Cybersecurity in Latin America: a legislative, organizational and technological challenge

Latin America has experienced a worrying increase in cyber-attacks in recent years. The region’s vulnerability is partly due to cybersecurity policies that are still under construction.

A specter is haunting Latin America: cyber-attacks, a major security problem that is increasingly affecting institutions, companies and individuals. Independent studies agree that there are more than 1,600 cyber-attack attempts per second throughout the region.

Data from the EY Global Cybersecurity Leadership Insights Study concludes that 91% of Latin American companies recorded a cybersecurity incident last year, while 62% have suffered a data breach. In recent years, the incidence of digital attacks of this type has soared in the region, starting with the three most frequent: malware infections, data kidnapping (ransomware) and phishing. In terms of malware, a report by the intelligence and threat laboratory FortiGuard Labs reports that the area would have suffered more than 360,000 cyber-aggression attempts of this type in 2022, with mainly in Mexico, Brazil, Colombia and Peru respectively.

Some of these attacks, due to their spectacular nature, their size or the importance of the institutions and companies affected, have attracted media attention. This is the case of the systematic cyber-attack against the Costa Rican government in July 2022 or, more recently, January’s massive data hijacking suffered by Colombia and Paraguay’s internet supplier, Tigo Data Center. In the latter case, the perpetrators blocked information from more than 3,000 backups on 330 computers using Black Hunt malware and demanded a ransom equivalent to $8 million dollars in Bitcoin.


Growing, but limited, responsiveness

These events are taking place in an area that is proving to be particularly vulnerable: according to data from the National Security Index (INCS), Latin America and the Caribbean are the worst prepared regions to deal with cyber-attacks, only ahead of the Middle East and Africa. Jorge M. Vega, an analyst at Spain’s Elcano Royal Institute, points out that "only seven Latin American countries [Brazil, Colombia, Uruguay, Mexico, Chile, Argentina and Paraguay] have specialized cybersecurity units within their Armed Forces".

A few months ago, Vega summarized the state of affairs forcefully: "In Latin America, the capacity to manage an effective cybersecurity policy is still under construction, with multiple and changing levels of maturity between sub-regions and countries". The International Security expert explains that the creation of adequate governmental structures and regional cooperation mechanisms is "a strategic imperative" that is not being addressed properly.

A good idea, in the opinion of analysts, would be to bring national regulations into line with the NIS2 directive, launched by the European Union in December 2022. This is the most advanced and comprehensive cybersecurity standard in the world, aimed, says jurist and expert in technological attacks Jesús Yáñez, at "creating a culture of cybersecurity". As David Fernández Granado, CEO of Prosegur’s global cybersecurity division, Cipher, explains, NIS2 requires companies "to have total visibility over the security perimeter, avoid technological and organizational fragmentation, professionalize the function by incorporating cybersecurity talent and implementing continuous improvement mechanisms to adapt to the speed of change."


Asymmetric strategies

In the absence of common guidelines, Latin American countries have been developing their own national contingency plans against cyber threats in recent years. The most advanced are those of Brazil, Colombia, Chile and Uruguay, but Argentina and Peru are beginning to make significant progress. Brazil has a Department of Information and Cyber Security within the Presidency area of its government, and its level of governance in this regard has been considered "solid" and mature by the Observatory of Cybersecurity in Latin America and the Caribbean. Only Colombia and Uruguay, which are attributed a "strategic" level, are rated higher. Colombia has bodies such as the National Digital Security Coordinator and the National Digital and State Information Commission. Chile, with "consolidated" organizational maturity, has an Interministerial Committee on Cybersecurity (CICS) chaired by the Ministry of the Interior.

Beyond legal and organizational progress at the institutional level, Latin American companies are also equipping themselves with their own tools, in many cases based on the NIS2 and other similar guidelines. As Armindo Portillo López, Cipher's Sales Manager in Paraguay, explains, "Argentina, Costa Rica and Chile recently adhered to the Budapest Convention on cybercrime, as did other countries, such as Mexico, Colombia and Paraguay. In addition, in 2017 the IberoAmerican Network carried out the publication of the Data Protection Standards for IberoAmerican States, which used the European Union's General Data Protection Regulation (GDPR) as a guide."

Beyond legal and organizational progress at the institutional level, Latin American companies are also equipping themselves with their own tools, in many cases based on the NIS2 and other similar guidelines.


A growing number of companies are boosting their investment in this area and equipping themselves with advanced internal protocols as part of their security master plans. Brazilian, Colombian and Chilean companies are leading this incipient development of creating successful corporate strategies. Proof of this was the action taken by the Colombian Center for Industrial Cybersecurity which, according to Portillo, "recently published a study detailing the increase in data breach incidents. All of this was a reminder that these problems are very real in the region and indicate that many individual companies and the financial services industry are unprepared."


The importance of the human factor

This is why it is essential to have cybersecurity managers at the corporate level, a  position that many Latin American companies still lack. The type of specific knowledge and experience that these professionals can offer can make the difference in the current context, where Fernández Granado says increasingly sophisticated threats are spreading, from automated ransomware attacks to new, highly effective phishing tactics. As he explains: "In the medium term, as soon as this technological standoff stabilizes, vulnerability will come mainly from the human factor. Attacks will be based on social engineering, which is what we call exploiting the fears, insecurities, imprudence or lack of knowledge of individual users, who are tricked into sharing access passwords, divulging valuable information or installing malware on their computers. Another pending challenge is to train a new batch of professionals with advanced technological skills to act as a checkpoint against this type of challenge. According to Portillo, "to strengthen the digital culture of the members of an organization is to strengthen their defense against the possible technological attacks ".

As ever, the recipe for success is to continue strengthening our response capacity, starting at the institutional level, creating adequate and common regulatory tools, as far as possible, for the whole continent. This has to be done without neglecting the necessary organizational effort and the essential investments in cybersecurity on the part of companies.

Portillo concludes with a reflection on the immediate future: "Cybersecurity experts are developing a whole arsenal of defensive resources to address Internet security in the near future. For this reason, and with the aim of following the obligations already established in the United States and the European Union, we must all work hand in hand, aided by technological developments, to shield our systems and our organizations behind a common regulatory framework for cybersecurity".