On 16 June 2026, our Corporate Crime & Investigations (CC&I) team in Frankfurt hosted a conference on "Cybercrime & Compliance: Navigating Risks in a Digital World". The event brought together senior representatives from law enforcement, industry and technology, alongside global partners of Herbert Smith Freehills Kramer (HSF Kramer), to exchange insights on addressing cybercrime risks and emerging threats.
Keynote: The Threat of Cybercrime: Risks, Trends and the Importance of International Cooperation
In his opening speech Fred-Mario Silberbach (Senior Criminal Director and Deputy Head of the Cybercrime Division, Federal Criminal Police Office (BKA)) addressed the current cybercrime threat landscape, the evolvingg role of AI, and law enforcement's strategic response.
Whilst domestically driven incidents in Germany are declining, attacks originating from abroad continue to rise. Germany remains a primary target for advanced persistent threats and state-sponsored operations originating from Russia, Iran, China, and North Korea. The threat is no longer purely digital: hybrid campaigns combining cyberattacks with non-digital methods such as drone surveillance or physical sabotage are increasingly observed.
Today's cybercrime ecosystem increasingly resembles a legitimate business: a sophisticated underground economy with specialised roles and structured processes. On AI, the findings of Project AI 2027 – a scenario exercise supported by Microsoft, Europol and the BKA – were striking: as of April 2026, approximately 22,000 autonomous AI agents were active in the threat landscape. AI-driven attackers are becoming faster and less error-prone, while defenders remain bound by legal and compliance frameworks that attackers simply ignore.
Law enforcement is pursuing coordinated strategies against across four dimensions:
- Prosecution: where possible, threat actors are identified, arrested and brought to justice.
- Infrastructure disruption: where suspects are in non-cooperative jurisdictions, the focus shifts to seizing and dismantling technical infrastructure.
- Financial disruption: the BKA confiscates assets, flags cryptocurrency holdings and renders the proceeds of cybercrime unusable.
- Disruptive communication: threat actors are made aware that they have been identified – as demonstrated by Operation Endgame.
The keynote's central message was clear: cybercrime is a global, evolving threat requiring coordinated action between public authorities and private organisations – and collaboration must begin well before an incident occurs.
Fighting Cybercrime: Prevention, Incident Response and Resilience
The first panel, moderated by Prof Dr Jürgen Stock (former Secretary General of INTERPOL and former BKA Vice President), examined how organisations can build genuine cyber resilience beyond mere regulatory compliance.
The role of AI in cyber threats
Dr Jennifer Pernau (Microsoft Germany) noted that Germany records the highest number of cybersecurity incidents of any EU Member State. Microsoft's AI-driven security model deploys up to 100 AI agents in concert to identify vulnerabilities – uncovering security gaps that had remained undetected for over 20 years, demonstrating a capability that substantially exceeds that of even experienced human security teams.
Corporate preparedness, however, remains a critical weakness: attackers frequently operate undetected within corporate networks for more than 100 days. The gap between perceived and actual resilience remains one of the most significant – and underappreciated – vulnerabilities in the corporate threat landscape, a shortfall compounded by the growing offensive use of AI by threat actors.
Arnd Gille (Palo Alto Networks) highlighted that within a single year, sophisticated AI agents capable of vulnerability chaining (the sequential exploitation of multiple weaknesses) have transformed previously dormant weaknesses into active threats. He stressed that effective defence must begin well before an incident occurs, with employee awareness and training as a critical first line of defence, and encouraged organisations to engage proactively with the BKA and the relevant State Criminal Police Office (LKA) as active partners in cyber defence.
Legal challenges and enforcement limits
Jana Ringwald (Office of the Attorney General Frankfurt, Zentralstelle zur Bekämpfung der Internetkriminalität (ZIT)) offered a prosecutorial perspective on the challenges that criminal law faces in the age of AI-driven offences. At the heart of these challenges lies a structural tension: the criminal procedure framework is built around natural persons – and as AI agents become more autonomous, establishing the causal chain back to a human actor becomes increasingly complex and legally contested.
Ringwald strongly recommended notifying the ZAC (Zentrale Ansprechstelle Cybercrime) of the relevant LKA and filing a criminal complaint following a cyberattack, even absent a legal obligation to do so. She emphasised that the prosecution authority operates covertly: it does not publicise the attack, nor does it shut down systems or seize work equipment. The objective is to secure the digital traces embedded in the company's data – evidence that can be obtained swiftly and efficiently through cooperative communication with the affected organisation. Unreported attacks distort official statistics and misallocate enforcement resources.
Ringwald's message was clear: law enforcement has a vital role to play, but it does not – and cannot – substitute for corporate preparedness. A cyberattack is not a question of "if" but of "when" – it is not a threat reserved for large corporates or critical infrastructure; it touches every organisation. Those that have yet to treat cyber resilience as a board-level priority are not merely taking a risk – they are already exposed.
The corporate perspective
Wolfgang Müller (IDEAL Lebensversicherung) gave a candid account of his company's experience of a cyberattack originating from a firewall vulnerability. He described the threat environment as a "digital swamp" in which attackers operate in sophisticated divisions of labour, making attribution and defence extremely difficult. No organisation is too small to be a target, and attacks frequently exploit the human element rather than technical vulnerabilities alone.
