 2026: As early as 2018, the Austrian Network and Information Security Act (NISG) introduced initial comprehensive rules for sectors such as energy, banking, and healthcare. With the new NIS-2 Directive and its implementation in Austria through the Network and Information Systems Security Act 2026 (NISG 2026), the scope of application will be significantly expanded as of 1 October 2026. In Austria alone, several thousand companies will be affected, for which cybersecurity compliance (including information security management systems) will gain a fundamentally new level of importance.  <\/li>\n\n\n\n<li>Regulated entities in the financial sector: For credit institutions, insurance undertakings, and payment service providers, strict special statutory provisions on IT security have already been in place for several years (e.g. Section 39(2b) Austrian Banking Act \u2013 BWG, Section 110(2) Insurance Supervision Act 2016 \u2013 VAG 2016, or Section 85 Payment Services Act 2018 \u2013 ZaDiG 2018). 
These entities are required to establish effective risk management systems to limit \u201coperational risks\u201d \u2013 i.e. losses resulting from the failure of internal systems or human error. <\/li>\n<\/ul>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>5. Digital duty of care: The \u201cBusiness Judgment Rule\u201d in IT<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>For non-regulated companies\u2014i.e. those not subject to specific legislation such as the NIS-2 Directive or sector-specific statutory requirements\u2014the legal framework regarding IT security appears at first glance less explicit, but is nonetheless binding. Even though neither the Austrian Limited Liability Companies Act (GmbHG) nor the Stock Corporation Act (AktG) contains specific provisions dedicated to IT, managing directors are still required to ensure that the company identifies risks and mitigates them to the greatest extent possible. <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>Since the possibilities for IT security measures are virtually unlimited, the question arises as to the required standard of care. This is where the Business Judgment Rule (BJR) applies (Section 25(1a) GmbHG, Section 84(1a) AktG). 
A managing director is not liable for entrepreneurial decisions if they:  <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<ul class=\"wp-block-list\">\n<li>act on the basis of adequate information,<\/li>\n\n\n\n<li>do not pursue extraneous or improper interests,<\/li>\n\n\n\n<li>and act in good faith in the best interests of the company.<\/li>\n<\/ul>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>The complete failure to implement necessary digitalisation measures may, under certain circumstances, be regarded as a breach of the duty of care. Corporate directors are required to actively monitor technological developments and make use of digital innovations in order to ensure both the competitiveness and the security of the company. <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>Important for practice: A managing director does not need to be an IT expert, but must obtain an adequate informational basis by involving qualified individuals (including external experts where necessary). From a liability perspective, an incomplete risk analysis is critical in this regard \u2013 for example, if only the web shop is assessed, but not the internal network or internal risks posed by employees, the decision is not made on the basis of adequate information. <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>6. Liability is particularly likely in cases of unjustifiable decisions. These include, among others:<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<ul class=\"wp-block-list\">\n<li>Ignorance: the deliberate disregard of known security vulnerabilities after a risk assessment has already been carried out.<\/li>\n\n\n\n<li>Refusal of budget allocation: where funding is denied for simple, low-cost but highly effective measures such as multi-factor authentication (MFA), regular backups, or employee training.<\/li>\n\n\n\n<li>Delegation errors: assigning security responsibilities to clearly unsuitable or unqualified employees.<\/li>\n<\/ul>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>7. Cyber insurance: only part of the solution<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>Cyber insurance is a useful complement to mitigate financial consequences (e.g. business interruption, data recovery costs). However, it is not a substitute for a technical security concept. Corporate directors cannot simply \u201coutsource\u201d the risk; the obligation to proactively secure the company remains in place.  <\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>8. Conclusion and recommendations for action<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p>A successful cyberattack does not automatically result in liability. The law does not require 100% security, but it does require appropriate protection. This must correspond to the state of the art and the size of the company. Particularly critical is inaction in the face of obvious risks.   
<\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>9. Checklist for managing directors:<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<ul class=\"wp-block-list\">\n<li>Regular risk assessments: When was the entire system (including internal threats) last reviewed by specialists? Have the findings and lessons learned from the previous risk assessment been implemented? <\/li>\n<\/ul>\n\n<ul class=\"wp-block-list\">\n<li>State of the art: Do firewalls, encryption methods, and authentication mechanisms (MFA) comply with current standards?<\/li>\n<\/ul>\n\n<ul class=\"wp-block-list\">\n<li>Employee awareness: Are regular trainings conducted on phishing, fake president fraud, and ransomware?<\/li>\n<\/ul>\n\n<ul class=\"wp-block-list\">\n<li>Emergency management: Is there an up-to-date disaster recovery plan in place to enable rapid data restoration?<\/li>\n<\/ul>\n\n<div style=\"height:55px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-1024x576.jpg\" alt=\"\" class=\"wp-image-2130\" srcset=\"https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-1024x576.jpg 1024w, https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-300x169.jpg 300w, https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-768x432.jpg 768w, https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-1536x864.jpg 1536w, https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-2048x1152.jpg 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<div style=\"height:20px\" aria-hidden=\"true\" 
class=\"wp-block-spacer is-style-default\"><\/div>\n\n<h2 class=\"wp-block-heading\"><strong>Do you need support?<\/strong><\/h2>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<p><strong>If you\u2019d like support with this topic, feel free to get in touch with LEUKOS.<\/strong> We support you:<\/p>\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer is-style-default\"><\/div>\n\n<ul class=\"wp-block-list\">\n<li>to minimise your liability risk by helping you prepare and document decisions on IT security measures in a way that meets the strict requirements of the Business Judgment Rule,<\/li>\n\n\n\n<li>to establish a tailored internal control system (ICS) and\/or compliance management system (CMS), and<\/li>\n\n\n\n<li>to support well-founded risk analyses of your IT infrastructure from a legal perspective, in order to create an appropriate information basis for your management decisions.<\/li>\n<\/ul>\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In modern corporate governance, the question is no longer whether a company will be targeted by cybercriminals, but only when this will happen. The number of successful cyberattacks is also increasing. For managing directors (GmbH), executive board members, and supervisory board members (AG), this brings a topic into focus that extends far beyond the IT department alone: personal liability for deficiencies in cybersecurity.  
