Cyber security
July 2025 | WORLDWATCH | RISK MANAGEMENT
Financier Worldwide Magazine
July 2025 Issue
The cyber security threat landscape has now reached unprecedented levels of sophistication and frequency, with companies facing near-constant risks. Advancing technologies, such as generative AI, are expanding the attack surface, increasing vulnerabilities and making defence against cyber attack more challenging. As malicious actors proliferate, companies need to establish a resilient security programme – reinforcing their efforts through policies and procedures, and training and awareness that cultivate a culture of compliance.
FW: How would you describe the magnitude of the cyber security threat facing companies today? In your opinion, how vulnerable are companies to these threats?
BELGIUM
Taelman: The cyber security threat landscape has reached unprecedented levels of sophistication and frequency. Every year sees double-digit increases in the number of attacks in Belgium. There is a significant shift from opportunistic attacks to highly targeted campaigns by organised criminal groups and state actors. Software suppliers remain the most popular target in Belgium, but the healthcare and financial sectors are not far behind. Malware and phishing attacks continue to rise and artificial intelligence (AI) is being used to improve the sophistication of cyber attacks. Many larger companies have increased their cyber security resilience in recent years, although work remains to be done. But many smaller companies underestimate their exposure, believing they are ‘too small’ to be targeted. However, cyber criminals increasingly view smaller entities as stepping stones to larger targets. Through their inclusion in the supply chains of larger companies, the vulnerability of smaller companies may also affect larger companies.
UNITED STATES
DePass: Companies are under near-constant threat from cyber security risks. The cyber threat landscape is immense and dynamic, creating challenges for companies of all sizes and levels of maturity. Today’s cyber threats are increasingly sophisticated, and include various methods for exploiting vulnerabilities in a company’s defences. Tactics including deployment of ransomware and other malware, use of elaborate social engineering schemes, and advanced persistent threats, among others, leave companies exposed. Advances in AI make defending against these attacks more difficult, as they allow for more variability and sophistication in approaches taken by malicious actors. The consequences of experiencing these kinds of attacks can be extremely damaging, and while it likely is not possible to eliminate all threats, companies that meaningfully invest in cyber security controls that meet or exceed industry-standard practices will be better positioned to withstand them.
THE NETHERLANDS
van der Wolk: The magnitude of cyber security threats is significant for companies in general, and the Netherlands in particular, due to the war in Ukraine and the fact that the Netherlands is a hub into Europe, including via infrastructure such as the port of Rotterdam. In addition, the Netherlands is host to this year’s North Atlantic Treaty Organization (NATO) summit and is receiving a lot of attention as a result. The Netherlands as a country and Dutch companies individually are facing significant cyber threats. Fortunately, the cyber posture of most companies has been improved considerably. Cyber regimes such as the Network and Information Security Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA) have definitely helped companies increase their cyber security programme, but ongoing efforts are required.
GERMANY
Ritzer: The cyber security threat landscape for companies today is serious and rapidly evolving. Cyber-enabled fraud ranks as one of the highest organisational cyber risks globally, including in Germany. Companies face significant exposure. The increasing use of technologies, such as generative AI (GenAI), further expands the attack surface, increasing vulnerabilities. From a legal standpoint, companies in Germany and the European Union (EU) are vulnerable not only due to technical weaknesses but also because of stringent regulatory requirements imposing heavy penalties for breaches, especially under the General Data Protection Regulation (GDPR), Cyber Resilience Act (CRA), DORA and the NIS2 Directive, which has not yet been implemented into most EU member states’ laws. Critical infrastructure operators are prime targets and must comply with enhanced security and reporting obligations. Increased liability risks also stem from potential strict liability for damages resulting from cyber security deficiencies under the new Product Liability Directive, as well as representative actions resulting from a breach of specific cyber security requirements.
CANADA
Caldwell: The magnitude of the cyber security threat facing companies is significant. The number of threat actors is rising, and there has been an influx of less sophisticated actors engaging in threat behaviour through the use of ‘cyber crime as a service’ tools. The lowering, and even outright removal, of barriers to entry for would be cyber criminals has had a significant impact on the number of external threat actors operating worldwide. Moreover, the rise in the availability of high-quality tools powered by AI has empowered threat actors to be even more dangerous. All companies, no matter how sophisticated, remain vulnerable. Unfortunately, the current state of play is such that all companies need to accept the harsh reality that it is less about ‘if’ and more about ‘when’, ‘how severe’ and ‘how ready they will be’ when external threat actors successfully penetrate their defences.
