
Cyber Security

Cyber attacks cannot be avoided! Do you have a communications plan and cyber attack incident response plan for this eventuality? Do they take account of the type of cyber attack and the different stakeholders?

Cyber attacks are unavoidable and there is usually no defence against them – statistics reveal that there are about 80 to 90 million cyber attacks per year worldwide, and two thirds of German companies have already been a target or victim of cyber attacks. With Industry 4.0, the Internet of Things (IoT), big data/data lakes, autonomous driving and smart homes/devices on the rise, the risk of cyber attacks will further increase in the future (about 400 new threats per minute are being released worldwide). In addition to breaches of law and reputational risks, cyber attacks and data incidents in particular cause financial losses. According to current statistics, the average cost of an individual data incident in Germany was EUR 3.42 million in 2017.

If a cyber attack is detected at all, the affected company immediately needs to communicate with its stakeholders. The first 30 minutes are crucial. Communication must be at Twitter speed. At the same time, legal notification duties towards authorities, customers, employees and the public/stakeholders must also be met. Under the General Data Protection Regulation, any personal data breach must be notified to the competent supervisory authority without undue delay but not later than 72 hours after it was identified. The fine that could be payable in case of delayed or inaccurate notification is up to EUR 10 million or 2% of consolidated worldwide turnover.

Your challenges

Data is critically important for companies, which is why protection from unauthorised access by both external third parties and the company's own employees is vital. In order to ensure effective data protection management and cyber security, companies must know their respective stakeholders in terms of data protection. In addition to employees and their representative bodies, customers or users as well as suppliers/business partners, stakeholders may also include creditors/capital markets, investors, supervisory/regulatory authorities (e.g. Data Protection Authority, BSI, German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht; BaFin)) or the press/media. These stakeholders and their expectations must be taken into account when structuring the relevant processes and communications (both internally and externally). Contract positions must be secured, and trust must be maintained or rebuilt. So who communicates with whom and when? In this context, it is essential to implement organisational safeguards in order to protect data from unauthorised access, in addition to preventing the loss of data by technical means. A holistic approach has proven successful in this regard, comprising both repressive and preventive action. Any company lacking an integrated Data Incident Response Communication Plan (DIRCP) will have no real chance of success.

Our expertise

Allen & Overy and Hering Schuppener have created an integrated advisory tool that offers legal and communications advice regarding cyber attacks from a single source. We would be glad to support you both in implementing preventive measures and if you have fallen victim to an attack. Your advantage: cooperation that is unique in the market between leading legal and communications firms – you will benefit from just one interface for an entire range of expertise.

Scope of services
  1. Prevention: Developing strategic and legal communications plans to prepare for unavoidable cyber attacks
  2. In case of attack: Legal and strategic advice in response to a cyber attack
  3. Consequences: Managing crisis communication and the additional measures to be taken after a cyber attack

News and insights

Blog Post: 22 February 2024

EDPB adopts opinion on the notion of main establishment during 90th plenary

The European Data Protection Board (EDPB) during its 90th plenary session, on 14 February 2024, amongst other things: adopted an opinion (the Opinion) on the notion of a controller’s main…


Blog Post: 14 February 2024

ICO and AEPD take steps for protection of minors

The Information Commissioner’s Office (ICO) launched a campaign called ‘Think. Check. Share’ (the Campaign) on 29 January 2024, to promote responsible data sharing to safeguard children. The Campaign…


Blog Post: 10 January 2024

CJEU rules that a credit score constitutes automated decision making under the GDPR

On 7 December 2023, the Court of Justice of the European Union (CJEU) issued a landmark judgment on Article 22 of the General Data Protection Regulation (GDPR), focused on decision making based solely…


Blog Post: 13 September 2022

Germany – Schrems II: German court overturns presumption of international data transfer from EU-subsidiary to non-EU parent company

On 13 July 2022, the Public Procurement Chamber of the German state of Baden-Württemberg (the Public Procurement Chamber) issued a decision confirming that personal data processed by an EU subsidiary…


Crisis Management - Cybercrime

Cybercrime – criminal activities that exploit electronic infrastructures – is one of the greatest threats faced by companies in the digital age. Both the number of attempted attacks and the level of professionalism employed by the perpetrators have been on the rise for years. Attacks are thus occurring more often while also becoming more complex. Cases of cybercrime are to be viewed as corporate crises requiring a fast and legally sound response. We can offer our experience in the relevant legal fields, combined with our contacts at the competent authorities and other service providers. Be it prevention or response, cybercrime requires your attention. We would be happy to advise you – please don’t hesitate to contact us.

Digital maturity


Law is code. We speak both. Today, every company is a technology company. That includes us.

Fluent in tech, experts in law—Allen & Overy helps clients navigate the complex landscape of technology. Move beyond digital transformation to true digital maturity with a firm that’s backed by global experience and expertise.