So I'm coming more from a legal point of view. And as you just said, I would like to talk with you about incident response management, sort of a checklist for the first steps in case of a cyber attack.
As I said, especially from a legal standpoint, not so much from a technical standpoint. I have some technical aspects as well, but I come from a legal perspective. So I think, as all of you know, the number of ransomware attacks, and cyber attacks in general, has risen quite a bit within the last one or two years. And as a law firm, we always come in when it's very late.
And we see different kinds of attacks. I just listed some of them, and we are seeing a rise, especially regarding ransomware attacks. So we had some cases with the typical scenario that some Trojans or some ransomware came into the systems of our clients. Everything was blocked. And they were sort of blackmailed, so they were asked to pay something so they would get their data back.
And I think that's really a severe problem, because in all of the cases we had, there was no chance to go on with the work, with the services the companies offered. So there were really severe problems, and it took quite a while to, yeah, get that data back.
So what's the risk, especially of these kinds of ransomware attacks? Obviously, the dependence on IT gets greater every day. And as we know, there's a big problem if you can't get at your data: it's not only that you can't work anymore, but reputational damage is also quite likely. And from my point of view, we have a lot to do with the GDPR, the General Data Protection Regulation, which also has some specific regulations regarding cybersecurity and as well for cases of ransomware attacks.
So as we already discussed yesterday a little bit, there are some steps which you should take beforehand, in the best case to prevent any kind of ransomware attack. And from our experience, these kinds of steps also help during any kind of ransomware attack.
So, first of all, of course, you should establish basic IT security, in the best case to prevent any kind of ransomware attack or at least to mitigate the risks of a ransomware attack. Secondly, of course, you should be prepared for any kind of ransomware or any other cyber attack. So you should know who to get together, what to communicate and who you, yeah, get to help you.
So usually, from our experience, you need a really fast reaction. So you need a plan to really move on very fast. And as I said, there are also some legal requirements, especially about reporting. So in the last case we had, everything was hacked, and it was very likely that the attackers could get hold of any of the data of the client, which was client data and employee data. And then the GDPR also came in.
So to start off with the legal obligations, the GDPR tells you to do so; it's not only a question of your own interest to protect your systems. You also have a legal obligation to protect the systems. And in case you don't, yeah, comply with these obligations, there's a high risk also of damage claims by your clients or third parties, and also penalties from the data protection authority. So we have Article 32 of the GDPR, which says that you, as a company, have to have an appropriate level of IT security.
So "appropriate" is always a difficult question which sometimes gets asked to us as lawyers: what does appropriate mean? That's not so much an abstract question. It all depends on what kind of data you have, what kind of system you have, what's the state of the art, what's the cost of implementation. And according to the law, it also depends on the nature, scope, context and purposes of your data processing. So there's no abstract answer to the question of what level of IT security you have to achieve.
It's always a question of how to look at the data and to decide in specific cases. We had some cases where it was about health data. So it was a big company with a lot of health data. Obviously, the level of IT security you have to achieve is much higher than in some other fields. So for IT security you can get down to specific measures also in the GDPR; they, yeah, depend on technical and organizational measures. So you have to look at what the system is. You have to take technical steps.
That's where it usually ends for the lawyer and where the work of the IT department starts. So obviously you have to take technical measures, first of all, to prevent any kind of ransomware attack, and also to act in any kind of ransomware attack, either by having backups or by dividing your data. So there are different possibilities to protect your company.
So, first of all, you need technical measures to prevent any kind of cyber attack. As I said, that's more of a technical question and depends on the system you have, but you're also obliged to take organizational measures. So you have to be prepared for any kind of cyber attack or ransomware attack; it's even a legal obligation to know how to react in cases of a ransomware attack. So usually we try to implement IT security policies with our clients.
IT security policies do not only cover prevention beforehand, but also let people know how to react in any kind of cyber attack. So those are organizational matters. And as I said, in the case of a ransomware attack, it is very likely that you also have reporting obligations as a company. And that should also be in your incident response plan: to really check what your reporting requirements are, so you can act really fast.
So to get a bit more into these kinds of reporting or notification obligations, it's especially Articles 33 and 34 of the GDPR: whenever any kind of personal data might be hacked, or anybody outside your company might have gained access to any kind of personal data, it is very likely that you have an obligation to notify either the supervisory authorities or even the data subjects which are, yeah, affected by this.
So, as I said, we have Article 33, which says when there's a specific risk to the data subjects, you have to at least inform the authorities within the European Union. And if you don't do so, there's a high risk of a penalty, which goes up to 10 million euros. So that's quite a serious matter, because you only have 72 hours to inform the authorities. So that should always be in your incident response plan: to check if you have any kind of notification obligation and, obviously, to comply with the notification obligation.
As I said, in most of the ransomware attack cases we had, there was an obligation to at least inform the authority, which was not too severe. In some cases, the authorities were even able to help and to support the company.
