The Spanish Public Employment Service (SEPE) fell victim to “Ryuk” ransomware

Cyberattacks and business diligence
April 7, 2021

A few weeks ago, we witnessed the umpteenth cyberattack in a long list of cases. On this occasion, the Spanish Public Employment Service (SEPE) fell victim to “Ryuk” ransomware. The attack collapsed all its computer systems, its offices were unable to function and its activity was paralyzed for a whole day.

Far from being isolated events, cyberattacks are quite common. 2020 set a new record, with a 62% surge in cyberattacks on companies— to a large extent due to the pandemic. European institutions expect this trend to continue to increase in the coming years, given that 22.3 billion devices worldwide are expected to be connected to the internet by 2024.

Several studies confirm the exponential growth of online threats. According to a report on cybercrime by the International Criminal Police Organization (INTERPOL), the main cyberthreats related to COVID-19 were phishing and malware/ransomware, with an increase over the previous year of 59% and 36%, respectively.

Last year, the average ransom demanded by cybercriminals in Europe, the US and Canada to release files hijacked by ransomware was $312,500, compared to $115,000 on average in 2019 (i.e., a 171% year-on-year increase). The full scale of the problem is illustrated by the recent attack on a Taiwanese manufacturer of computers and IT equipment, who was demanded a ransom of $50 million to recover its data, the largest ransomware payment to date.   

This challenging reality has not gone unnoticed by the national legislature. Thus, recent regulations (RDL 12/218 and RD 43/2021) highlight the importance of cybersecurity in the current context. The aim of this legislative effort—triggered by the need to transpose European regulations—is to improve the protection of networks and information systems against cyber threats, preventing and minimizing the chances of falling victim to cyber incidents. And when the threat materializes, an action and resilience plan is needed to mitigate and alleviate its effects and return to normality as soon as possible.

Cybersecurity is rapidly becoming a key strategic factor in the decision-making process of large corporations and government bodies. What used to be optional preventive measures and actions are now mandatory. Failure to implement them entails legal liability and heavy economic consequences. We are facing a change of model, in which investing in cybersecurity protocols and system resilience policies is essential. It is no longer a matter of ticking a box after checking that a requirement is met, but rather of continuously monitoring and verifying the diligence of the company and its managers in this field.

In this blog, we will follow any developments closely. In addition to technical aspects, this issue involves significant legal issues, both in terms of prevention and reaction to potential cybersecurity incidents.

Authors: Josu Eguiluz y Miquel Peguera

April 7, 2021