Mexico: Cybersecurity

Digital connectivity brings with it myriad opportunities but many risks. Over the next five years, it is expected that cyber crimes will cost companies US$5.2 trillion worldwide. Authorities globally have realised the need for better cybersecurity regulation. This chapter provides an oversight of relevant cybersecurity legislation in Mexico.

Terminology and background

The prefix cyber- has come to denote the digital threats malicious actors pose to organisations and systems, and the requisite steps to defend against these threats. Risks include data hacks, distributed denial of service, drive-wiping viruses and ransomware, such as the NotPetya and WannaCry in 2017, and the LockerGoga attacks in 2019.

Some new regulations, such as the EU’s Networks and Information Systems (NIS) directive or the Bank of Mexico’s Cybersecurity Strategy, subject banks and financial market infrastructures to tighter requirements.

Cybersecurity regulation and regulatory government agencies

Mexico has in place a National Cybersecurity Strategy, led by Mexico’s federal government in coordination with local governments, the private sector, civil society and academic institutions, which aims to identify and establish actions in the cybersecurity arena to encourage individuals, companies and government agencies to carry out their activities using free, reliable, secure and resilient information and communications technology for economic, social and political development. This strategy may produce a number of laws and regulations increasing cybersecurity standards in the country. However, until now, no specific laws or regulations in this regard have been issued by Congress.

In dealing with personal data, the Federal Law on Protection of Personal Data Held by Private Parties and its Regulations contain different security measures that must be implemented by data controllers or data processors, which are inclusive of digital environments, including:

  • administrative security measures to:
    • arrange security information from an organisational perspective;
    • identify and classify information; and
    • raise awareness;
  • physical security measures to:
    • prevent unauthorised access, damage or interference to facilities or equipment;
    • protect mobile or portable equipment;
    • provide maintenance to equipment where personal data is stored; and
    • guarantee the deletion of personal data; and
  • technical security measures to:
    • guarantee that only identified and authorised users have access to logical databases to perform their tasks;
    • maintain secure systems; and
    • administer computerised resources used for the processing of personal information. 

The Federal Criminal Code regulates illicit access to computer systems and equipment, including the unauthorised access of data; the unauthorised modification, destruction or intentional loss of data in information systems protected by a security mechanism; and aggravated forms of these crimes with respect to government-owned equipment and financial institutions, and when the information obtained is intended for personal or for third-party profit.

In Mexico, cybersecurity is governed by a number of institutions depending the relevant industry or applicable law; for example, the National Security Commission of Mexico and the Subcommittee on Cybersecurity have an important role regarding criminal activity in cyber environments. However, these are not the sole authorities dealing with cybersecurity issues. In the financial sector, the Bank of Mexico and the National Banking and Securities Commission play a significant role in dealing with cybersecurity in the financial industry. Finally, Mexico’s data protection authority the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) also deals with data protection in cyber environments.

Cybersecurity guidance for financial services organisations

The Bank of Mexico, which is the central bank and monetary authority in Mexico and was responsible for creating the Information Technology Security Division as the responsible body for the enforcement of cybersecurity, has worked to preserve the confidentiality, integrity and availability of the information in the financial sector through the incorporation of various technological and administrative controls to increase the level of protection of assets.

The Bank of Mexico has initiated cybersecurity programmes aimed at:

  • protecting information and its processes to cover computer systems and other additional aspects of technology;
  • addressing cybersecurity from a risk-prevention perspective;
  • concentrating the security of information across the ecosystem to extend the requirements to financial institutions that interact with the Bank of Mexico; and
  • strengthening the governance of information security through the reorganisation of areas, the design of institutional cybersecurity policies and providing human resources.

Further, the Bank of Mexico and other authorities have worked on the implementation of mechanisms in order to meet the requirements of the Mexican data protection laws, and the strengthening of technical areas of computer security and the mechanisms for evaluating and protecting computer vulnerabilities for more active protection.

More recently, as a consequence of hacks suffered by several Mexican financial institutions in 2018, the Bank of Mexico issued several amendments to the Rules of the Electronic Interbank Payment System to strengthen information security in electronic payments, which include, among others:

  • having an incident response manual that includes the actions and measures to be adopted to react against any cybersecurity incident;
  • implementing policies and procedures that oblige the financial institutions to carry out confidence and integrity tests to its employees and staff, as well as to the service providers who have access to relevant information and systems;
  • appointing a chief information security officer;
  • carrying out periodical revisions to the chief information security officer’s functions;
  • establishing procedures to detect and manage cybersecurity incidents on the technological infrastructure that ensures the identification and containment, adequate collection and safeguarding of cybersecurity evidence for notification to senior management; and
  • carrying out vulnerability tests every two years to determine the security of the technological infrastructure.

On a separate issue, Congress approved the Law regulating Financial Technology Institutions (the Fintech Law) on 1 March 2018. The purpose of this law is to provide a regulatory framework for services rendered by financial technology institutions (FTIs) and their operations, functioning and services, subject to specific regulation offered or carried out by innovative means. The Fintech Law and its regulations contain heavy cyber­security measures for FTIs. FTIs include collective financing institutions (ie, crowdfunding) and electronic payment funds institutions. FTIs can carry out transactions with virtual assets, including cryptocurrencies. The law also authorises the operation of regulatory sandboxes and application programming interfaces (ie, APIs). According to the National Banking and Securities Commission, this is one the first laws of its nature in Latin America based on the principles of financial inclusion and innovation, competition, consumer protection, the preservation of financial stability, the prevention of illicit transactions and technological neutrality.

In connection with the above, on 10 September 2018, the National Banking and Securities Commission issued the General Provisions Applicable to Technological Financial Institutions, which regulate the Fintech Law, and contain several provisions to be implemented by the FTIs. The provisions state obligations for the FTIs that, among others, include:

  • carrying out vulnerability tests to the technological infrastructure and code analysis before its implementation;
  • carrying out periodical tests regarding the management, modification, replacement and destruction of information;
  • providing security measures for the protection of the FTI regarding access and use of the information received, generated, transmitted, stored and processed on its the technological infrastructure, that is, the identification and authentication of each user of technological infrastructure, encryption of messages, strong passwords, etc;
  • establishing processes for any cybersecurity incidents that ensure the detection, classification, attention and containment, investigation and, where appropriate, digital forensic analysis, diagnosis, reporting to competent areas, solution, follow-up and communication to authorities, clients and counterparts;
  • implementing automated devices or mechanisms to detect and prevent cybersecurity events, as well as to prevent unauthorised inbound or outbound data flows and connection and information leakage, considering, removable storage;
  • hiring a third-party service provider that has technical capacity to carry out vulnerability tests at least every two years to detect errors, vulnerabilities, unauthorised use, or any other issue that may compromise the information of the FTI or its clients;
  • providing training to employees regarding cybersecurity and best practices in connection with information security;
  • appointing a chief information security officer; and
  • notifying the clients and authorities of any cybersecurity incident and carrying out an investigation in order to identify the origin and cause of the incident.

Updates to cybersecurity legislation

There are some initiatives in place to modify the Federal Law on Protection of Personal Data Held by Private Parties and its Regulations and other sectoral cybersecurity regulations in the financial sector, and as referred, the National Cybersecurity Strategy may lead to new a regulatory regime in the country.