"If you haven't suffered a cyberattack yet, you will." Ruth Zapata, specialist in cyber risks at Jori
The National Cybersecurity Institute (Incibe) points out that in Spain 53% of companies have acknowledged being victims of a cybercrime that has affected their activity to some extent, with costs that can reach up to 10% of their annual budget. Others are also harmed without being aware of or without acknowledging apparent damage or simply hide it for reputational reasons. All the experts in the sector recognize that the rescue of data after a malicious software infection in corporate IT platforms and systems exists, something that the affected companies cannot recognize and usually do not report.
Faced with digitization accelerated by the pandemic in which the so-called market lemons effect prevailed, in which the customer does not have the ability to choose the best product and is left with the cheapest, cybercriminals have experienced their particular August, as Daniel recalled Hernández, director of Cyber Risk Advisory of Deloitte in the magazine that the Institute of Spanish Actuaries dedicated to the subject.
By dint of sticks, in just two years companies have become aware of the risk and protocols and training in cybersecurity, the hiring of specialized services or personnel and the subscription of these cyber policies are already common in both large companies and SMEs, a common practice in that they are service providers through some computer platform. "And what companies do not make transfers?", Zapata insists, appealing to a common cyber scam: the notification of a change of account number through a false certificate.
“The best thing is to have both a cybersecurity specialist, internal or external, as well as specific insurance, which is something very common in other areas. In addition to covering ourselves in the event of an incident, it is one more security measure within the risk analysis,” says Marcos Gómez, deputy director of Incide Services. “Cyber risk insurance can play an important role in quickly recovering from a security incident, but it does not replace the proactive security measures that must be implemented in the company, it is a complement”, adds Josep Albors, director of research and awareness at ESET Spain, leading firm in cybersecurity.
What should these cyber policies cover? Basically the costs to manage a cybercrime and its consequences and, where appropriate, the expenses of media crisis management in the event that the incident transcends. In addition to civil liability against third parties, claims from those affected by a data breach or for damages suffered as a result of a breach in security, in addition to a possible administrative sanction. With the exception that if a cybercrime exposes third-party data, the law requires publicity.
