Cybersecurity used to appear rarely in companies' annual reports. Today, what is strange and worrying is when there are no references to the subject, as a way of giving transparency to a growing risk that affects any company and demands continuous vigilance. The practice is beginning to take hold among large Spanish corporations, which have decided to address this threat as a matter of course in their annual reports.
Last Tuesday, CincoDías reported that Telefónica has shielded itself against hackers with cyber-risk insurance for 405 million (a fact revealed for the first time in its annual financial report); other Ibex 35 companies have also contracted similar policies. Iberdrola, for example, reveals that it has had specific insurance protection for these types of threats since 2017 "in the terms that the insurance market allows", which it reviews "periodically" given the rapid evolution and wide variety of these cyber risks.
The insurance covers the group in the different countries where it operates. "The program is contracted in layers with leading international insurance groups and has the participation of Iberdrola Re, reinsurer of the group", clarifies the power company, for which cybersecurity constitutes, in any case, a final layer to reduce the possible financial impact.
"For our Board of Directors, cybersecurity is a key business risk. For this reason, we made multimillion-dollar investments in this area, especially aimed at reinforcing early detection and response to incidents to minimize any impact", highlights Iberdrola. The company admits that in 2018 it detected and managed to block hundreds of events and attempted attacks, although it claims that it did not record any significant incident that resulted in a financial or reputational loss. In its annual report, it does quantify that it has had 364 "substantiated" claims for breach of privacy or leakage of customer data (most in the United Kingdom and a few in Spain).
CaixaBank, Indra, Repsol, Santander, Amadeus and Bankia also have cyber-risk insurance contracts, and Ferrovial says that it is "evaluating" it. "We have insurance for specific digital projects, but not general ones like those of Telefónica, although we are analyzing it. There is not yet a decision made, since in general we do not have digital services to the end customer", company sources say.
Bankia and CaixaBank do specify that they have contracted their cyber insurance with AIG. The entity chaired by José Ignacio Goirigolzarri states that, where appropriate, the most relevant coverage includes liability for privacy decisions in the event of possible violations of personal data or corporate information, and liability for security failures in the systems. It also includes coverage related to regulatory proceedings and sanctions in the protection of personal data, as well as other coverage for loss of profits due to interruption of the systems or to reputational damage. "In addition, it includes coverage on extortion to networks and systems and crisis expenses that may arise from an incident."
CaixaBank runs simulated phishing against its employees every month to train them to identify fraudulent emails
IAG acknowledges in its annual report that in 2018 cybersecurity became very important for the group after the theft of customer data suffered by British Airways in September of that year. Its CEO, Willie Walsh, admits the need to be prepared for these new threats and to respond to them "minute by minute, every day." The executive points out that they work with "frontline experts" and that, when necessary, they can contact them to request additional help.
The companies declare that cybersecurity has become a permanent challenge that they take very seriously. IAG has a Cybersecurity Office; Acciona and Iberdrola have specific committees, which promote and supervise the deployment of the strategic plan and the cybersecurity regulations throughout the organization; and BBVA has a center for prevention, alert and response to cyber threats in order to be "permanently updated" in the face of potential attacks. In addition, the bank's Technology and Cybersecurity Commission reports to the board and reviews the evaluation, control and management systems for cyber risks, including response and recovery plans in the face of possible cyber-attacks.
Bankia, for its part, has created a Corporate Innovation and Cybersecurity Directorate. Its cybersecurity committee approved in the last quarter of 2018 a new Strategic Security Plan 2019-2021 that aims to turn cybersecurity into a fundamental pillar to gain the trust of customers. To undertake this plan, Bankia has expanded its budget for the cybersecurity area by 33% and has reinforced its technical and management team (which has grown by almost 24%), with the incorporation of specialized profiles.
In 2018, almost 1,500 Bankia professionals received training in cybersecurity. At CaixaBank, too, 27,646 employees have taken training courses on this issue (among other things, it runs phishing simulations each month to train its workers to identify fraudulent emails). Employee awareness is seen as essential. For this reason, Repsol makes online cybersecurity courses mandatory for all its staff, and Banco Santander has also launched measures to improve the training of its professionals in the face of cyber risks.
Beyond training, the entity chaired by Ana Botín points out that it has continued to evolve its cybersecurity regulations with the definition of policies aligned with international best practices. It also says that it continues to invest in systems and platforms that help it improve in this area. "The group is embarking on an ambitious program to transform cybersecurity in order to strengthen detection, response and protection mechanisms," it says. In July 2018, the entity's executive risk committee approved a new version of the cyber supervision and control model, incorporating technological risk within its scope. Santander has included cyber risk among its most relevant risk factors, a list that also includes money laundering and regulatory compliance.
CaixaBank has a computer emergency response team (CERT) made up of trained specialists prepared 24 hours a day to prevent, detect and act against any cyber-threat. The entity also claims that it is a co-founder of APWG.eu, one of the main international alliances in the field of cybersecurity.
For its part, Ferrovial, which admits in its annual report that its infrastructures are exposed to cyber attacks that "may even lead to the shutdown of its operation", explains that it has integrated the concept of security from the design phase to protect its assets from these cyber attacks. "It is an issue to which we attach great importance, which is why we have developed a formal management model with controls at different levels, and we have turned this field into one of the axes of our strategic innovation plan," the company explains.
IAG also highlights that it has an enhanced security operations center that operates without interruption, and says that its management committee regularly reviews cyber risk. In 2018, the company launched a program related to the new European regulation on data protection and implemented the directive on the security of networks and information systems.
Indra. The Spanish technology company continuously reinforces its protection systems against cyber threats as a shield for itself and for its clients. Indra has an information security management system certified under ISO 27001 and a code of conduct that covers access to confidential data. In 2018, the firm carried out an intensive global training plan on information security, and it has a Privacy and Data Protection Office. Indra has a Cybersecurity business unit integrated in Minsait and, therefore, numerous specialists in the field distributed across three global security operations centers located in Spain, Mexico and Colombia.
Amadeus. The technology provider for the tourism industry has a team dedicated to information security, as well as internal bodies in charge of monitoring, preventing and detecting possible problems linked to cybersecurity. The Spanish firm says that "it gives the highest priority to the security of the systems and customer data."
Sacyr. The construction company is renewing its solutions to mitigate cybersecurity risks, both at the infrastructure level and in the workplace. Its ICT budget for the security area has increased by 75% this year compared to 2018, although it does not specify the figure.