Monday, 13 April 2020 14:02

Indra: at the technological forefront of Cybersecurity

Iberian Lawyer interviews Carlos González Soria, Indra's head of Legal Affairs and deputy secretary of its Board of Directors

Spain's Indra is one of the leading global technology and consulting companies and the technology partner for key client operations worldwide. As a leading global provider of proprietary solutions in specific segments of the Transportation and Defence markets, it excels in Digital Transformation and Information Technology consulting in Spain and Latin America through its subsidiary Minsait. Its business model is based on an integral offer of its own products, with an end-to-end approach, high value and a high innovation component. The improvement in Minsait's profitability, together with the prospects of the Transport and Defense projects, points to both a future and a challenge for the company, among others the one arising from its appointment by the Spanish Government as the Spanish coordinator of the Future Combat Air System (FCAS) and the New Generation Fighter (NGF), together with its partners in France and Germany. This is undoubtedly one of the biggest technological projects that Europe intends to undertake in the next 20 years.

First of all, González Soria (pictured) explains that "as the maximum global responsible, my main function is to lead and coordinate the team of lawyers with the ultimate aim of ensuring adequate advice and control of the legal risks of the company's operations, with direct involvement in the most relevant matters."

What is the structure and how many people make up Indra's Legal department?

The legal department is structured in 5 main legal areas: Minsait; Transportation and Defense (T&D); Corporate; International and the Secretariat of the Board and Corporate Governance. It is composed of 80 professionals, 50 of which are in Spain and 30 in the different European and Latin American countries where Indra is established. 90% of the professionals are lawyers. Minsait's and T&D's legal departments are subdivided into Indra's areas of specialization in the different business lines, both vertical and transversal.

Indra's appointment as national industrial coordinator in the Future Combat Air System (FCAS) programme was described by Indra's CEO, Abril Martorell, as a logical strategic decision by the Spanish Government. What are the legal challenges of Indra's participation in the largest defence project of the next 20 years, together with France and Germany?

The appointment as national coordinator means an important boost for Indra. In the short term, it is a clear recognition of its capabilities, which strengthens its credibility and competitive capacity at international level and its access level to large international programmes. In the medium and long term, the first level technological developments included in the programme strengthen its future development capacity of the technologies in which it is currently a leader in Spain and Europe, which means that it will ensure that it is at the forefront of this industry for the next 20 years. With this, it increases its capacity to generate income via exports and its possibilities of attracting and retaining the best talent. On a legal level, this means a continuity of the work developed for the Eurofighter (EFA) programme, in which Indra has participated for many years, but with a new more active and leading role as the national industrial coordinator.

Regarding this project, Indra will have to coordinate with many Spanish companies responsible for the different technological pillars, among them, Airbus DS SAU. How do you approach these relationships from your department?

With absolute normality. Indra is the only Spanish company among the top 100 defence companies in the world and it is internationally renowned for the development of critical projects for the national defence of the countries it works for, for its participation in major European programmes and for its proven export capacity and its high added value within NATO framework. Indra has a high level of international recognition; it participates in 9 EDIDP (European Defence Industrial Development Programme) consortia and acts as coordinator in 3 of the 5 led by Spain, among others the Permanent Structured Cooperation (PESCO) programme for Strategic Command and Control, probably the most important of them all, in which Spain, Italy, Germany, France, Luxembourg and Portugal participate. Its technology (radars, electronic defence, command and control, mission systems, etc.) is recognized worldwide.

What areas of law need to be mastered to successfully perform a position like yours?

Commercial, Corporate and Public Law, although as the head of legal affairs, you end up advising on practically all areas of law, for which it is always important to be able to count on the technical opinion of those lawyers who specialize in that particular area.

You created your own digital transformation company, Minsait. Did you do it because you saw the need?

In 2018, Indra carried out a corporate reorganization consisting of grouping all its IT businesses, vertical and horizontal, national and international, into a new corporate entity that is a 100% subsidiary of Indra, including the digital transformation business.

The reasons for undertaking this reorganization were (i) To improve the management and accountability focus by separating the two largest business areas; (ii) To simplify the decision-making and execution processes by adapting them to the different needs of each area; and (iii) To facilitate the establishment of strategic alliances, joint ventures and integration processes with other IT companies.

Cybersecurity is an essential aspect for Indra as it is for many other companies, but in Indra's case it is, we assume, especially important. Proof of this is that you have purchased key companies in this sector. How do you handle these issues from the legal department?

