INDEPTH FEATURE CYBER SECURITY & RISK MANAGEMENT 2020


Published by

Financier Worldwide Ltd

First Floor, Building 3

Wall Island, Birmingham Road

Lichfield WS14 0QP

United Kingdom

Telephone: +44 (0)121 600 5910

Email: [email protected]

www.financierworldwide.com

Copyright © 2020 Financier Worldwide

All rights reserved.

No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers.

Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or

omissions, nor for any claims made as a result of such errors or omissions.

Views expressed by contributors are not necessarily those of the publisher.

Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice.

Opinions expressed herein do not necessarily represent the views of the author’s firm or clients or of any organisations of which the author is a member.

CYBER SECURITY & RISK MANAGEMENT

July 2020


Introduction

Given the increasing frequency of cyber attacks and the sophistication of cyber criminals, it is imperative that companies put measures in place to counteract bad actors. However, the cyber risk environment is becoming increasingly challenging for companies to navigate. The emergence of cloud computing, 5G, the internet of things (IoT) and other new technologies is increasing the threat vectors for many organisations.

2020 has of course been a remarkably challenging year for all companies due to the COVID-19 pandemic. The dramatic uptick in the number of people working from home, for example, has increased network vulnerabilities and tested corporate cyber security resources. In response, companies are adapting their incident response programmes and implementing new plans to address exposures.

Going forward, cyber security and risk management should remain near the top of the corporate agenda, particularly as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other similar laws around the world continue to place strict obligations on companies.

To overcome today’s challenges, cyber security and risk management needs to be approached as a company-wide task, not merely a concern for the IT team and the chief information security officer.

CONTENTS

Financier Worldwide canvasses the opinions of leading professionals on current trends in cyber security & risk management.

UNITED STATES: Guidehouse ........................................ 02
UNITED KINGDOM: Corix Partners .................................. 08
FRANCE: Gibson Dunn ............................................. 13
BELGIUM: Tokio Marine HCC ....................................... 19
GERMANY: Tokio Marine HCC ....................................... 25
SPAIN: Aon ...................................................... 30
PORTUGAL: Morais Leitão, Galvão Teles, Soares da Silva & Associados ..... 36

PORTUGAL

Morais Leitão, Galvão Teles, Soares da Silva & Associados

Respondent

DAVID SILVA RAMALHO
Senior Associate
Morais Leitão, Galvão Teles, Soares da Silva & Associados
[email protected]
+351 210 091 720

David Silva Ramalho is a member of Morais Leitão’s litigation and arbitration team. His practice is focused on criminal litigation and compliance, particularly in the economic and financial areas, as well as in information technology. He has significant experience in cyber crime, digital evidence, and criminal matters related to cryptocurrency, regularly representing clients and providing legal assistance in those areas. He is regularly invited to participate in conferences and postgraduate courses on matters related to cyber crime and digital evidence, having published several articles on those topics.


Q. In your opinion, what are the major cyber threats to which today’s companies are vulnerable? Could you comment on any recent, high profile cyber attacks in Portugal?

A: The major cyber threat to most companies today lies in email. More specifically, in the use of employee email accounts. This is the gateway for most cyber attacks, ranging from unsophisticated and commonly seen ‘Nigerian prince’ scams, to the most sophisticated malware, phishing and ransomware attacks. The reason is simple: IT departments can more easily prevent risky behaviour by an employee than react to an outside attacker who is actively searching for human failure. The former is largely preventable by blocking access to certain websites, monitoring threats arising from unadvised web usage or imposing download restrictions on certain file types. The latter faces serious technical difficulties preventing certain emails from entering the company’s mailboxes and preventing users from opening them on any of their devices. In the past few years there have been a few high-profile cyber attacks in Portugal. The ones that received more widespread media coverage were carried out by a Portuguese hacker in the ‘Football Leaks’ case. Also, in April 2020, a high-profile ransomware case affecting Portugal’s largest energy company made headlines, with the attackers allegedly using Ragnar Locker to steal and subsequently encrypt a significant volume of data, then demanding a ransom of approximately €10m.

Q. To what extent have cyber security and data privacy regulations changed in Portugal? How is this affecting the way companies manage and maintain compliance?

A: With the entry into force of the General Data Protection Regulation (GDPR) and the national legislation that followed, many companies are now concerned about protecting personal data and implementing cyber security procedures within their organisations. In several cases, however, this preoccupation quickly faded and gave way to the creation of standard internal guidelines and data protection procedures without implementation of legal and technical solutions specifically designed for each organisation. Given the lack of general cyber security legislation or regulations, many small- and medium-sized companies have become prone to reduced investment in cyber security, except when necessary or after a cyber attack has occurred. Often, the policies that are implemented by small- and medium-sized companies are not only ineffective against cyber attacks and therefore inadequate to protect personal data, but also make it harder to investigate cyber attacks due to a tendency to combine the lack of adequate cyber-security measures with a generalised fear of collecting and storing data, such as logs, IP addresses and ports, which leaves very few traces to investigate cyber offences.

