Covid-19 and the corona virus have taken control of public life and companies are considering whether they have taken all the necessary steps to sufficiently mitigate the consequences of the pandemic. Maintaining a functioning IT infrastructure is also vital for the survival of most companies in a digitalized economy. This is all the more true if, compared to regular operations, additional remote working facilities have to be set up and supplied with sufficient bandwidth as well as hardware and software.
In addition to commercial rationality, it is also the law that requires companies to deal appropriately with imminent risks to business operations. Of course, this applies first and foremost to companies that are of critical importance to the society and whose failure would endanger public supply and safety. These operators of critical infrastructures (KRITIS) are obliged by the German IT Security Act (“IT Sicherheitsgesetz”) to take precautions against risks and to establish effective emergency plans. The General Data Protection Regulation (Art. 32 para. 1 c) GDPR) also formulates the duty of the responsible party and its data processors to ensure, by means of appropriate technical and organizational measures, that access to data can be quickly restored even in a crisis. Pursuant to Section 25a of the German Banking Act (KWG) and the respective principles of banking supervision "MaRisk", banks and financial service providers must draw up an emergency concept together with their IT service provider and regularly check its effectiveness through documented emergency exercises. This also includes the development of business continuation and restart plans. Finally, the general statutory duty of commercial diligence in accordance with sec. 43 para. 1 German Limited Liability Companies Act (“GmbHG”) and sec. 91 para. 2 German Stock Corporation Act (“AktG”) results in a very personal entrepreneurial duty to ensure the establishment and monitoring of an emergency concept for business-critical systems and appropriate insurance cover for IT failure. The execution and preparation of the plans can be delegated to the IT department and the CIO, for example, but the responsibility for the existence itself always remains with the company management.
In practical terms, the question now arises as to what risks are to be addressed in such an emergency plan and how to deal with the pandemic. In practice, many IT contingency plans so far only depict natural disasters, technical failures and burglary or vandalism. The focus is on a failure of the technical infrastructure. The case that the people and service technicians needed to ensure and uphold the operation of the system could fail is too often neglected in practice. And yet the employees need not even be infected by a virus themselves. The current development shows which personnel gaps can arise if suspected people are ordered to domestic isolation for 14 days or if childcare is cancelled without alternative care. The closure of business premises and offices to prevent infection is a further challenge for the ongoing operation of servers and IT infrastructure at these locations.
Practical advice:
No matter whether the existing contingency plans did not foresee the pandemic as a realistic scenario in civilized societies or whether the creation and testing of contingency plans for IT has so far simply fallen victim to everyday business: Now, at the latest, is the time to plan for the maintenance of the often vital IT infrastructure, to adapt existing plans to current developments and experiences and to develop them further with a view to the specific characteristics and needs of the company.
We are here to support you in the development of appropriate regulation concepts and their implementation, e.g. in the (re-)negotiation of the corresponding support contracts with external service providers or in the effective and labor law compliant implementation of the necessary requirements in the company.
Practical assistance with the preparation and content of IT emergency plans can be found not least at the German Federal Office for Information Security (“Bundesamt für Sicherheit in der Informationstechnik – BSI”) and in particular in the BSI standards (see BSI Standard 100-4: Emergency Management). Rarely has it been so evident that IT compliance requirements, which are often reviled as "bureaucratic" or "obstructive", can take on a very real and crucial significance for the continued existence of the company. Please contact us to find out how we can support you in your efforts to achieve this.
Status: March 17, 2020