If you’re responsible for a company – whether as a CEO, IT manager, or strategic leader – you’re inevitably dealing with information, IT, and cybersecurity. Two terms that keep coming up in this context are Due Diligence and Due Care. They might sound like legal jargon at first, but in practice, they’re absolutely critical.
This article breaks down what they mean, why they matter to you, and what can happen if you ignore them. You’ll also see what Due Diligence and Due Care look like in day-to-day business.
What is Due Diligence?
Imagine you’re acquiring another company. You want to know if there are any digital skeletons in the closet – outdated systems, open security gaps, or data protection issues. That’s exactly what Due Diligence is about: a structured and thorough check before you make a decision.
In the IT and security context, this means asking questions like:
- Are sensitive data being stored securely?
- Is there outdated software or undocumented shadow IT?
- Which third parties have access to systems or data?
- Are there security policies in place – and are they being followed?
Example: A mid-sized company acquires an online shop. The check reveals the shop system still runs on PHP 5.6, there’s no two-factor authentication, and admin accounts were never reset. Without these findings, the acquisition could’ve turned into a full-blown security disaster – and a mandatory data breach report to the authorities.
This example shows how crucial a structured data protection risk analysis and a cybersecurity audit are as part of Due Diligence.
What is Due Care?
Due Care is the day-to-day counterpart. While Due Diligence is more like a “preventive check” before making a decision, Due Care is your ongoing duty of care in daily operations.
That means, in practical terms:
- You regularly install security updates.
- You limit admin rights to the bare minimum.
- You train your employees in safe IT practices.
- You test whether your backups actually work.
- You respond to incidents – before it’s too late.
In short:
- Due Diligence is the careful look before the decision.
- Due Care is the responsible action after the decision – every single day.
A strong IT security management system relies on a healthy balance between both principles.
What happens if you ignore both?
Without Due Diligence:
You acquire a company or implement new software without thoroughly checking. The result? You inherit outdated systems, security gaps, or GDPR compliance risks. You’re liable – because you should have known.
Without Due Care:
You do everything right at first, but then let it slide. Systems aren’t updated, training falls through, an employee clicks on a phishing link – and suddenly, customer data is gone. The GDPR doesn’t show mercy here.
Real-Life Example:
Marriott Hotels acquired Starwood. Due Diligence failed to uncover security issues. Later, it was discovered that millions of customer data were compromised over several years. The damage? Over 100 million euros, plus massive reputational loss.
What legal consequences are at stake?
If you neglect your duty of care – whether in Due Diligence or Due Care – it can lead to not just operational but also legal consequences:
- GDPR Violations: Fines of up to 20 million euros or 4% of global annual turnover – whichever is higher. Especially if it’s proven that risks were known but no action was taken.
- Liability of Management: In Germany, management can be held personally liable (§43 GmbHG, §93 AktG). If you act recklessly or grossly negligently – such as failing to conduct a security check – you may be liable with personal assets.
- Contractual Penalties and Compensation: If security failures cause harm to customers or partners, you risk claims for damages. Insurance companies can also refuse to pay if basic duty of care was violated.
- Labor Law Consequences: If incidents are caused by employees who weren’t adequately trained, there could be disputes or lawsuits over wrongful termination if there is no documented awareness campaign in place.
In short: Neglecting your duty of care isn’t just an IT risk – it’s a personal risk to you, and that can get expensive.
Due Diligence and Due Care in the Application of Security Processes in Companies
When it comes to security processes in a company, Due Diligence and Due Care play a particularly crucial role. Both principles are not just theoretical concepts but essential components of an effective IT and cybersecurity strategy. They help minimize risks, maintain customer trust, and meet legal obligations. But what does this really mean in the context of applying security processes? Let’s take a look.
Due Diligence: The Proactive Security Check
Due Diligence in this context refers to the thorough precautionary check. Before implementing security processes, you need to ensure that all relevant aspects of your company’s security have been considered. This is the first step in identifying potential security gaps and risks before they become a problem.
Here are some concrete examples of what Due Diligence includes when implementing security processes:
- Risk Management and Security Assessment
Before new security measures or processes are introduced, a comprehensive risk assessment must be conducted. What threats could jeopardize your company? Which data is especially sensitive? The answers to these questions help you choose the right security measures. - Selecting Suitable Security Solutions
Due Diligence means ensuring that the security solutions you choose actually fit your company’s needs. It’s not enough to just buy the latest technology – it needs to meet the specific requirements of your company. This also includes conducting regular security audits and checking existing systems for vulnerabilities. - Compliance Check
Security processes must always align with legal requirements such as the GDPR (General Data Protection Regulation) or other industry-specific regulations. Due Diligence involves ensuring that all compliance requirements are met before implementing security processes. - Third-Party Security Assessment
If you work with third-party vendors or use cloud services, Due Diligence also involves reviewing the security standards of those partners. This helps minimize potential risks from insecure third parties and ensures that your data is well-protected even outside of your own infrastructure.
Due Care: The Ongoing Duty of Care in Execution
Due Care refers to the continuous duty of care after the security processes have been implemented. You’ve made the right choices, but now it’s about maintaining these processes, monitoring them regularly, and keeping them up-to-date. Security processes aren’t a one-time job – they require ongoing attention and adjustment.
Here are some essential aspects of how Due Care looks in practice:
- Regular Security Updates and Patches
Security vulnerabilities in software are constantly being discovered. To protect your company, you must ensure that all systems are regularly updated with the latest security patches. This means establishing a process that automatically checks for these updates and implements them in a timely manner. - Monitoring and Incident Response
Due Care also includes the continuous monitoring of your IT systems. Cyberattacks or security incidents often occur when least expected. Ongoing monitoring helps detect threats early. It’s also important to have a clear incident response plan in place to react quickly and effectively in case of a breach. - Employee Training and Awareness
Your employees are often the weakest link in the security chain. An important aspect of Due Care is ensuring that all employees are regularly trained. They should not only know how to interact with IT systems securely but also recognize phishing attempts or other social engineering attacks. - Data Backup and Recovery Testing
Regular data backups are an important security measure. But what good is a backup if you can’t ensure that it will actually work in an emergency? Due Care requires that you regularly test your backups and ensure that data recovery works quickly and reliably in case of a disaster. - Continuous Risk Assessment
The threat landscape is constantly changing. What’s secure today might not be enough tomorrow. Due Care means regularly reviewing your risk assessment and making adjustments to security processes to counter new threats.
Why is This Important for Companies?
Applying Due Diligence and Due Care in security processes is not only about reducing risks, but also a strategic advantage for your company. When you consistently implement these principles, you can:
- Minimize costs from security incidents: Security gaps that aren’t detected early can lead to costly data breaches and reputational damage. By applying Due Diligence and Due Care, you can prevent many of these incidents.
- Avoid legal problems and penalties: Failing to meet security or data protection regulations can have serious legal consequences. By regularly conducting Due Diligence and Due Care, you ensure that you meet legal requirements and minimize risks.
- Maintain customer and partner trust: A company that can demonstrate it regularly reviews and maintains its security processes gains the trust of customers and partners. This is especially important when handling sensitive data.
Applying Due Diligence and Due Care in the security processes of a company is not a one-time task, but a continuous and ongoing process. Due Diligence ensures that you identify potential security gaps proactively and take appropriate measures, while Due Care ensures that these measures are maintained and adjusted regularly to safeguard your company’s security in the long term.
Without these two principles, you not only risk the security of your IT systems but also face legal and financial consequences. A good security management system is based on a balanced approach between Due Diligence and Due Care – for a secure and sustainable future for your company.
