Can the board of directors or management be held personally liable for IT security breaches?

Yes, in Germany, board members and management can be held liable for IT security gaps in the company. This is within the scope of their statutory duties to manage the company properly. In particular, the GmbH Act and the Stock Corporation Act require managing directors and board members to perform their duties with the diligence of a prudent manager. They can be held personally liable in the event of negligence or breaches of duty that lead to IT security gaps and jeopardize the company's assets or the rights of third parties. The exact liability depends on the circumstances of the case and often requires legal review.