IDEAL chose to go public about the cyberattack: as an insurance company that relies on the trust of their clients, transparency is crucial. That said, the timing of any disclosure requires careful judgement, particularly in light of potential liability implications.
Drawing on his experience, Müller offered three practical recommendations for organisations looking to strengthen their preparedness:
- Establish a crisis team – and test it regularly, including simulations with external forensic partners.
- Build a kill switch: the technical capability to disconnect from the internet at short notice.
- Invest in a culture of resilience: recovery depends on everyone pulling in the same direction.
Global Investigations in a Cyber-Driven World: Cross-Border Investigative Challenges
The next panel centred on a case study involving a German-headquartered international company that had fallen victim to a cyberattack resulting in significant financial loss. HSF Kramer's partners Susannah Cogman (London), Jonathan Mattout (Paris), Dr Dirk Seiler (Frankfurt), Miguel García-Casas (Madrid) and David Chen (Shanghai) shared their jurisdiction-specific perspectives.
First response
The panel was unanimous: the immediate priority is to "stop the bleeding" to minimise damage and preserve room for manoeuvre. Cash flows must be traced, and both the paying bank and the authorities must be notified without delay. Furthermore, early external IT support is essential to assess the scope of the problem before any decisions are taken.
Evidence preservation
The most common mistake is allowing the IT team to remediate the system before forensic evidence has been preserved. Once the system is cleaned, the ability to understand and prove what happened is irretrievably lost. Best practice requires a multi-disciplinary crisis team with clearly delineated roles under a unified command structure.
Cross-border cases require cross-border legal management
Cybercrime incidents rarely respect jurisdictional boundaries. Where multiple jurisdictions are affected, the company faces various potentially differing or conflicting obligations – on reporting to authorities, the conduct of internal investigations, and on the protection of communications and documents through legal privilege. In such cases, international expertise on these issues is not optional, it is essential from the outset.
Particular care is required where the US or China are involved. In both jurisdictions, engaging local law enforcement carries risks that must be carefully assessed before any approach is made. In China specifically, the conduct of internal investigations – particularly where foreign investigators are involved, or information is to be transferred outside the country – requires close legal scrutiny.
Ransom payments
On ransom payments, the panel was direct: a ransom payment is never simply a commercial decision. In a multi-jurisdictional context, it can simultaneously trigger criminal liability, regulatory sanctions, and insurance complications – and it does not extinguish any legal obligations arising from the breach. Paying does not make the problem go away; it frequently compounds it. The overarching guidance was straightforward: identify the key jurisdictions you operate in, understand the applicable frameworks, and define your objectives clearly before any external engagement begins.
From Cyberattack to Liability Trap: Corporate and Management Responsibility
The conference closed with HSF Kramer partners Hannah Eckhoff and Thorsten Matthies examining the liability consequences of cyber incidents for companies and their management.
Prevention
The NIS2 Directive, transposed into German law through the BSIG, affects almost every organisation of substance. Its obligations – including risk management, documentation, organisational measures, and training – are dynamic duties evolving with the threat landscape. Sanctions reach up to €10 million or 2% of annual global turnover.
Under the BSIG, cybersecurity is expressly a matterof corporate governance, not IT. Management bears overall responsibility: it must implement and supervise the required measures, fulfil regular training obligations, and carries the burden of proving due care. Personal liability of individual directors for breach of these duties is now explicitly provided by statute.
Thus, prevention is the most important investment. Regulatory compliance is the minimum standard, but effective cyber resilience requires going materially beyond it.
During an attack
Advance preparation – including tabletop exercises – is essential given the time pressure of a live incident. Key immediate obligations include notification under the BSIG (24-hour early warning) and GDPR (72-hour breach notification), as well as timely notification of the cyber insurer. Ongoing documentation is critical, as it will form the evidential foundation of any subsequent liability dispute.
Corporate liability
A victim of a cyberattack may itself face substantial liability claims, whether for delayed delivery, forwarding incorrect payment details as a result of invoice fraud, or loss of customer data. Force majeure will not assist in the vast majority of cases. What counts is demonstrable preparation: a company that can evidence state-of-the-art IT security and regulatory compliance will be in a significantly stronger position. At board level, the Business Judgement Rule protects management that has made reasonable, informed and documented decisions on cyber risk allocation and mitigation but offers no protection to those who have failed to address the issue. D&O and cyber insurance can serve as useful risk mitigation tools, but neither substitutes for robust governance.
Where losses do occur, the most promising avenue for recovery is against contractual counterparties: IT service providers or suppliers whose systems were the vector of the attack. Eckhoff and Matthies recommended building contractual frameworks proactively to support such claims, including specific, measurable security obligations and clearly defined audit and control rights.
Conclusion
The discussions across all four sessions converged on a clear message: cybersecurity is a leadership responsibility, not an IT function. It is a matter of governance, preparation, and the willingness to treat resilience as a strategic priority – before the crisis, not during it.
Key contacts
Dr Dirk Seiler
Partner, Germany
Jonathan Mattout
Partner, Head of Corporate Crime and Investigations, EMEA, Paris
Susannah Cogman
Partner, London
Miguel García Casas
Partner, Madrid
Hannah Eckhoff
Partner, Germany
Thorsten Matthies
Partner, Germany
David Chen
Partner, Mainland China and Shanghai
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.