“Companies can evaluate their cyber risk exposure through comprehensive risk assessments that consider the entire lifecycle of digital products and services, as mandated by the EU CRA and other regulations.”
MEXICO
Larrea: The cyber security threat landscape facing companies today is more severe than ever. Adversaries are evolving quickly, adopting tactics that resemble legitimate business operations. In 2024, 79 percent of intrusions were malware-free, relying instead on ‘hands on keyboard’ techniques that are harder to detect. Breakout time – the time it takes attackers to move laterally – dropped to an average of 48 minutes, with the fastest case recorded at just 51 seconds. Human vulnerabilities remain a key entry point, with voice phishing attacks increasing by 442 percent in just six months. Social engineering and abuse of valid accounts are now widespread, especially in cloud environments where 35 percent of incidents involved credential misuse. GenAI has further empowered threat actors to produce realistic phishing content, deepfake videos and malicious scripts, accelerating the speed and scale of attacks.
FW: With the uptick in cyber threats having led to a more stringent regulatory environment, how are companies coping with greater compliance requirements?
UNITED STATES
DePass: Companies are implementing increasingly robust cyber security programmes both to address regulatory requirements, and because doing so is a business imperative. This involves leveraging strong administrative, technical and physical controls – for example, maintaining comprehensive data security policies and procedures, regularly assessing risks and implementing corresponding risk management plans, deploying, monitoring and testing advanced security technologies, and routinely educating workforces about the company’s security protections. Companies are further investing in their defence capabilities by leveraging dedicated security teams – often combining internal resources and external support. Finally, security teams are coordinating closely with legal to understand regulatory requirements and develop strategies to enhance governance and resources available to fortify defences.
THE NETHERLANDS
van der Wolk: Compliance requirements depends on the type of company and the regulatory regime they are subject to. For companies subject to NIS2, most cyber security control requirements align with the cyber controls they already have in place. NIS2 requirements in that regard are relatively high level and mostly principle-based, which makes them easier to map against existing cyber control frameworks. For companies in the financial sector and subject to DORA, it is more challenging, because DORA is much more prescriptive than NIS2, making it more time consuming to map. The more challenging parts of the new cyber regulations regard red tape as well as the integration of notification obligations in existing incident response plans and protocols. Because triggering factors and thresholds for notification differ from the likes of the GDPR, most companies need to adapt their incident response plans to avoid under- or over-notifications.
GERMANY
Ritzer: Companies are responding to the growing regulatory demands by significantly increasing their cyber security budgets. Many firms plan to increase their cyber security spending, prioritising data protection, technology modernisation and compliance with evolving laws like the NIS2 Directive and German cyber security laws.
CANADA
Caldwell: In some cases, companies are establishing dedicated cyber security teams to perform compliance functions. Companies are investing in comprehensive risk assessments, penetration tests and security audits to identify vulnerabilities and ensure adherence to regulatory standards. In addition, companies are leveraging technology solutions such as technology assisted data governance, security information and event management reporting, and automated compliance management systems to streamline the process of meeting often overlapping regulatory requirements. These systems help monitor compliance status, generate reports and ensure timely updates to policies and procedures.
“Because triggering factors and thresholds for notification differ from the likes of the GDPR, most companies need to adapt their incident response plans to avoid under- or over-notifications.”
MEXICO
Larrea: The rise in cyber threats has led to stricter regulatory environments, and companies are coping with greater compliance requirements by adopting more integrated and proactive strategies. Instead of treating compliance as a simple formality, many organisations are embedding cyber security into their broader governance and risk management practices. They are implementing structured improvement programmes that evaluate their current posture, identify gaps and define clear steps to meet evolving obligations. To address increasingly complex and overlapping regulations, companies are centralising compliance efforts, aligning with international standards and automating key reporting processes. Investments are being made in technologies that enhance visibility, identity management and threat detection across digital environments. In highly regulated sectors such as financial services and healthcare, compliance is now essential for operational continuity and maintaining stakeholder trust. Executive leadership is becoming more involved, taking responsibility for cyber risks, and engaging directly with regulators and boards. Many organisations are also building internal capabilities by training staff and recruiting experts in cyber security compliance to stay ahead of emerging requirements.
