Clifford Chance

Key factors that led to the investigation closing without a fine were the diligent and efficient crisis management and the swift notice to relevant regulators and third parties.

The Spanish Data Protection Agency has concluded its investigation into the cyber attack last August on the Spanish insurance and reinsurance multinational MAPFRE.

The investigation was opened following a formal notice from MAPFRE's data protection officer on 16 August regarding a ransomware attack against its computer systems. It was conducted under GDPR provisions and exclusively on the grounds of the reported data breach. This does not, in principle, preclude an independent investigation being opened in parallel by the authorities responsible for cybersecurity issues, but this did not occur in this case.

The cyber attack originated from a security breach when an external worker accessed MAPFRE's systems remotely. No personal data was stolen in the attack, but it did slow down the systems, according to the company. It is believed that this cyber attack was part of a greater plan to hack MAPFRE's systems.

After analysing all the details of how the cyber incident occurred and the response in terms of crisis management, the Spanish Data Protection Agency decided that there were no legal grounds to impose any sanctions on MAPFRE.

The key factors that the Spanish Data Protection Agency took into consideration in closing the investigation without any consequences for MAPFRE were the following:

• MAPFRE had implemented, prior to the data breach, "reasonable technical and organisational measures to prevent this type of incident", which led to the swift detection, analysis and classification of the security breach.
  
  Specifically, prior to the incident MAPFRE re-assessed remote working–related risks and designed an audit plan;
  
  
• the cyber attack had a very limited impact as the only data compromised was basic data (user IDs and passwords for accessing MAPFRE's information systems) with no effect outside MAPFRE's systems;
• the impact in terms of the volume of data compromised was almost non-existent, since the exfiltration (data extraction) attempts were detected and prevented in a timely manner;
• MAPFRE's response to the incident was effective and diligent, particularly in its prompt notice to the Spanish Cybersecurity Institute (INCIBE), the Spanish Cryptological Center (CCN-CERT), the police and the Spanish Data Protection Agency;
• MAPFRE made the cyber attack public promptly and acted in a transparent manner, disclosing it to the security teams of its major business partners, which allowed clients, employees, external workers and suppliers to act accordingly and minimise the impact. Consequently, no complaints by third parties had been filed before the Spanish Data Protection Agency; and
• Following the incident, measures were taken to strengthen cybersecurity control levels, not only in Spain but in other jurisdictions as well.

In terms of lessons learned, MAPFRE's case provides useful guidelines as to what the Spanish Data Protection Agency considers factors in not imposing sanctions in the event of cyber incidents.

Key takeaways from this case include the importance of having robust cybersecurity policies and protocols, crisis committees and business continuity plans, together with a swift response in making the cyber attack public, which in this case enabled clients, employees, workers and suppliers to act effectively, thereby minimising the impact. And last but not least, it demonstrated the importance of reviewing and strengthening existing cybersecurity policies and procedures.