Cyber security law, technology and insurance

A compliance breakfast has been organized on July 17th by Kudelski Security’s partner Hogan Lovells, at their Munich office. About 60 participants, primarily from the media, finance, technology and insurance industries joined the meeting.

The presentation track was split in three parts:

• Legal sessions led by Hogan Lovells
• Technology session led by Kudelski Security
• Cyber insurance session led by Willis GmbH & Co. KG

The legal perspective gave us a comprehensive overview of the US vs EU approach on cyber security law. The comparison covered preventive and reactive measures and obligations, as well as limits imposed by privacy constraints. Another legal session was focused on liabilities and responsibilities related to security breaches and cyber attacks. Possible class actions under various jurisdictions have been discussed as well.

The technical session covered the preventive, detective and reactive measures to cyber attacks – with a particular emphasis on the need for security awareness programs, and the need to plan for security breaches. There is – and will probably always be – a strong asymmetry between the attack opportunities and costs on one side, and the prevention and remediation efforts on the other side.

This asymmetry makes cyber security a case which is particularly indicated for cyber insurance, which was the subject of the 3rd track. A cyber insurance will help organizations transferring their risk exposure to privacy breaches, brand reputation damage and data leaks.

My key takeaway from this compliance breakfast is the following: while law, technology and insurance and maturing in the cyber security area, it is of utmost importance that they progress together and build strong links and partnerships. The industry has also strongly matured in awareness, as demonstrated by the attendance and participation in the various discussions during this event.

Technology is needed to mitigate legal and commercial exposure to breaches, as well as to help insurance companies in pre- and post-breach assessments. A legal framework is needed to set the playground of security services providers, and to define rules and obligations for companies.

Quoting Dwight D. Eisenhower : Planning is everything, the plan is nothing : your organization is responsible to plan for cyber attacks. Of course, things will never occur as planned, but you will be prepared for proper reaction. Preparation can only be effective with the appropriate legal, technical and organizational support.