BELGIUM
Taelman: Belgium was one of the first EU countries to implement the NIS2 Directive in October 2024. This has fundamentally transformed the compliance landscape for Belgian businesses. By requiring board of directors training and accountability on cyber security, resilience against cyber threats has received much more attention. Companies achieving the best outcomes treat NIS2 as an opportunity to strengthen their overall security posture and competitive advantage, rather than just a burden. Companies are struggling with significantly expanded obligations, in particular those relating to supply chain security, which often require review of a significant number of suppliers and agreements, and incident reporting requirements, which have short reporting deadlines. While larger organisations have dedicated compliance teams, smaller entities often struggle to find sufficient resources. Even though NIS2 typically does not apply to smaller entities, in practice some of them need to comply with those requirements as well, because they form part of the supply chain of larger entities which are subject to NIS2 and push these requirements down. The Centre for Cybersecurity Belgium provides practical guidance, helping organisations, including smaller entities, navigate the regulatory complexity.
FW: What methods can companies use to evaluate their cyber risk exposure and determine the most suitable countermeasures to employ?
THE NETHERLANDS
van der Wolk: Evaluating cyber risk exposure generally entails assessing a company’s assets and vulnerabilities and prioritising what requires protection. While a lot of attention will be paid to a company’s ‘crown jewels’, we are seeing more attackers targeting ancillary or peripheral systems and equipment.
GERMANY
Ritzer: Companies can evaluate their cyber risk exposure through comprehensive risk assessments that consider the entire lifecycle of digital products and services, as mandated by the EU CRA and other regulations. This includes identifying vulnerabilities in design, manufacturing, delivery and maintenance phases. Technological tools such as automated outside-in scanning platforms assess external digital attack surfaces. These tools can help identify weaknesses such as domain name system misconfigurations, distributed denial of service vulnerabilities and exposure on the dark web, enabling companies to prioritise countermeasures effectively. Risk evaluation should be combined with regular internal audits, penetration testing and compliance checks aligned with regulatory frameworks.
CANADA
Caldwell: Depending on their business, companies have a number of countermeasures at their disposal. First, identify vulnerabilities, threats and impacts by analysing IT infrastructure, data assets and business processes. Also, evaluate the effectiveness of existing security measures and compliance with industry standards and regulations. Second, stay informed about emerging threats to anticipate potential attacks. Third, simulate cyber attacks to identify security gaps and address vulnerabilities proactively. Fourth, develop and maintain an incident response plan with defined roles, communication and privilege protocols, and conduct regular drills. Finally, implement ongoing cyber security training programmes to raise awareness and educate employees about best practices.
“The rise in the availability of high-quality tools powered by AI has empowered threat actors to be even more dangerous.”
BELGIUM
Taelman: Effective cyber risk evaluation requires a systematic approach, combining technical assessments with business impact analysis. The Centre for Cybersecurity Belgium’s CyFun framework is an excellent tool for systematic evaluations, with different frameworks depending on the sophistication of the company. It has already been adopted by Romania, and other countries are considering adopting it as well. Most Belgian companies subject to NIS2 seem to pursue ISO 27001 certification as a method to evaluate their exposure and demonstrate a long-term commitment to providing a valuable risk management structure. Belgian law offers compliance presumption benefits for certified organisations.
MEXICO
Larrea: Companies can evaluate their cyber risk exposure through structured methodologies that help them identify threats, assess impact and implement appropriate controls. One widely used method is the quantitative approach, which assigns numerical values to risks estimating potential financial losses. This method offers objective analysis but requires significant data and may not apply to all scenarios. The qualitative approach, on the other hand, uses expert judgment to categorise risks as low, medium or high. While more subjective, it is flexible and suitable when data is limited. A semi-quantitative method combines both by assigning scores to risks, offering a balance between objectivity and adaptability. It is often used when precise data is unavailable, but a structured framework is still needed. Asset-based assessments focus on identifying and protecting critical assets such as personal or health data, making them ideal for companies subject to local regulatory frameworks.
UNITED STATES
DePass: One of the most common ways for evaluating cyber risk is by conducting a comprehensive security risk assessment to identify threats and vulnerabilities to a company’s systems and data. Companies often align risk assessments to regulatory specifications, like the Health Insurance Portability and Accountability Act Security Rule, or recognised frameworks, such as the National Institute of Standards and Technology cyber security framework. Many elect to engage third-party assessors to perform these assessments, either because the company lacks internal capabilities or resources, or to lend credibility to the results. Risks and threats identified in the assessment then are addressed in a risk management plan that outlines the company’s strategy for mitigation, often based on the potential impact and likelihood of a threat being exploited. Companies can supplement risk assessments through other technical and non-technical activities, such as penetration tests and vulnerability scanning, to detect potential exposure risks. In addition, companies often find value in participating in intelligence-sharing networks that reflect collective experience and learnings from multiple organisations.
