The session started with a presentation from the inspector Antonio López Melgarejo, Head of Unit of the Logical Security Section of the Technological Investigation Department of the National Police, who discussed the different types of cyber attacks that have been affecting companies of various sectors and sizes. López underlined the importance of companies being aware of current and future cybersecurity challenges and strongly encouraged the reporting of any cyber attacks.
Anthony J. Ferrante, Senior Managing Director and Head of the Cybersecurity practice at FTI Consulting, was next to speak. Drawing on his extensive experience with the security elite including the FBI and the White House, Ferrante spoke of the importance of the human factor in the prevention of cyber attacks and the high percentage of vulnerabilities which are caused by actions born of ignorance or a lack of awareness of the risks. He also explained that although the types of attacks have not changed substantially, the effects have multiplied due to the increasing global and interconnected nature of information. This calls for an effective prevention plan to minimise these detrimental effects, especially for a company’s most important assets.
The second part of the session offered attendees a legal approach to cybersecurity and focused on the challenges the subject poses both from a criminal and insurance law perspective.
Ana Martín Martín de la Escalera, a Prosecutor specialised in Cybercrime, reviewed in detail the changes to the Criminal Code in July 2015 that are intended to enable the prosecution of cybercrime. Martín mentioned the importance of the recent criminalisation of certain behaviour which allows investigations to be launched when the security of information systems –which is recognised as an independent legal right– or the internet of things is compromised, and emphasised the difficulty of regulating something as transnational and dynamic as cybercrime.
Juan Palomino, Senior Associate in Pérez-Llorca’s White Collar Crime and Investigations area and head of the firm’s cybercrime practice, then discussed the need for companies to have crisis management protocols for cyber attacks, emphasising that in this type of situation improvisation is very ill-advised. Palomino also analysed the guidelines that these protocols must meet in order to offer a quick and effective response to the crisis.
After this presentation, Javier Ybarra and Sara Muñoz, Director of Financial and Professional Lines and Head of the Cyber Department at Marsh respectively, outlined the different insurance solutions to cyber risks. Ybarra and Muñoz discussed the diverse risks resulting from cyber incidents and the expansive nature of its effects, the main risks covered by a cyber policy and the steps for taking out this type of product.
Laura Ruiz, Senior Associate of the Litigation and Arbitration practice at Pérez-Llorca, concluded the session with a brief history of the judgments in this area. Litigation related to these types of policies has arisen first in the United States, but will soon start in Spain. The first US judgments have been more reluctant to accept these incidents being covered, especially under general liability insurance policies. Thus it is desirable to take out specific cyber policies and analyse them carefully from a legal perspective to make sure that they cover the losses that need to be covered.