Personal data and intangible assets protection is an increasingly relevant aspect at a global level. Computer attacks involving theft of financial data, illegal appropriation of other people's technology or know-how and public disclosure of personal data are becoming more frequent, with very serious consequences for both the economy and the reputation of companies and individuals. This is why Cybersecurity has become a top-notch technology sector, with a high level of demand, in constant growth (a nearly double-digit increase per year is expected in the Spanish market until 2023) and in full transformation, for which Indra is clearly committed and in which we have our own solutions.

In December 2019, we acquired SIA, a specialized and leading company in the field of information security, to create the Cybersecurity leader in Spain and Portugal in terms of business volume in services and value-added products. The integration of SIA with Indra's Cybersecurity business will allow us to bring a differential and complete offering to the market that includes cyber risk consulting services, technological footprint protection, incident detection and response, and the creation of secure businesses for our clients with advanced digital identity solutions. After this acquisition, Indra has a team of more than 1,000 professionals specialized in Cybersecurity and is positioned as the reference platform on which to carry out the development of this technology. In 2019, Indra also joined NATO's public-private partnership model in cyber defence after signing an industrial collaboration agreement with its Communications and Information Agency (NCIA) to become part of the network of companies that collaborate with this organization in the exchange of intelligence regarding Cybersecurity.

From a legal point of view, we focus our work on all aspects derived from the General Data Protection Regulation (GDPR) in our business, since in the design of our services and applications we are responsible for implementing the principle of privacy by design and by default. In the event of a data breach, its incorrect application could aggravate possible liabilities.

In addition, as we provide services to Public Administration systems, we must ensure that we comply with all the National Security Scheme requirements, which are normally set out in detail in the tender specifications. At a regulatory level, since we provide services to entities and systems affected by the obligations imposed by Law 8/2011 on Critical Infrastructures and RD-L 12/2018 on Network and Information Systems Security, it is essential to know and adequately regulate compliance with the regulatory provisions, failure to comply with which may result in significant economic penalties. At the contractual level, I would highlight two important aspects to be taken into account: (i) obligations in the field of security must be configured as obligations of means, understood as the commitment to maintain a standard of security and the execution of the agreed measures; (ii) insofar as we provide services based on third-party platforms (such as public clouds of the AWS, Ms Azure or Oracle type), when determining responsibilities, it is important to take into account the conditions derived from the use of such platforms. At the corporate level, it is important to cover possible risks derived from Cybersecurity incidents through specific insurance policies (whose terms are increasingly complex and whose cost is higher).

For what types of matters does Indra hire external lawyers? Do you always work with the same firms? What requirements must a law firm or its professionals meet in order to work with Indra? Do you use Alternative Legal Service Providers?

Legal advice in the ordinary course of business is provided by the internal team of lawyers. We hire external firms for those extraordinary matters which, due to their complexity, speciality or possible impact, require an external lawyer who specializes in the subject.  By its very nature, the area where we outsource most matters is Procedural and M&A. We select firms based on added value and cost criteria according to the complexity of the matter. To date we have not used ALSPs, which have effectively broken into the legal market by offering the outsourcing of paralegal tasks (such as document review, procedural support or legal research) offering cost savings and improved efficiencies. We are analyzing whether they would fit into Indra's legal advisory model and have held some meetings with suppliers to this end.

How do you think Brexit will affect Indra?

Brexit is a complex process with multiple dimensions and variables. At Indra, we have analyzed its main aspects in detail such as: fiscal impact; tariffs and customs controls; people's movement; regulatory changes; or European funds for Research and Development (R&D) projects, among others, in order to assess the possible impact on our activity. We have implemented a mitigation plan, with specific measures in the different identified areas, and the best estimate to date is that Brexit will not have a significant impact on Indra's businesses.

What measures are being adopted by Indra in relation to the coronavirus health alert?

Indra is carrying out a series of initiatives, which are permanently updated, seeking to apply maximum precaution to ensure the highest protection of professionals by reducing the risk of transmission as much as possible and also making it easier for professionals to apply a work balance model and care for their families. All this is done in parallel, to ensure the capacity of execution and production and offer the highest service capacity to customers. These measures include:

• The creation of a monitoring team, made up of members of senior management, business managers and corporate units, which permanently evaluates the measures to be taken.
• The implementation of mechanisms to facilitate work from home and measures to make working hours and shifts more flexible for those who cannot access this model.
• The analysis of cases of people belonging to groups susceptible to being considered at risk, such as pregnant women or people with chronic diseases, for example.
• Reinforcement of hygiene and safety systems in the workplace to minimize sources of infection.
• Constant internal communication campaign, updating the information regarding the adopted measures, the Administration's regulations and health recommendations, as well as providing Indra's professionals with a specific e-mail address to solve any queries.

Interview by Desiré Vidal.

To read the article in full please download issue N.93 here
