Latin American Cybersecurity: A Fast-Growth Priority
By Carlos Gonzalez Fillad, Managing Director, Regional Head of Latin America, Global Liquidity and Cash Management, HSBC
The recent cyber breach of five firms in Mexico and the USD15m exploitation of their connections to the SPEI domestic payment system have placed a spotlight on Latin American cybersecurity. However, while the losses may have raised awareness in the region, there is still much work to be done by corporates and their treasuries to prevent this sort of breach becoming more commonplace. Carlos Gonzalez Fillad, Managing Director, Regional Head of Latin America, Global Liquidity and Cash Management at HSBC, examines the current cybersecurity landscape in the region and explores some of the best practices for cyber risk mitigation.
The cyber landscape
Corporate awareness and activity
Even before recent events in Mexico, which followed similar breaches from around the globe, corporate treasurers were becoming increasingly concerned about cybersecurity issues. A report by Celent in November 2017 revealed that 82% of treasurers cited cybersecurity as their number one concern. Yet despite this, corporate preparations appear less than comprehensive, as the report also revealed that globally:
- 70% of organisations have not developed a cyber-incident response plan
- 46% of organisations have not implemented or enhanced their phishing awareness training for employees in the past 12-24 months
- 43% of organisations lacked board-level responsibility for the review and management of cyber risk
- 37% of organisations have not yet estimated the financial impact of a cyber attack
- 34% of organisations do not assess their suppliers or customers for cyber risk
Based upon various conversations with HSBC clients in Latin America, it seems likely that these figures would also be regionally representative. However, the picture is extremely varied, with a small percentage of treasuries having a sophisticated cybersecurity approach, a larger group who are increasingly cyber-aware, but a majority where both awareness and activity are low.
In general, these groupings seem to reflect the corporate demographic, with the largest corporations typically being the most active, while the large number of smaller companies are less active. However, irrespective of size, companies that trade internationally seem to be more cyber-aware than purely domestic organisations.
At one end of the spectrum, companies may be taking minimal or no cybersecurity measures, but even where companies have put security processes in place, control gaps still exist. For example, treasury staff may lend each other security tokens, or access to vendor data may not be stringently controlled. There is therefore a need not only to raise cyber awareness but also to discover and implement global best practice. In both cases, there is definitely an important role for banks to play in supporting clients. This has been very apparent from the strongly positive response of Latin American corporate treasuries to cybersecurity events and information sharing offered by HSBC.
Government awareness and activity
The response of governments in the region to cybersecurity is almost as diverse as that of corporates. Mexico has been among the most active. Even before the recent attacks, Mexico's central bank had set out rules relating to the SPEI system that required financial institutions to have emergency response protocols prepared that would be triggered in the event of a cyber attack. The central bank has also announced the formation of a dedicated cybersecurity unit that will design and issue information security guidelines to the country’s banks.
Elsewhere, the Argentine government has already started working on cyber initiatives, including a cyber-policy partnership with the US. Despite these initiatives, there is still room for improvement in other Latin American countries, with a recent World Economic Forum paper reporting that Latin America was particularly vulnerable to cyber attacks and that many countries in the region still lacked the capacity to respond to major cyber incidents. This is perhaps understandable, because until now the primary focus for much of the available government (and bank) resources in Latin America has been on inhibiting the laundering of physical cash by narcotics cartels.
This further underlines the value of being able to rely on the support of a banking partner that has made a substantive investment and commitment to cybersecurity and that is open to sharing its knowledge of global best practice. In addition, as more Latin American companies expand into new trade corridors, the geographic extent of these capabilities across trade corridors will become increasingly important. For example, if a Mexican company has a business unit in China and there is a cyber attack there, the company will value insight on the Chinese cyber situation that can be provided at the head office in Mexico, as well as elsewhere.
The value of data
Treasury's control of cash makes it an obvious target for hackers. However, what is less commonly realised is that direct monetary loss may not actually be the biggest risk: treasury is also an extremely attractive target for the theft of financial and commercial data. The potential reputational and indirect financial losses from this could be far more severe than a straightforward cash theft.
The data stolen could be sold on for commercial advantage, such as in bidding for a contract where knowing a competitor's key price points is a major advantage. However, in industries such as aviation, there is also real concern that stolen technical data could be used for exploits, such as hijacking an aircraft.
More generally, while the average Latin American citizen may not regard corporate cash loss through cyber theft as of particular concern to them, they are definitely becoming much more aware of the personal risks to them of corporate or government cyber data theft. The last few years have seen a steady trickle of security failures by store chains, credit reporting agencies and government bodies. While the exact extent of the damage depends upon the data stolen, in some cases individuals had their identity data completely compromised, rendering them exceptionally vulnerable to identity theft. These individuals are unlikely to trust these organisations again, but the most severe failings may also have fundamentally undermined the integrity of the cyber ecosystem and its methods of identity validation.
1 Sistema de Pagos Electrónicos Interbancarios
3 "Combatting Treasury Fraud: External Forces Changing the Cybercrime and Cyberfraud Landscape", Celent, November 2017