Cyberattacks can push companies into insolvency within hours. When does a ransomware attack trigger the obligation to file for insolvency under § 15a InsO – and how can directors protect themselves from personal liability?
Table of Contents
- A Cyberattack as an Existential Threat
- Prominent Cases: From Maersk to Südwestfalen
- Maersk and NotPetya: USD 300 Million in Damages
- Südwestfalen-IT: 103 Municipalities Offline
- German SMEs: Fasana and Einhaus
- When Does a Cyberattack Trigger the Obligation to File for Insolvency?
- Inability to Pay Through Operational Disruption
- The Three-Week Deadline in Practice
- Over-Indebtedness as an Additional Insolvency Ground
- Director Liability: When the Attack Becomes a Personal Risk
- Duty of Care Under § 43 GmbHG
- Delayed Insolvency Filing as a Criminal Offence
- Cyber Insurance: Protection with Gaps
- Preventive Measures: What Companies Should Do Now
- Business Continuity Management Under BSI Standard 200-4
- Technical and Organisational Measures
- Legal Precautions
- Recommendations for Directors
A Cyberattack as an Existential Threat
In July 2021, the district of Anhalt-Bitterfeld became the first German municipality to declare a state of emergency due to a cyberattack. For more than six months, IT systems were largely paralysed, with costs amounting to approximately 2.5 million euros. What was dramatic but survivable for a public authority can spell the end for a private-sector company: cyber insolvency.
The term describes cases in which a cyberattack – typically ransomware – disrupts business operations so massively that the company becomes unable to pay its debts and must file for insolvency. The number of such cases is rising. The German Federal Office for Information Security (BSI) recorded an average of 119 new vulnerabilities per day in its 2025 status report – an increase of 24 per cent over the previous year.
Prominent Cases: From Maersk to Südwestfalen
Maersk and NotPetya: USD 300 Million in Damages
The most prominent case of a cyber catastrophe struck the Danish logistics giant A.P. Møller-Maersk in 2017. The NotPetya malware encrypted virtually the entire IT infrastructure within hours – 49,000 laptops and 3,500 servers across 130 countries. Maersk, which handles approximately 20 per cent of global container trade, was unable to operate for days. The total damage amounted to approximately USD 300 million. Only a backup that had survived by chance in Ghana made recovery possible. A company with fewer reserves would not have survived.
Südwestfalen-IT: 103 Municipalities Offline
In October 2023, a ransomware attack on Südwestfalen-IT (SIT) paralysed the IT infrastructure of more than 100 municipalities in North Rhine-Westphalia. Citizen service centres could not issue identity documents, vehicle registration offices came to a standstill, and social benefits could not be disbursed. Recovery took more than eleven months. Strikingly, the SIT board had unanimously voted against purchasing cyber insurance just weeks before the attack.
German SMEs: Fasana and Einhaus
The German Mittelstand is particularly vulnerable. The napkin manufacturer Fasana from Euskirchen had to file for insolvency in 2024 after a ransomware attack – on the first day alone, orders worth over EUR 250,000 could not be fulfilled, and revenue losses over the following two weeks amounted to approximately two million euros. A similar fate befell the Einhaus Group from Hamm, formerly Germany’s leading electronics insurer, which faced economic ruin after an attack by the “Royal” ransomware group.
When Does a Cyberattack Trigger the Obligation to File for Insolvency?
Inability to Pay Through Operational Disruption
The key question for affected directors is when an IT disruption turns into an obligation under insolvency law. Under § 15a InsO, directors of a GmbH must file for insolvency without culpable delay, and no later than three weeks after the onset of inability to pay.
Inability to pay within the meaning of § 17 InsO exists when the company is unable to meet its due payment obligations. The IDW Standard S 11 specifies that a mere payment disruption – a temporary liquidity shortfall of less than ten per cent that can be remedied within three weeks – is not yet sufficient.
However, a ransomware attack can quickly exceed this threshold:
- Production shutdown: When IT systems are encrypted, many companies cannot produce, deliver or invoice
- Payment failures: Online banking and accounting systems are blocked; due wages and supplier invoices cannot be paid
- Customer attrition: Major customers terminate contracts when delivery deadlines are not met
- Recovery costs: Forensic analysis and IT rebuilding consume substantial resources
The Three-Week Deadline in Practice
The deadline under § 15a InsO begins objectively when inability to pay occurs – not only when the director recognises it. In practice, the recommendation is therefore clear: conduct a liquidity analysis immediately after a serious cyberattack. Continuously document the status of payment ability and seek legal advice without delay.