FW: In what ways has the appetite for cyber insurance increased in recent years? How would you describe trends in the coverage, limitations and premiums on offer?
GERMANY
Ritzer: There has been a marked increase in demand for cyber insurance in Germany and across Europe as companies seek financial protection against the rising costs of cyber incidents, especially when it comes to business interruption cost. Premiums are certainly linked to the company’s risk profile, compliance posture and the extent of coverage required. The risk profile very much depends on the industry and potential cost of business interruptions – for example, a manufacturing site with a risk of standing still entirely certainly has a higher exposure than a mere consulting business. Also, companies in complex supply chains where their customers’ business would be heavily affected by an incident face a high cyber damage exposure. All these factors are considered by insurers when calculating premiums. Deductibles and exclusions are common, and companies often use brokers who compare policies to ensure risk-adequate protection. Insurers are conducting quite detailed due diligence and risk assessments – to answer their questions and prepare, the company often needs to step-up its cyber preparedness. The importance of carefully answering these risk questions is underscored by a recent ruling by a German Higher Regional Court, whereby a cyber insurer can relatively easily contest a contract on the grounds of fraudulent misrepresentation if the company answers risk questions incorrectly without taking the time to adequately verify the facts. Coverage trends include protection beyond mere data breach cost, to cover business interruption, ransomware payments and regulatory fines, although limitations and exclusions remain significant considerations.
MEXICO
Larrea: In recent years, the appetite for cyber insurance has increased as companies recognise the growing threat of cyber attacks and the potential impact on their operations, finances and reputation. Businesses now view cyber insurance not just as a financial safeguard but as part of a broader risk management strategy. This demand has been especially strong among large corporations, but small and medium-sized enterprises are also beginning to see its value, particularly as regulatory pressures and ransomware attacks intensify. Coverage has evolved to address more complex risks. Insurers now offer policies that include not only data breach recovery and liability but also business interruption, cyber extortion and support for incident response. Many insurers have also started providing cyber security assessments and access to external experts as part of their coverage, helping clients improve their cyber resilience.
“Protecting data and systems requires multiple levels of protection. Maintaining robust technical controls provides a strong foundation, but that is not enough.”
UNITED STATES
DePass: The demand for cyber insurance remains high given persistent cyber threats, contractual requirements to have certain levels of coverage, and the potential for significant financial harms resulting from cyber events and data breaches. In the wake of such incidents, companies face direct costs, such as those involved in containing and investigating an incident, as well as indirect costs including those relating to third-party notifications, government investigations, litigation and reputational harms. The high demand for cyber insurance coincides with efforts by insurers to mitigate their exposure by increasing premiums, narrowing coverage and adopting other restrictions. For example, some insurers will cover a company’s expenses for engaging third-party experts only if those experts have been pre-approved by the insurer to assist in incident response activities. Given these kinds of limitations, it is critical that companies carefully review their policies and coordinate with their insurance brokers to confirm that they meet the company’s needs.
BELGIUM
Taelman: The cyber insurance market has experienced significant growth in Belgium, with Belgian companies increasingly recognising insurance as critical to risk management strategy, although the market penetration is still running behind the US. This surge stems from high-profile breaches demonstrating potentially catastrophic financial impacts. Although NIS2 does not mandate cyber insurance as such, the robust risk management required by NIS2 has further increased the interest in cyber insurance. However, the insurance landscape has become increasingly sophisticated and selective. Insurers now conduct rigorous cyber security assessments before providing coverage, often requiring evidence of specific security controls such as multifactor authentication (MFA), regular patching protocols and employee training programmes. Premium costs have risen, particularly for high-risk sectors or organisations with poor security postures. Recent trends include active cyber insurance where the insurer not only provides coverage, but also helps companies with identifying, mitigating and responding to cyber risks. In short, purchasing cyber insurance is not just about obtaining coverage, it also demonstrates ongoing commitment to cyber security best practices.
