INDEPTH FEATURE
CYBER SECURITY & RISK MANAGEMENT
2020
Published by
Financier Worldwide Ltd
First Floor, Building 3
Wall Island, Birmingham Road
Lichfield WS14 0QP
United Kingdom
Telephone: +44 (0)121 600 5910
Email: [email protected]
www.financierworldwide.com
Copyright © 2020 Financier Worldwide
All rights reserved.
No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers.
Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or
omissions, nor for any claims made as a result of such errors or omissions.
Views expressed by contributors are not necessarily those of the publisher.
Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice.
Opinions expressed herein do not necessarily represent the views of the author’s firm or clients or of any organisations of which the author is a member.
CYBER SECURITY & RISK MANAGEMENT
July 2020
INDEPTH FEATURE: Cyber Security & Risk Management 2020
Introduction

Given the increasing frequency of cyber attacks and the sophistication of cyber criminals, it is imperative that companies put measures in place to counteract bad actors. However, the cyber risk environment is becoming increasingly challenging for companies to navigate. The emergence of cloud computing, 5G, the internet of things (IoT) and other new technologies is increasing the threat vectors for many organisations.

2020 has of course been a remarkably challenging year for all companies due to the COVID-19 pandemic. The dramatic uptick in the number of people working from home, for example, has increased network vulnerabilities and tested corporate cyber security resources. In response, companies are adapting their incident response programmes and implementing new plans to address exposures.

Going forward, cyber security and risk management should remain near the top of the corporate agenda, particularly as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other similar laws around the world continue to place strict obligations on companies.

To overcome today’s challenges, cyber security and risk management need to be approached as a company-wide task, not merely a concern for the IT team and the chief information security officer.
CONTENTS

Financier Worldwide canvasses the opinions of leading professionals on current trends in cyber security & risk management.

UNITED STATES: Guidehouse ......................................................... 02
UNITED KINGDOM: Corix Partners ...................................................... 08
FRANCE: Gibson Dunn ........................................................ 13
BELGIUM: Tokio Marine HCC ................................................. 19
GERMANY: Tokio Marine HCC ................................................. 25
SPAIN: Aon .................................................................... 30
PORTUGAL: Morais Leitão, Galvão Teles, Soares da Silva & Associados .......................................................... 36
PORTUGAL
Morais Leitão, Galvão Teles, Soares da Silva & Associados

Respondent
DAVID SILVA RAMALHO
Senior Associate
Morais Leitão, Galvão Teles, Soares da Silva & Associados
[email protected]
+351 210 091 720

David Silva Ramalho is a member of Morais Leitão’s litigation and arbitration team. His practice is focused on criminal litigation and compliance, particularly in the economic and financial areas, as well as in information technology. He has significant experience in cyber crime, digital evidence, and criminal matters related to cryptocurrency, regularly representing clients and providing legal assistance in those areas. He is regularly invited to participate in conferences and postgraduate courses on matters related to cyber crime and digital evidence, having published several articles on those topics.
Q. In your opinion, what are the major cyber threats to which today’s companies are vulnerable? Could you comment on any recent, high-profile cyber attacks in Portugal?

A: The major cyber threat to most companies today lies in email. More specifically, in the use of employee email accounts. This is the gateway for most cyber attacks, ranging from unsophisticated and commonly seen ‘Nigerian prince’ scams, to the most sophisticated malware, phishing and ransomware attacks. The reason is simple: IT departments can more easily prevent risky behaviour by an employee than react to an outside attacker who is actively searching for human failure. The former is largely preventable by blocking access to certain websites, monitoring threats arising from unadvised web usage or imposing download restrictions on certain file types. The latter faces serious technical difficulties preventing certain emails from entering the company’s mailboxes and preventing users from opening them on any of their devices. In the past few years there have been a few high-profile cyber attacks in Portugal. The ones that received more widespread media coverage were carried out by a Portuguese hacker in the ‘Football Leaks’ case. Also, in April 2020, a high-profile ransomware case affecting Portugal’s largest energy company made headlines, with the attackers allegedly using Ragnar Locker to steal and subsequently encrypt a significant volume of data, then demanding a ransom of approximately €10m.
Q. To what extent have cyber security and data privacy regulations changed in Portugal? How is this affecting the way companies manage and maintain compliance?

