Cybersecurity is no longer just a technological challenge: today it is above all a legal imperative and a priority in any organization’s risk management.
Increasingly frequent and sophisticated cyber-attacks require organizations to be prepared, either by adopting the organizational measures needed to prevent them from occurring, or by preparing reaction plans, both legal and technological, that can be activated quickly and effectively to better respond to cybersecurity incidents.
Morais Leitão’s cybersecurity team, together with its technology partners, has developed a solution tailored to the specific needs of each client, which simultaneously ensures compliance with the legal framework, mitigates IT risks, prepares the reaction to incidents and responds quickly and effectively to IT attacks.
Preventing cyber-attacks requires, among other things, the technological implementation of certain legal and, in some cases, regulatory obligations, adapted to the reality of each organization.
Recognizing the impossibility of absolutely eliminating risk, but knowing where it manifests itself most intensely, the Morais Leitão team, in close coordination with its clients and technology partners, has developed tested procedures for assessing computer risk, mapping information, implementing cyber governance mechanisms, creating information security policies and creating incident response plans.
The recent past has seen progressive growth in the legal and regulatory framework for cybersecurity, both national and European.
Regulatory compliance is particularly critical in the case of the Public Administration, critical infrastructure operators, service operators and digital service providers. Morais Leitão advises on the different aspects of the regulatory process, including the implementation of incident notification mechanisms, the identification and communication to the CNCS of the permanent point of contact and the security officer, the inventorying of assets, the preparation of the security plan and the preparation of annual reports.
In the event of a cyber-attack, rapid IT and legal intervention is required to control and stop the attack, mitigate the damage caused, comply with the applicable communication procedures, manage public communication (including with data subjects) and prepare for any possible criminal reaction.
Specifically, it is necessary to identify the source of the attack, prepare the crisis management plan, notify the competent authorities (CNPD, ANACOM and/or CNCS), develop the necessary communication channels with data subjects and public authorities, prepare internal investigations, collect and ensure the preservation of evidence, and also manage internal and external communication.
Morais Leitão’s accumulated experience in legal advice related to some of the major cyber-attacks in Portugal has allowed it to systematize the various steps of the reaction and create a quick and effective implementation service, which aims to reduce the impact of the attack and promptly manage all its legal, technological and reputational consequences.