IT GRC between law and practice: avoiding liability – anchoring security
IT GRC, i.e., the governance of IT, the management of IT risks, and compliance with external and internal requirements, is becoming increasingly important for banks and financial service providers in times of increased cyberattacks, growing digitalisation, and stricter regulation.
Introduction
Cyberattacks, increasing digitalisation and stricter regulation pose considerable challenges for banks and financial service providers in 2025. At the same time, the responsibility of company management for the secure operation of IT systems and data-processing processes is growing.
In our conversation with Prof Dr Josef Scherer, we discussed the legal foundations of IT/AI governance. It became clear that IT GRC is not a theoretical debate, but a concrete management task – with clear obligations, liability risks and the possibility of relief through effective systems.
The following sections summarise the key topics: What are the obligations, what are the liability risks and how can a compliance management system provide legal protection for management bodies?
Lawyer Prof Dr Josef Scherer has been Professor of Corporate Law (Compliance), Risk and Crisis Management, Restructuring and Insolvency Law at Deggendorf Institute of Technology since 1996. He previously worked as a public prosecutor at various regional courts and as a judge at the regional court in a civil chamber.
In addition to his work as a senior partner at the law firm Prof. Dr. Scherer & Partner, which specialises in commercial law and governance, risk and compliance management (GRC), he prepares scientific legal opinions and acts as a judge in arbitration proceedings.
Legal guard rails: obligations, liability and discharge
There is no statutory definition of terms such as "IT governance" or "AI governance." Their meaning is derived from legislation, supreme court case law and international standards, including DIN ISO 37000 (Governance of organizations), ISO/IEC 38500 (Governance of IT for the organization) and ISO/IEC 42001, the first standard for an AI management system.
Prof. Scherer defines IT/AI governance from a legal perspective as the “sustainable, compliance- and risk-based conscientious management and monitoring of organizations, including interaction with relevant stakeholders in the field of IT (AI).”
According to Prof. Scherer, compliance is the basis of all governance. Over 90% of all governance risks are also compliance risks, as almost all relevant obligations are subject to sanctions. If a compliance system is lacking, this usually constitutes a breach of organizational duty.
Prof. Scherer emphasizes: “Everything that needs to be done in the field of IT/AI governance must be done. This is pure compliance with no room for discretion.”
In recent years, the courts have repeatedly clarified that a missing or inadequate compliance management system (CMS) constitutes a breach of organizational duty. The Munich I Regional Court (2013, Siemens case) ruled that the lack of a compliance system was a breach of duty. The Higher Regional Court of Nuremberg (2022, 12 U 1520/19) likewise treated the absence of an internal control system as a breach of duty. The Federal Court of Justice (2017, judgment StR 265/16) clarified that an effective compliance system can have an exonerating effect under criminal law.
Legal basis
- § 43 GmbHG: Managing directors are liable to the company for breaches of their duty of care
- § 93 AktG: Management board members must exercise the diligence of a prudent and conscientious manager
- § 91 (2) AktG: Obligation to set up a monitoring system so that developments threatening the continued existence of the company are detected early
- § 130 OWiG: Breaches of supervisory and organizational obligations can lead to fines
"In order to avoid liability due to accusations of an organisation that is not legally compliant, an IT/AI governance CMS is indispensable."
Prof. Dr. Josef Scherer
The business judgement rule (Section 93 (1) sentence 2 AktG) only protects board members if they can show that they acted on the basis of adequate information. Without systematic checks and controls, managers cannot invoke this protection. A documented compliance management system (CMS) with clear processes is therefore a prerequisite for making legally compliant decisions.
According to Prof. Scherer, a CMS for IT/AI governance is a structural and procedural organisation consisting of roles, objectives, resources, processes and controls. In particular, this includes IT compliance management, ICT risk management, IT strategy and planning, information security and data protection, the internal control system (ICS) including auditing and the management of digitalisation and the use of AI.
Standards and frameworks such as ISO or COBIT provide valuable guidance. However, laws and courts are decisive. Prof Scherer emphasises: "Whether a procedure was correct or triggers liability is not decided by standards, but by the courts."
IT GRC: Implementation in practice – operationalising governance
The practical implementation of governance requirements is particularly evident in banks' core systems. Projects in the financial sector show that the same classes of vulnerability recur: overly broad authorizations, security-critical patches that have not been installed, missing audit logs, and opportunities to manipulate master data. SAP systems, as the digital control centre of banks, are a particular focus here.
Various measures have been established to manage such risks: system hardening and consistent patch management, active log management with connection to a SIEM, regular segregation-of-duties (SoD) analyses, and code reviews of custom ABAP programs. Principles such as "zero trust" and "least privilege" reduce the attack surface in the long term.
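As an added illustration of what a regular SoD analysis actually checks (this is example code written for this article, not msg's tooling or anything from the original page), the script below evaluates a constructed set of role and user assignments against a small, assumed rule set. The transaction codes are used only as illustrative labels, the roles, users and the three conflict rules are invented for the example, and the model is deliberately simplified to transaction codes rather than full SAP authorization objects.

```python
"""Minimal segregation-of-duties (SoD) and broad-authorization check.

Added example, not from the article. All roles, users, transaction codes
and rules below are constructed sample data (assumptions for illustration).
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations_with_replacement

# Constructed sample: which transaction codes each role grants.
# "*" stands for a wildcard authorization that grants every transaction.
ROLE_TCODES: dict[str, set[str]] = {
    "Z_VENDOR_MAINT": {"XK01", "XK02"},   # create / change vendor master data
    "Z_AP_PAYMENT": {"F110"},             # run the automatic payment program
    "Z_AP_INVOICE": {"FB60"},             # post a vendor invoice
    "Z_DISPLAY_ONLY": {"FK03", "XK03"},   # display-only transactions
    "Z_BASIS_ALL": {"*"},                 # SAP_ALL-like wildcard role
}

# Constructed sample: user-to-role assignments.
USER_ROLES: dict[str, set[str]] = {
    "alice": {"Z_VENDOR_MAINT", "Z_AP_PAYMENT"},
    "bob": {"Z_AP_INVOICE", "Z_DISPLAY_ONLY"},
    "carol": {"Z_BASIS_ALL"},
    "dave": {"Z_DISPLAY_ONLY"},
}


@dataclass(frozen=True)
class SodRule:
    """Two business functions that one person must not be able to perform."""
    rule_id: str
    func_a: frozenset[str]  # any of these tcodes grants function A
    func_b: frozenset[str]  # any of these tcodes grants function B
    risk: str


# Assumed rule set; a real one comes from the bank's SoD matrix.
SOD_RULES: list[SodRule] = [
    SodRule("P01", frozenset({"XK01", "XK02"}), frozenset({"F110"}),
            "Maintain vendor + pay vendor"),
    SodRule("P02", frozenset({"XK01", "XK02"}), frozenset({"FB60"}),
            "Maintain vendor + post invoice"),
    SodRule("P03", frozenset({"FB60"}), frozenset({"F110"}),
            "Post invoice + pay invoice"),
]


def effective_tcodes(user: str) -> set[str]:
    """Union of all transaction codes granted through the user's roles."""
    tcodes: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def _grants(tcodes: set[str], needed: frozenset[str]) -> bool:
    """A wildcard grants everything; otherwise any matching tcode suffices."""
    return "*" in tcodes or bool(tcodes & needed)


def evaluate_user(user: str) -> list[str]:
    """Return findings for a user: broad authorization first, then SoD hits."""
    tcodes = effective_tcodes(user)
    findings: list[str] = []
    if "*" in tcodes:
        findings.append("BROAD: wildcard authorization (all transactions)")
    for rule in SOD_RULES:
        if _grants(tcodes, rule.func_a) and _grants(tcodes, rule.func_b):
            findings.append(f"{rule.rule_id}: {rule.risk}")
    return findings


def conflicting_role_pairs(user: str, rule_id: str) -> list[tuple[str, str]]:
    """Which role pairs (possibly the same role twice) create the conflict.

    This is what remediation needs: removing either role of a pair (or
    splitting a single role that carries both sides) resolves the finding.
    """
    rule = next(r for r in SOD_RULES if r.rule_id == rule_id)
    roles = sorted(USER_ROLES.get(user, set()))
    pairs: list[tuple[str, str]] = []
    for ra, rb in combinations_with_replacement(roles, 2):
        ta, tb = ROLE_TCODES.get(ra, set()), ROLE_TCODES.get(rb, set())
        if (_grants(ta, rule.func_a) and _grants(tb, rule.func_b)) or \
           (_grants(tb, rule.func_a) and _grants(ta, rule.func_b)):
            pairs.append((ra, rb))
    return pairs


def analyse() -> dict[str, list[str]]:
    """Run the check over every user and keep only users with findings."""
    return {u: f for u in USER_ROLES if (f := evaluate_user(u))}


if __name__ == "__main__":
    for user, findings in analyse().items():
        print(f"{user}:")
        for finding in findings:
            print(f"  {finding}")
            rule_id = finding.split(":")[0]
            if rule_id != "BROAD":
                print(f"    via roles: {conflicting_role_pairs(user, rule_id)}")
```

Two things the output makes visible that a role list alone does not: a single wildcard role turns every SoD rule into a hit at once, which is why "overly broad authorizations" sits at the top of the recurring findings, and a conflict is rarely caused by one role but by the combination a user has accumulated, so the role pairs, not the user, are the unit of remediation. In a real SAP landscape the same logic has to be applied to authorization objects and field values (for example organisational levels), not just to S_TCODE entries, and the rule set must be the bank's own documented SoD matrix.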
Another key component is the implementation of the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). Among other things, the regulation requires banks to implement an ICT risk management framework, and it places responsibility for that framework on the management body.
In addition, there are requirements for structured incident management, regular resilience testing, including threat-led penetration testing (TLPT), and comprehensive third-party management. These requirements not only necessitate technical adjustments, but also clear governance structures that are anchored in the executive board.
Since IT/AI governance is primarily a matter for senior management, executive boards and supervisory boards must receive regular training. DORA training courses for management bodies teach participants about their obligations, the liability risks they face, and how to implement the regulations in practice. The aim is to enable management bodies to fulfill their responsibilities in a verifiable and legally compliant manner.
Recommendations for banks in 2025
In order to put the requirements from Prof. Scherer's legal analysis into practice, banks should set several priorities in 2025. The first priority is to establish an integrated governance CMS that covers all relevant roles, processes, and controls. In addition, regular SAP security audits are necessary to demonstrate that the systems reflect the state of the art.
DORA has applied since 17 January 2025, and its requirements should be implemented systematically. Maturity assessments and benchmarking help to measure the effectiveness of the measures taken. Finally, targeted training for management bodies is essential, as responsibility ultimately lies with the management board.
| Area of action | Legal obligation (Prof. Scherer) | Practical implementation (msg for banking) |
|---|---|---|
| Governance CMS | Obligation to set up (§ 91 AktG, § 43 GmbHG) | Establishment of compliance and risk processes |
| SAP security | State of the art must be maintained | Security audits, hardening, quick wins |
| DORA compliance | EU regulation applicable since 17 January 2025 | Gap analysis, resilience tests, third-party management |
| Maturity assessment | Well-founded decisions necessary (business judgment rule) | Evaluation matrix, benchmarking |
| Training for management bodies | Responsibility lies with the management board | DORA training, IT GRC seminars |
Conclusion
IT and AI governance is not an option, but a legal obligation. A lack of systems leads to breaches of organisational duties and potential personal liability. Conversely, an effective compliance and governance system has an exonerating effect. Documented audits, clear processes and verifiable measures prove that management fulfils its responsibilities.