The other obligation you might have is Article 34, which tells you that you have to inform the data subjects, meaning if any kind of customer data is attacked, or if somebody outside has access to your customer data or employee data, you have to inform your customers and your employees, which is quite a severe matter, because it's a question of how to inform them, what to tell them, to give them a good feeling about how you're handling it. So it's always a question of a communication policy as well: how to inform your customers and employees if you're obliged to do so.
Usually the companies we have advised of course try to avoid this kind of notification, but if the prerequisites of Article 34 GDPR are fulfilled, then of course you have the obligation, otherwise you risk a penalty. So, as I said, you have to be really fast, especially regarding these data protection obligations: you have to act within 72 hours after gaining knowledge of such an incident. Yeah. Clients usually ask us what that actually means: when do we really have knowledge? Do we have time, first of all, to inform ourselves about what has happened?
The authorities are very strict on that: as soon as you might know that one of these prerequisites which we just had, so either Article 33 or 34, might be fulfilled, as I said, you have 72 hours to inform the authority or the data subjects. And we had some cases already in Germany where this kind of, yeah, notification or reporting was too late. And the authorities are really thinking about penalties, luckily not up to 10 million euros, but they're very strict on these deadlines.
So make sure that you're able to react within the time and fulfill these requirements, at least when you have to comply with the GDPR. So, as I said, it's important. There are quite some measures you have to take, so whenever you have a ransomware attack, you don't really have time to make up your mind then. So it's good to be prepared beforehand. So that's what we always see at the moment.
And even more companies are realizing that it's important to be really prepared, to really have an incident response plan, to know what happens in such an incident. So you should know who to inform, you should know how to get together, to act really fast, and what decisions to take first. And from our experience, it's very important that you have different experts with you. So obviously you need a technical expert, you need a legal expert, you need somebody from the management to take decisions.
So you have to get the people together really fast to decide what to do next. So, as I said, it's important to be really prepared. So what do I mean by preparation for an emergency? First of all, you should put all this together, what we just said before: you need an assessment of the potential risks you might have, you should take the technical and organizational measures before you really need them.
So, first of all, you have to prepare to prevent such an incident, but also have an idea of where and how to react in case of an incident. So you need an incident response plan. As I told you yesterday already, we had some discussions, and even a court case at the moment, regarding insurance. I think it's an important thing to really have an insurance, a cyber security insurance, but from our experience, most of the insurances, or some of the insurances you can get on the market, don't really fulfill the needs.
As I said, at the moment, for one client who had a really severe ransomware attack: they had a cybersecurity insurance and they thought that it might pay them the damage they had, but the insurance company at the moment refuses to pay anything because they say the systems weren't safe enough. When they took the insurance, there were some pre-checks. And at the moment, the insurance company tries to get out of their responsibility.
First of all, by saying that they didn't get proper information in the beginning regarding the IT system. And secondly, they try to put the fault on the company itself. So be sure that you have good insurance and be sure to really be prepared in case of a ransomware attack, so that you have all the information ready to really get the damage paid by the insurance company. And finally, of course, you need sufficient training of your employees who might be involved.
As I said, you really should identify and analyze your specific risks. I think the problem is that there's no one solution for everybody; as we said, it always depends on which data you have, on which system you have. And so it's really problematic to have a one-size-fits-all approach. It's really important to take your own approach. And then you should really take the necessary steps. First of all, you have these legal obligations. You might have these reporting obligations.
In the last cases we have advised on, we have also made the company go to the police and file a criminal complaint. Although it is very unlikely that you will ever get to know who attacked you, they might sit somewhere in a foreign country, it's still important, also for your communication policy, to make a criminal complaint and really get them to the police.
And finally, you have these technical measures. Of course, depending on the kind of attack you had, you might think about containment, mitigation, recovery of the data and of the systems you already have. As I said, that's merely a technical question. It's just important to really be prepared, to know your systems, to have your backups, to be able to recover all your data and your systems very fast. In most of the cases we had, exactly there was a problem.
The companies were not really able to have proper backups, and they were not able to recover all the data which was attacked by the ransomware attack. So I think it's a good idea to really be prepared and know what to do when you have any kind of ransomware attack. So finally I would like, yeah, to point your interest to a cybersecurity video we have; unfortunately it is in German. And I don't know if you get the presentation, but a colleague of mine who's much more into technical details and I made a video.
If somebody is interested, just send me an email and I'll send you a link. You can also, of course, have the presentation if you want, just to figure out what we advise in addition to the things I said already. So that's merely what I wanted to tell you. As I said, it's not only technical questions, and it's not only a question of data. You also have legal obligations, and a lot of companies, I think, underestimate the legal obligations you have. I think in the near future, we will see even more ransomware attacks.
And it is very likely to me that some ransomware attacks might even harm your clients. We had some cases where it was very likely that client data of our clients, so customer data, might be published on the internet, trade secrets and stuff. And I think that's really dangerous to companies. So you should always be prepared to, yeah, protect the data you have, to protect the data of your clients and the information of your clients.
So that's the presentation I would like to give you. Obviously, if you have any questions, I'm open to questions now.