CANADA
Caldwell: The increased volume of cyber and privacy threats to companies has led to a higher demand for cyber insurance. Improved understanding of these risks has resulted in better underwriting standards, refined policy wordings and diverse coverage options. Cyber insurance premiums have seen a period of stabilisation and even some decline after significant increases in 2021 and 2022, but it still remains expensive. Common types of coverage include first party cyber liability, which covers direct damages like lost income, ransomware payments and customer notifications, and third party cyber liability, which covers legal fees and damages from third-party claims. Companies may need to enhance internal security processes, such as MFA, regular data backups and incident response plans, to qualify for a policy.
THE NETHERLANDS
van der Wolk: Most companies are certainly considering procuring cyber insurance. What I am hearing, though, is that in recent years premiums have gone up significantly while at the same time coverage has been more targeted and limited. Most cyber insurance will cover the cost of responding to an incident, which is helpful, but it will not cover such things as ransom payments, regulatory penalties or lost business. This may of course be understandable, but these are the areas where businesses are typically hit hardest as a result of a cyber incident. Companies should also be careful about the incident response coverage, and whether this includes free choice of third-party support, such as forensic investigators and attorneys. It is also important to know whether customer notifications, such as call centres and regular mail, are covered.
FW: What essential advice would you offer to companies on implementing effective strategies to mitigate cyber risk and strengthen their defences? How should they go about protecting their data, devices and critical infrastructure?
UNITED STATES
DePass: Protecting data and systems requires multiple levels of protection. Maintaining robust technical controls provides a strong foundation, but that is not enough. For a security programme to be effective, such controls must be reinforced through policies and procedures, training and awareness efforts, and other practices that cultivate a culture of compliance. Regularly assessing risks and vulnerabilities, and implementing measures to mitigate identified risks also are cornerstones of a mature security programme. Finally, companies should recognise that establishing a resilient security programme is not a one-time investment; it requires ongoing monitoring, evaluation and adjustment, given a dynamic threat landscape, and as a company’s operations and risk profile evolves over time.
“Companies can evaluate their cyber risk exposure through structured methodologies that help them identify threats, assess impact and implement appropriate controls.”
BELGIUM
Taelman: My primary advice would be to adopt a holistic, governance-driven approach rather than viewing cyber security as purely technical. Companies must establish clear policies making cyber security a board-level responsibility with defined accountability structures. This governance foundation enables effective implementation of technical and operational controls. Technical foundations should prioritise basic hygiene measures addressing common threats, including robust patch management, network segmentation, MFA, endpoint protection and comprehensive backup strategies. However, the human element remains critical. Regular employee training is essential as human error continues being a primary attack vector. Finally, incident response planning is non-negotiable, requiring tested procedures with clear communication protocols. While many IT departments already practice for cyber incidents, management is not as often involved in such exercises. I strongly believe, however, that it is necessary to ensure that the entire management is involved in such exercises to limit the disruption caused by an eventual cyber attack as much as possible.
CANADA
Caldwell: There are three areas where companies can invest time to mitigate risk and strengthen their defences and responses to a cyber incident. The first is an incident response plan. Companies should implement and regularly update an incident response plan to address emerging and persistent threats, and to reflect lessons learned in practice. Simulations should be conducted to test the plan’s effectiveness, incorporating lessons learned from real-life breaches. The second area is data governance. Retain sensitive data and personal information only as long as necessary to fulfil its purpose or legal requirements. Implement data mapping, retention policies and pragmatic approaches such as archiving and deidentification. Exercise diligence in sharing data with third-party vendors, restricting it to what is necessary for their services. And the last area is vendor management. Companies should assess vendors’ security and privacy controls, focusing on factors that mitigate risk such as encryption standards, data segregation methodologies, subcontractor and subprocessor controls, and data backup requirements. Ensure appropriate contractual safeguards, including written agreements with baseline security controls that go beyond mere attestations. Use auditing powers regularly rather than letting the contracts sit unused in a drawer.
THE NETHERLANDS
van der Wolk: An effective strategy very much starts with tone at the top and having management-level support. NIS2 introduces board-level responsibilities and liability, with the aim of ensuring that cyber security at board level receives the same attention as, for example, a company’s financial risks. It is about making sure that the board can pose the right questions to the chief information security officer (CISO) and for the CISO, in turn, to report on meaningful key performance indicators. The entire organisation should be aware of cyber risks, such that everyone appreciates that they contribute to the company’s overall cyber posture. On a more practical level, companies are strongly recommended to have adequate and up to date IT asset management inventories, so that IT assets can be monitored appropriately for security updates, patch management and vulnerabilities.