Q. In your experience, what steps should companies take to avoid potential cyber breaches – either from external sources such as hackers or internal sources such as rogue employees?

A: The solution lies in finding the right balance between the legal and technical sides of cyber security. While the legal side should focus on complying with labour and data protection legislation, the cyber security side should focus on implementing technical measures that mitigate cyber risk and assist evidentiary tracing of possible attacks. It is always important to protect the company against external cyber breaches with measures that include intrusion detection, tailor-made email filtering and regular vulnerability assessments conducted by independent entities. But companies should not neglect the fact that many cyber breaches come from within organisations.

Q. How should firms respond immediately after falling victim to cyber crime, to demonstrate that they have done the right thing in the event of a cyber breach or data loss?

A: The first response should be to make sure that the attack has been contained. Afterward, the company should assess the level of damage suffered and if any sensitive personal data has been compromised. The first assessment should be made by independent legal and technical specialists, working closely with the company’s IT department. It is the purpose of this analysis to identify how the attack has happened, to collect evidence in a forensically sound manner and to analyse the terms in which a legal response should be pursued. The response will vary depending on the outcome of the legal and technical specialists’ analysis.

Q. Do companies usually pursue legal action against cyber criminals? When they do, how successful have these investigations been in the past few years?

A: Companies do not usually pursue legal action following less serious cyber crimes because they assume that it is very difficult to identify the perpetrator. However, in the past few years, criminal investigations have been progressively more successful. The reason is mainly that the people in charge of investigating cyber offences are specifically trained for these types of investigations and are no longer merely adapting real world investigative techniques into a digital environment. Public prosecutors and police officers are becoming more knowledgeable about cyber crime, are benefitting from international exchanges of information and experiences, and are more prepared to identify the sources of evidence and to collect the relevant information in an expedited manner.

Q. In what ways can risk transfer and insurance help companies and their D&Os to deal with cyber risk, potential losses and related liabilities?

A: Companies are more aware of the importance of taking different actions to mitigate cyber risks, mainly due to the spike in cyber threats and data protection laws. Cyber insurance is gaining traction as a viable mitigation tool and its market is becoming better prepared to match the increase in demand for products that include cyber risk coverage. As the market currently stands, such protection may be found in traditional commercial insurance or by taking out a standalone insurance policy or via endorsement to an existing insurance policy. The latter are usually the safest options as traditional commercial policies often exclude cyber risks or include wording that casts doubt on such protections. Cyber risk protection may include first-party coverage, such as cover for direct losses arising from a breach or business interruption, third-party claims, such as liability arising out of data breach claims or harm to third-party systems, or defence costs and regulatory fines. For more holistic solutions, some insurers have also engaged in partnerships with cyber security technology companies to offer comprehensive solutions that bundle risk coverage with cyber security assistance. Whether insurance is an effective measure to mitigate cyber risks needs to be assessed by companies on a case-by-case basis and will depend heavily on the degree of the cyber risk exposure in question. In any event, companies should not expect to rely solely on insurance to manage cyber risks and fail to implement adequate cyber security defences.

Q. What are your predictions for cyber crime and data security in Portugal over the coming years?

A: If there is anything that we have learned from predicting the future of cyber crime, it is that such predictions are usually wrong. Taking this into consideration, if I were to risk any predictions, I would say that the more serious offences will continue to be ransomware, hacking through vulnerability exploitation and phishing, with the intent to steal money, information or intellectual property. I believe that the more serious changes will not be felt on the criminal side, but instead on the investigative side, precisely due to the increase in data security. The advent of secure communication apps, increased access to the ‘dark web’ and online illegal markets and the rise of new ways to launder proceeds from crimes, particularly with digital currencies, will seriously hamper investigations.

www.mlgts.pt

MORAIS LEITÃO is recognised for its work culture and for the opportunities it provides for its clients. In such a dynamic market, its position is distinguished by combining the best traditional advocacy with the latest technology. The development of its clients’ businesses is always on its mind. The firm, although independent, is privileged to work in partnership with multiple sectors and jurisdictions. The firm is proud of its long and continuous growth, and is always present in operations and complex challenges.

DAVID SILVA RAMALHO
Senior Associate
[email protected]
+351 210 091 720