A: With the entry into force of the General Data Protection Regulation (GDPR) and the national legislation that followed, many companies are now concerned about protecting personal data and implementing cyber security procedures within their organisations. In several cases, however, this preoccupation quickly faded and gave way to the creation of standard internal guidelines and data protection procedures without implementation of legal and technical solutions specifically designed for each organisation. Given the lack of general cyber security legislation or regulations, many small- and medium-sized companies have become prone to reduced investment in cyber security, except when necessary or after a cyber attack has occurred. Often, the policies that are implemented by small- and medium-sized companies are not only ineffective against cyber attacks and therefore inadequate to protect personal data, but also make it harder to investigate cyber attacks due to a tendency to combine the lack of adequate cyber security measures with a generalised fear of collecting and storing data, such as logs, IP addresses and ports, which leaves very few traces to investigate cyber offences.
Q. In your experience, what steps should companies take to avoid potential cyber breaches, either from external sources such as hackers or internal sources such as rogue employees?

A: The solution lies in finding the right balance between the legal and technical sides of cyber security. While the legal side should focus on complying with labour and data protection legislation, the cyber security side should focus on implementing technical measures that mitigate cyber risk and assist evidentiary tracing of possible attacks. It is always important to protect the company against external cyber breaches with measures that include intrusion detection, tailor-made email filtering and regular vulnerability assessments conducted by independent entities. But companies should not neglect the fact that many cyber breaches come from within organisations.
Q. How should firms respond immediately after falling victim to cyber crime, to demonstrate that they have done the right thing in the event of a cyber breach or data loss?

A: The first response should be to make sure that the attack has been contained. Afterward, the company should assess the level of damage suffered and if any sensitive personal data has been compromised. The first assessment should be made by independent legal and technical specialists, working closely with the company’s IT department. It is the purpose of this analysis to identify how the attack has happened, to collect evidence in a forensically sound manner and to analyse the terms in which a legal response should be pursued. The response will vary depending on the outcome of the legal and technical specialists’ analysis.
Q. Do companies usually pursue legal action against cyber criminals? When they do, how successful have these investigations been in the past few years?

A: Companies do not usually pursue legal action following less serious cyber crimes because they assume that it is very difficult to identify the perpetrator. However, in the past few years, criminal investigations have been progressively more successful. The reason is mainly that the people in charge of investigating cyber offences are specifically trained for these types of investigations and are no longer merely adapting real world investigative techniques into a digital environment. Public prosecutors and police officers are becoming more knowledgeable about cyber crime, are benefitting from international exchanges of information and experiences, and are more prepared to identify the sources of evidence and to collect the relevant information in an expedited manner.
Q. In what ways can risk transfer and insurance help companies and their D&Os to deal with cyber risk, potential losses and related liabilities?

A: Companies are more aware of the importance of taking different actions to mitigate cyber risks, mainly due to the spike in cyber threats and data protection laws. Cyber insurance is gaining traction as a viable mitigation tool and its market is becoming better prepared to match the increase in demand for products that include cyber risk coverage. As the market currently stands, such protection may be found in traditional commercial insurance or by taking out a standalone insurance policy or via endorsement to an existing insurance policy. The latter are usually the safest options as traditional commercial policies often exclude cyber risks or include wording that casts doubt on such protections. Cyber risk protection may include first-party coverage, such as cover for direct losses arising from a breach or business interruption, third-party claims, such as liability arising out of data breach claims or harm to third-party systems, or defence costs and regulatory fines. For more holistic solutions, some insurers have also engaged in partnerships with cyber security technology companies to offer comprehensive solutions that bundle risk coverage with cyber security assistance. Whether insurance is an effective measure to mitigate cyber risks needs to be assessed by companies on a case-by-case basis and will depend heavily on the degree of the cyber risk exposure in question. In any event, companies should not expect to rely solely on insurance to manage cyber risks and fail to implement adequate cyber security defences.
Q. What are your predictions for cyber crime and data security in Portugal over the coming years?

A: If there is anything that we have learned from predicting the future of cyber crime, it is that such predictions are usually wrong. Taking this into consideration, if I were to risk any predictions, I would say that the more serious offences will continue to be ransomware, hacking through vulnerability exploitation and phishing, with the intent to steal money, information or intellectual property. I believe that the more serious changes will not be felt on the criminal side, but instead on the investigative side, precisely due to the increase in data security. The advent of secure communication apps, increased access to the ‘dark web’ and online illegal markets and the rise of new ways to launder proceeds from crimes, particularly with digital currencies, will seriously hamper investigations.
www.mlgts.pt

MORAIS LEITÃO is recognised for its work culture and for the opportunities it provides for its clients. In such a dynamic market, its position is distinguished by combining the best traditional advocacy with the latest technology. The development of its clients’ businesses is always on its mind. The firm, although independent, is privileged to work in partnership with multiple sectors and jurisdictions. The firm is proud of its long and continuous growth, and is always present in operations and complex challenges.

DAVID SILVA RAMALHO
Senior Associate
[email protected]
+351 210 091 720