MEXICO
Larrea: To implement effective strategies for mitigating cyber risks, companies should adopt a proactive, layered approach that integrates technology, process and people. The foundation is a comprehensive risk assessment to identify vulnerabilities and prioritise threats. This includes evaluating insider threats, third-party risks and critical assets. Once risks are understood, companies should enforce robust security controls such as network segmentation, firewalls, encryption and intrusion detection systems. Regular software updates and patch management are essential to prevent exploitation of known vulnerabilities. Access to sensitive data should be limited based on roles, and MFA must be deployed to prevent credential theft. Data backup and disaster recovery plans should be tested regularly to ensure business continuity after a breach.
GERMANY
Ritzer: Companies should implement a comprehensive cyber security strategy that integrates technical, organisational and legal measures aligned with German and EU regulations. First, they should ensure timely detection, containment and mandatory reporting of cyber incidents to data protection authorities. Second, manual audits should be conducted to continuously identify and address vulnerabilities. Third, strong access controls, encryption, regular patching and endpoint security should be enforced to safeguard sensitive information and hardware. Fourth, operators must comply with strict security standards, perform regular security audits and maintain incident response capabilities as required by German law. Fifth, cyber security and social engineering awareness and best practices should be fostered throughout the organisation to reduce human error risks. And finally, companies should evaluate and procure insurance policies that complement technical and organisational measures, providing financial resilience against cyber risks.
“Belgium was one of the first EU countries to implement the NIS2 Directive in October 2024. This has fundamentally transformed the compliance landscape for Belgian businesses.”
Edward Taelman is a partner at Crowell & Moring LLP, focusing on cyber security and data. Through collaboration with Crowell’s global cyber team, he offers legal and technical cyber security expertise and is recognised for his thought leadership in cyber security and frequently publishes on related topics. He can be contacted on +32 2 214 2868 or by email: etaelman@crowell.com.
Guillermo Larrea has unparalleled know-how in compliance and investigations across Latin America. Whether guiding companies through artificial intelligence ethics, data breach management, cyber incident response, cross-border data flow compliance or whistleblower investigations and fraud detection, his counsel is trusted by domestic and multinational organisations alike. He can be contacted on +52 (55) 5091 0018 or by email: guillermo.larrea@hoganlovells.com.
Donald DePass is a counsel in Hogan Lovells US LLP’s data, privacy and cyber security practice. Working with stakeholders across legal, compliance and product teams, he helps clients tackle pressing legal challenges and achieve key business objectives. His specialties include strategic privacy programme design and implementation, cyber incident response and preparedness, government investigations, and commercial negotiations. He can be contacted on +1 (202) 637 3286 or by email: donald.depass@hoganlovells.com.
Marissa Caldwell is an associate in McCarthy Tetrault’s business law group in Toronto. She advises clients in a broad range of sectors on strategies and issues relating to technology commercialisation, intellectual property, privacy, anti-spam, and marketing and advertising. She has extensive experience advising clients on privacy compliance, including developing internal privacy compliance programmes, responding to cyber security incidents, and responding to inquiries from, and investigations conducted by, provincial and federal privacy commissioners. She can be contacted on +1 (416) 601 8223 or by email: mcaldwell@mccarthy.ca.
Alex van der Wolk is co-chair of Morrison Foerster’s global privacy & data security practice and managing partner of the firm’s Amsterdam and Brussels offices. He employs his nearly 20 years of experience to advise global companies on their most complex data strategies and compliance programmes governing all aspects of information management, with a special focus on cyber regulatory compliance and cyber incident response. He can be contacted on +31 (20) 793 1530 or by email: avanderwolk@mofo.com.
Dr Christoph Ritzer is a technology and data protection lawyer based in Frankfurt. He leads Norton Rose Fulbright’s German cyber security and data privacy practice. Advising on cyber risk management and coordinating crisis response teams to help clients mitigate the impact of adverse cyber incidents, his broad experience is drawn from having overseen the response to dozens of incidents, some involving legal and regulatory issues in multiple jurisdictions. He can be contacted on +49 (69) 505 096 241 or by email: christoph.ritzer@nortonrosefulbright.com.
© Financier Worldwide
THE PANELLISTS
BELGIUM
Crowell & Moring LLP
MEXICO
Hogan Lovells
UNITED STATES
Hogan Lovells US LLP
CANADA
McCarthy Tetrualt
THE NETHERLANDS
Morrison & Foerster
GERMANY
Norton Rose Fulbright LLP