Over-Indebtedness as an Additional Insolvency Ground
In addition to inability to pay, over-indebtedness (§ 19 InsO) may also exist when liabilities exceed assets and a positive going-concern prognosis is no longer possible. A cyberattack can massively impair the going-concern prognosis, for example if essential customer data is irretrievably lost or the trust of business partners is destroyed.
Director Liability: When the Attack Becomes a Personal Risk
Duty of Care Under § 43 GmbHG
Under § 43 GmbHG, directors must exercise the care of a prudent businessperson. According to the prevailing view, this duty also encompasses IT security. A director who fails to implement adequate cybersecurity measures risks personal liability towards the company.
Liability may materialise through:
- Failure to invest in IT security despite a known threat landscape
- Absence of contingency plans (Business Continuity Management)
- Lack of insurance: Deliberately forgoing cyber insurance may constitute grounds for liability
- Delayed response after an attack, particularly in filing for insolvency
Delayed Insolvency Filing as a Criminal Offence
If the insolvency filing is submitted late after a cyberattack, the director faces not only civil liability but also criminal prosecution for delayed insolvency filing (§ 15a(4) InsO). The penalty: imprisonment of up to three years or a fine. Mere negligence is sufficient.
Cyber Insurance: Protection with Gaps
The cyber insurance market in Germany is growing rapidly – Germany holds the largest market share in Europe at 24.4 per cent. However, cyber insurance is no panacea:
- Higher rejection rates: Almost one in three applications is now rejected, as insurers impose stricter IT security requirements
- Coverage gaps: Many policies do not cover the full business interruption loss, particularly lost profits over extended periods
- Policy conditions: If agreed security standards are not maintained, the insurer may refuse to pay
- Sum limits: Coverage amounts are frequently insufficient for an existential attack
Nevertheless, adequate cyber insurance is an essential building block of risk strategy and can make the difference between restructuring and insolvency in an emergency.
Preventive Measures: What Companies Should Do Now
Business Continuity Management Under BSI Standard 200-4
The BSI has published a practice-oriented guide for Business Continuity Management (BCM) with Standard 200-4. The following measures are central to cyber resilience:
- Business Impact Analysis: Identify business-critical processes and their dependence on IT systems
- Contingency plans: Create documented plans for operating without IT – at least for core processes
- Backup strategy: Implement the 3-2-1 rule (three copies, two media types, one offsite) with regular recovery testing
- Incident Response Team: Define roles and responsibilities for crisis situations – including external forensic service providers and legal advisors
Technical and Organisational Measures
- Network segmentation: Prevent the lateral spread of malware
- Multi-factor authentication: Protect privileged access and VPN connections in particular
- Employee training: 90 per cent of all cyberattacks begin with phishing – regular awareness training is indispensable
- Patch management: Close security vulnerabilities promptly – the SIT attack exploited a known VPN vulnerability
Legal Precautions
- Review contract clauses: Does your cyber insurance contain force majeure provisions? Are your supply contracts prepared for IT operational disruptions?
- Documentation: Record all security measures and investment decisions in writing – this documentation can be decisive in liability cases
- Crisis communication plan: Prepare communication with customers, suppliers, authorities and media in advance
Recommendations for Directors
Cyber insolvency is no longer a theoretical risk but a business reality. For directors, this gives rise to concrete duties:
- IT security is a board-level matter: Responsibility cannot be fully delegated to the IT department
- Regular risk assessments: Evaluate your cyber risks at least annually – taking into account the current BSI status report
- Liquidity reserves: Maintain reserves that can bridge a multi-week operational shutdown
- Involve legal counsel: Have your liability risks examined and your insurance policies reviewed
- Test the crisis plan: Conduct regular exercises – a contingency plan that has not been tested is no contingency plan at all
At compleneo, we support you at the intersection of insolvency law, corporate law and crisis advisory. Whether preventive liability analysis, contingency planning or acute crisis management following a cyberattack – get in touch with us.