<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[48,45,43,49,46,47,44],"class_list":["post-2150","post","type-post","status-publish","format-standard","hentry","category-nicht-kategorisiert","tag-business-judgment-rule","tag-compliance-management-system-cms","tag-cyber-sicherheit","tag-hackerattacks","tag-internal-control-system-ics","tag-it-compliance","tag-organizational-duties"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cybersecurity as a Management Responsibility: When Are Corporate Directors Liable for \u201cHacker Attacks\u201d? - LEUKOS Brewi Krepil Rechtsanw\u00e4lte Wien\u2028<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cybersecurity as a Management Responsibility: When Are Corporate Directors Liable for \u201cHacker Attacks\u201d? - LEUKOS Brewi Krepil Rechtsanw\u00e4lte Wien\u2028\" \/>\n<meta property=\"og:description\" content=\"In modern corporate governance, the question is no longer whether a company will be targeted by cybercriminals, but only when this will happen. The number of successful cyberattacks is also increasing. 
For managing directors (GmbH), executive board members, and supervisory board members (AG), this brings a topic into focus that extends far beyond the IT department alone: personal liability for deficiencies in cybersecurity.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"LEUKOS Brewi Krepil Rechtsanw\u00e4lte Wien\u2028\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-30T08:04:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-30T09:45:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1440\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"LEUKOS Rechtsanw\u00e4lte\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"LEUKOS Rechtsanw\u00e4lte\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/\"},\"author\":{\"name\":\"LEUKOS Rechtsanw\u00e4lte\",\"@id\":\"https:\/\/leukos.at\/en\/#\/schema\/person\/5249fc668a691bec3faf53bf06fde209\"},\"headline\":\"Cybersecurity as a Management Responsibility: When Are Corporate Directors Liable for \u201cHacker Attacks\u201d?\",\"datePublished\":\"2026-04-30T08:04:25+00:00\",\"dateModified\":\"2026-04-30T09:45:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/\"},\"wordCount\":1334,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/leukos.at\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-1024x576.jpg\",\"keywords\":[\"Business Judgment Rule\",\"Compliance-Management-System (CMS)\",\"Cyber-Sicherheit\",\"Hackerattacks\",\"Internal Control System (ICS)\",\"IT-Compliance\",\"Organizational Duties\"],\"articleSection\":[\"Nicht 
kategorisiert\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/\",\"url\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/\",\"name\":\"Cybersecurity as a Management Responsibility: When Are Corporate Directors Liable for \u201cHacker Attacks\u201d? - LEUKOS Brewi Krepil Rechtsanw\u00e4lte Wien\\u2028\",\"isPartOf\":{\"@id\":\"https:\/\/leukos.at\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-1024x576.jpg\",\"datePublished\":\"2026-04-30T08:04:25+00:00\",\"dateModified\":\"2026-04-30T09:45:27+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/#primaryimage\",\"url\":\"https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still
-14-1-1024x576.jpg\",\"contentUrl\":\"https:\/\/leukos.at\/wp-content\/uploads\/2026\/04\/Still-14-1-1024x576.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/leukos.at\/en\/cybersecurity-as-a-management-responsibility-when-are-corporate-directors-liable-for-hacker-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Start\",\"item\":\"https:\/\/leukos.at\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity as a Management Responsibility: When Are Corporate Directors Liable for \u201cHacker Attacks\u201d?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/leukos.at\/en\/#website\",\"url\":\"https:\/\/leukos.at\/en\/\",\"name\":\"LEUKOS Brewi Krepil Rechtsanw\u00e4lte Wien\\u2028\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/leukos.at\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/leukos.at\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/leukos.at\/en\/#organization\",\"name\":\"LEUKOS Brewi Krepil Rechtsanw\u00e4lte Wien\\u2028\",\"url\":\"https:\/\/leukos.at\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/leukos.at\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/leukos.at\/wp-content\/uploads\/2025\/11\/cropped-Group-50.jpg\",\"contentUrl\":\"https:\/\/leukos.at\/wp-content\/uploads\/2025\/11\/cropped-Group-50.jpg\",\"width\":363,\"height\":103,\"caption\":\"LEUKOS Brewi Krepil Rechtsanw\u00e4lte Wien\\u2028\"},\"image\":{\"@id\":\"https:\/\/leukos.at\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/leukos.at\/en\/#\/schema\/person\/5249fc668a691bec3faf53bf06fde209\",\"name\":\"LEUKOS 
Rechtsanw\u00e4lte\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/leukos.at\/en\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0454aa1512ef5e31143028bcfa298ef562f229c42bc7e4e9b67144ef439417d1?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0454aa1512ef5e31143028bcfa298ef562f229c42bc7e4e9b67144ef439417d1?s=96&d=mm&r=g\",\"caption\":\"LEUKOS Rechtsanw\u00e4lte\"},\"sameAs\":[\"http:\/\/www.leukos.at\"],\"url\":\"https:\/\/leukos.at\/en\/author\/leukos\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/posts\/2150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/comments?post=2150"}],"version-history":[{"count":1,"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/posts\/2150\/revisions"}],"predecessor-version":[{"id":2154,"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/posts\/2150\/revisions\/2154"}],"wp:attachment":[{"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/media?parent=2150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/categories?post=2150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/leukos.at\/en\/wp-json\/wp\/v2\/tags?post=2150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}