Civil liability of companies in the event of cyber attacks: legal analysis and insurance cover

At Belzuz Abogados, S.L.P., a law firm specialising in insurance law, we address in this article an issue of growing practical and legal relevance: the civil liability of companies in the event of cyber attacks, as well as the role played by insurance cover in this area.

  1. Introduction: cyber risk as a business reality

Digital transformation has led to a substantial improvement in the efficiency and competitiveness of businesses, but it has also increased their exposure to technological risks. Among these, cyber attacks — such as ransomware, phishing or security breaches — have become a constant threat with potential financial, reputational and legal consequences.

This context necessitates a legal analysis of the potential civil liability that companies may incur when they suffer a cybersecurity incident, particularly in cases where such an incident affects third parties, such as customers, suppliers or employees.

  2. Legal basis of civil liability

Civil liability arising from a cyberattack may be grounded in various bodies of law, depending on the nature of the damage caused.

Firstly, the general regime of non-contractual liability requires the concurrence of three elements: act or omission, damage and a causal link. In the digital sphere, the relevant omission usually consists of a failure to adopt adequate security measures.

Furthermore, where the attack involves a breach of personal data, data protection regulations come into play, imposing on companies the obligation to implement appropriate technical and organisational measures to ensure a level of security commensurate with the risk. Failure to comply with these obligations may result not only in administrative penalties but also in claims for damages by those affected. On the other hand, in the contractual sphere, the company may be liable to its customers or business partners if the cyberattack prevents it from fulfilling its obligations or compromises confidential information.

  3. The standard of care required

A key issue in determining liability is the level of care required of the company. The aim is not to demand absolute security — which would be unrealistic — but to assess whether the company has acted in accordance with reasonable industry standards.

Key factors typically taken into account include:

  • The nature and volume of the data processed.
  • The size and resources of the company.
  • The state of the art in cybersecurity.
  • The existence of internal prevention and response protocols.
  • Staff training.

In this regard, the adoption of measures such as up-to-date protection systems, regular audits, contingency plans or restricted access policies may prove decisive in excluding or mitigating liability.

  4. Types of compensable damages

Cyberattacks can cause a wide variety of damages, both direct and indirect. Among the most common are:

  • Financial loss: loss of revenue, system recovery costs, expenses for notifying those affected, or administrative penalties.
  • Non-pecuniary loss: particularly in cases involving the exposure of sensitive personal data.
  • Reputational damage: loss of customer trust or damage to corporate image.

Quantifying these losses is not always straightforward, which can lead to disputes in court or arbitration.

  5. The role of insurance cover

Against this backdrop, insurance policies play an essential role as a risk management tool. In recent years, so-called cyber risk insurance policies have proliferated, designed specifically to cover the consequences of cyber incidents.

These policies typically include cover such as:

  • Third-party liability for security or privacy breaches.
  • Crisis management costs, including legal advice and communications.
  • Data and system recovery costs.
  • Losses due to business interruption.
  • In some cases, cover against cyber extortion.

However, it is essential to analyse the scope of the policy in detail, as there may be significant exclusions, such as the lack of minimum security measures, malicious acts or certain types of attacks.

  6. Interaction between liability and insurance

The existence of insurance does not remove the company’s liability, but it can mitigate its financial impact. In this regard, it is important to bear in mind:

  • The obligation to disclose risks when taking out the policy.
  • Compliance with the security conditions required by the insurer.
  • Proper notification of the claim in the event of an incident.

Failure to meet these obligations could result in a reduction or even denial of cover, which reinforces the need for adequate preventive management.

  7. Prevention and best practices

Beyond insurance cover, the best strategy remains prevention. Some key recommendations include:

  • Implementing cybersecurity policies tailored to the risk profile.
  • Conducting regular audits and penetration tests.
  • Training employees in threat detection.
  • Having an incident response plan in place.
  • Regularly reviewing insurance policies to ensure they remain adequate.

The combination of technical, organisational and insurance measures enables companies to address cyber risk in a more robust and structured manner.

  8. Conclusion

Companies’ civil liability in the event of cyber attacks is a constantly evolving legal reality, driven by increasing digitalisation and the growing sophistication of threats. The key lies in striking a balance between the requirement for due diligence and an understanding of the inevitability of certain risks.

In this context, insurance cover serves as a highly valuable complementary tool, provided it is properly arranged and managed.

At Belzuz Abogados, S.L.P., as a firm specialising in insurance law, we consider it essential for companies to adopt a comprehensive approach that combines prevention, regulatory compliance and appropriate risk transfer, with the aim of minimising the legal and financial consequences arising from cybersecurity incidents.