Latin America Advisor

Financial Services Advisor

A Daily Publication of The Dialogue

Are Mexico’s Banks Doing Enough to Fight Cybercrime?

Mexican Central Bank Governor Alejandro Díaz de León

Mexican banks have been seeing an unprecedented level of cyberattacks in recent weeks, central bank chief Alejandro Díaz de León said May 14. The attacks have included incidents in which thieves siphoned as much as $20 million out of the country’s banks. How prone is Mexico’s banking system to such attacks, and what are the system’s main vulnerabilities? What more must the country’s banks do in order to protect themselves? What actions should Mexican government agencies and lawmakers take to strengthen the country’s electronic banking system?

Jarrett Benavidez, vice president of sales for Central U.S. and Latin America at BeyondTrust: "After last week’s attack on the SPEI platform in Mexico, where multiple banks reported non-authorized transfers of as much as $20 million, the banking industry has responded by using alternate channels to avoid these transfer ‘delays.’ The resulting lack of trust of this very important platform will result in the unprecedented resignation of several top-level executives in Mexico, and will surely drive mandatory security requirements to protect this core of the Mexican banking system, rather than allow for nondisclosure and other confidentiality agreements to suffice as protection as before. The vulnerability that allowed for the successful attack on the transfer system was located in middleware, or software that acts as a bridge between an application and a critical system such as a database or operating system. The risk posture of middleware is often overlooked, as the focus of these programs falls on functionality instead of security. They are often developed by third parties and by internal resources that aren’t required to follow security best practices when writing code. Lack of attention to secure coding often makes middleware an easy target for hackers, as it goes into production riddled with security vulnerabilities. Activity between systems is hijacked, and legitimate credentials are stolen, allowing hackers to act as company employees and, in this case, disperse funds, in what appears to be a valid transaction. Mexican government agencies should mandate controls that improve security standards of middleware and other software, including secure-coding best practices, vulnerability identification and remediation, as well as management, auditing and recording of all access to critical financial applications. With 80 percent of cyberattacks involving stolen credentials obtained by leveraging vulnerabilities in the IT ecosystem, it is crucial to address the attack chain from beginning to end."

Melissa Diaz and Paola Sánchez Torres, attorneys at Diaz, Reus & Targ: "According to the World Bank, Mexico is the second largest economy in Latin America. Yet, its cybersecurity programs and technologies are outdated, and the country lacks a cybersecurity culture. These vulnerabilities leave Mexico’s banking system very prone to cyberattacks. Both Mexico’s banks and the Mexican government must enact immediate measures to prevent future cyberattacks like the recently discovered hacking and transferring of more than $15 million from Mexican banks such as Banorte to dummy accounts in other banking institutions. Mexico’s banks should implement enterprise-wide security policies that take into account all regulatory and enterprise compliance requirements and protect personal data. Once a security policy is in place, banks should enforce their security policy and constantly monitor their network to ensure that any changes to configurations within the network have been approved and are compliant with the policy. Banks should also screen all candidates and employees, and should conduct regular mandatory employee training on their security policies. Currently, Mexico does not have a dedicated law that regulates cybersecurity. As such, it is imperative that Mexican lawmakers create effective legislative frameworks that hold entities and their management responsible for poor cybersecurity practices and that allow for the prosecution of individuals responsible for cyberattacks. The Mexican government should incentivize a culture of cyber hygiene with effective communication and participation among participants, such as banks and other financial institutions. If Mexico and its banks do not make critical changes to their cybersecurity culture, the public is likely to lose trust in the Mexican banking system, which could substantially harm its economic growth."

Adalberto Palma Gómez, member of the Financial Services Advisor board and president of the Union of Mexican Financial Institutions (UNIFIMEX): "When it comes to cyberattacks, there are two kinds of financial institutions in the world: those that have already been attacked and those that don’t know it yet. Mexico’s financial system is no exception. The constant cyberattacks do not constitute the main problem, but rather the increasing sophistication with which they are carried out, as financial transactions are increasingly executed online. Condusef, the local authority that protects financial service users, said that in 2017 there were more than four million cases of cyberfraud and that two of every three client complaints had to do with this growing problem. Even Condusef itself suffered hacking attempts, impeding it from attending to thousands of client complaints. Recently, electronic payment system SPEI suffered a saturation attack through the Bank of Mexico, impeding operations at certain financial institutions. The attack exposed the lack of efficient response protocols, and that is what is being worked on today to prevent future failures. In a recent meeting with the National Banking and Securities Commission, the members of UNIFIMEX were informed that the body will soon release rules that will allow a joint reaction between financial institutions and authorities in order to prevent, and in some cases react, with measures appropriate for the problem in order to preserve the health of financial institutions, protect clients and reduce the risk to financial institutions’ reputations. The imminent next step for Mexico is the adoption of a framework for national cybersecurity covering all kinds of transactions, and communication between private and public institutions—for which the financial system is the lifeblood—to guarantee the continuation of necessary economic functions that society demands."

Alejandro Buschel, information security professional and founder at ProGloBix: "Banks around the world are targeted with cyberattacks. The level of investment needed to build, operate and maintain cyber defenses keeps growing, with scarce personnel available to innovate and implement scalable solutions. The complexity of banking systems has grown significantly in the last decade, and it will continue to grow in order to better serve customers, reduce operating costs and increase efficiency. These goals are achievable when cybersecurity is a fundamental part of the design and operation of systems. Mexico’s banking system should operate systems that foster collaboration and sharing of indicators of compromised systems among its members. They should have processes in place to react automatically to certain events. Automation is needed to distribute information and act accordingly. Sophisticated attacks are planned in advance and executed with precision. Cyber defenses should account for this kind of attacker with full awareness of all the critical systems required to operate, visibility of all application flows, and mechanisms for detecting fraudulent activities. The banking system should be considered as important as critical infrastructure at the national level. Banks should be required to demonstrate adequate security to their regulator by implementing cyber stress tests of all critical applications, both for interbank transfers and internal systems. A past history of limited attacks does not imply the future will be the same."

The Latin America Advisor features Q&A from leaders in politics, economics, and finance every business day. It is available to members of the Dialogue's Corporate Program and others by subscription.