2018/2019 Edition of the Global Regulatory Update

Global Regulatory Update  | Corporates Edition 67 6) Cyber in LATAM –Mexico, Chile, Brazil The need to address cyber security risks and threats continues to pick up steam among the region’s policymakers. And while considerable progress has been made to develop national strategies for cyber security with the support of the Organization of American States (OAS), many countries continue to lag behind in the design and implementation of robust legal and regulatory frameworks. However, recent breaches of the financial system in Mexico and Chile have prompted more urgency to ensure critical infrastructure is protected and financial institutions have high standard information and cyber security policies and standards in place. Mexico Hackers attacked the Interbanking Electronic Payment System (SPEI) developed and operated by the Mexican Central Bank and diverted $20 million from the financial system. The Central Bank and the National Banking and Securities Commission (CNBV) have announced their intent to design and issue information security guidelines for banks. This will complement the recently approved national strategy on cyber security that requires implementation. Chile Hackers also targeted the payment system of Banco de Chile, creating a loss of $10 million. Significant public and congressional pressure has been put on the Ministry of Finance, Central Bank, and the Superintendence of Banks (SBIF) to put cyber security at the top of the regulators’ agenda. A national strategy for cyber security was adopted in 2017, and requires the government to identify critical infrastructure. The SBIF issued its first regulations on cybersecurity in January 2018 requiring banks to maintain a database of security breaches, carry out penetration tests, and educate staff and customers on cyber security. The recent attack will surely accelerate further regulations, and the SBIF will likely work with congress to update the current cyber law. Brazil The Central Bank issued a final resolution on 26 April 2018 that establishes the cyber security policy and requirements for the contracting of data processing, storage, and could computing services by financial institutions or other entities authorized to function by the Central Bank. Covered institutions are required to implement and maintain a risk-based cybersecurity policy to ensure confidentiality, integrity, and availability of systems and data through established goals, procedures, controls, testing scenarios, and other measures.