Cybersecurity in Latin America: Cyber Threats Evolve in a Landscape of Incipient Resilience - FTI Strategic Communications
2024 Latin America Insights

Organizations in Latin America should not wait for regulators to impose cybersecurity readiness requirements, as preparation is key to mitigating the impact of increasing cyber-attacks.

The volume and sophistication of cyber-attacks registered in Latin America are on the rise, with organizations in countries like Brazil and Mexico ranked among the top global targets for cyber criminals.[1] They are particularly appealing for hackers due to the region’s combination of increasing digitization and generalized cybersecurity immaturity.[2] Governments have yet to enforce robust regulations imposing clear cyber resilience requirements for companies in all industries. Without such “incentives”, companies tend to neglect or postpone addressing this issue, either because they fail to see cybersecurity as critical for their business, or because they have other conflicting priorities. Improving cyber capabilities can be a tricky challenge for organizations across Latin America that are falling short in other critical areas – as it demands time, expertise, and money that some might think should be applied elsewhere.

In its recently launched Global Cybersecurity Outlook 2024, the World Economic Forum (WEF) called out the “cyber inequity” among certain geographies as a concerning issue, describing the lower number of self-reported cyber-resilient organizations in Latin America and Africa (in comparison to higher numbers in North America and Europe) as a gap that “unsurprisingly […] tends to mirror other global development indicators”.[3] Disparities in the development of cyber capabilities across the region and between small and large organizations are also an issue: the pace of improvement might vary, but the impacts of cyber incidents can be systemic.

Challenging Road to Cyber Resilience in Latin America

To complicate matters further, as Latin American countries continue to promote digitization to foster socioeconomic growth, they become even more vulnerable to cyber criminals, given that the increased use of technology also increases the potential for attacks. Additionally, there are challenges such as the increasing cost of access to cybersecurity services, tools and talent as cyber threats evolve with the emergence of new technologies such as Generative AI.[4]

After suffering increasingly harsh cyber-attacks,[5] local authorities across Latin America have rushed to advance cyber resilience improvement initiatives such as bills to create cybersecurity agencies in Colombia[6] and Chile[7]. The idea of having such a regulatory body is also on the radar in Brazil, which has just established a new National Cybersecurity Policy (PNCiber) and a public-private National Cybersecurity Committee to respond to the evolving landscape and pursue international collaboration.[8]

While more robust regulatory frameworks and greater public-private cooperation are necessary and positive, there is concern in the region about the effectiveness of the emerging regulations. When attempting to adapt regulations from more mature markets, Latin American countries often experience misalignment between those regulations and the specific needs of emerging local economies. For instance, trends seen in mature markets towards imposing strict requirements for supply chain risk management and cyber insurance might be too advanced for Latin America right now. Moreover, a tendency for vague and unclear guidelines might hinder the creation of common cybersecurity baselines for all organizations in Latin America. An additional hindrance to fostering broad-based cybersecurity accountability may be the tendency to place the burden of cybersecurity resilience solely on the private sector – as already seen in some sector-specific directives in Brazil, for example.[9]

Still, taking ideas from paper to reality is typically a hard endeavor in Latin America, and robust regulations that are both effective and enforceable will take time to materialize.

How Can Latin American Companies Proactively Become Cyber Resilient?

Latin American organizations cannot afford to sit back and simply wait to comply with whatever regulations may come up. Taking action starts with understanding that cybersecurity is not an IT issue, but a strategic business subject that can potentially lead to wider systemic risks that put entire industries (if not economies) in peril.

With the correct mindset established, the next step is to conduct a serious assessment of the current state of the organization’s cybersecurity culture, tools, expertise and protocols. The analysis will provide insights into vulnerabilities and help identify priority action areas to be addressed through a multidisciplinary approach that prioritizes preparedness, including incident response protocols and continuous testing, for instance via simulations and tabletop exercises.

Our Takeaway

Beyond each organization increasing its own resilience, sectoral collaboration is also critical. Although this will require a shift in mindset to overcome existing trust issues, talking about cybersecurity with additional stakeholders (including the public sector) should be less taboo and more of a standard practice. Collaboration can lead to efficiencies and help entire economic sectors learn from past experiences. Perhaps most importantly, it can create a culture of intelligence sharing to strengthen prevention efforts for all parties involved.

Adriana Prado
Managing Director, Brazil

Adriana Prado leads FTI Consulting’s Strategic Communications team in Brazil and the Cybersecurity and Data Privacy Communications practice in Latin America. She frequently speaks about cyber incident preparedness and response at top-tier events in Latin America and is a guest professor at Brazilian business school Insper.

Ana Maria Muñoz
Senior Director, Colombia

Ana Maria Muñoz leads FTI Consulting’s Cybersecurity and Data Privacy Communications team in Colombia. She is a lawyer and an expert in corporate reputation, brand positioning and crisis management.

Isaac Morales
Senior Director, Mexico

Isaac Morales leads FTI Consulting’s Cybersecurity and Data Privacy Communications practice in Mexico. With more than 15 years of experience in cybersecurity, emerging technologies, and international security, he has advised both government and private corporations on risks and complex cyber incidents.

[1] Emilie Sweigart and Jack Quinn, “Why Is Latin America So Vulnerable to Cyberattacks? We Ran the Numbers.”, Americas Quarterly (July 25, 2023), https://www.americasquarterly.org/article/why-is-latin-america-so-vulnerable-to-cyberattacks-we-ran-the-numbers/; and Tomás Lujambio, “FortiGuard Reports Cyberattack Attempts During 1H23,” Mexico Business News (August 17, 2023), https://mexicobusiness.news/tech/news/fortiguard-reports-cyberattack-attempts-during-1h23.

[2] See supra note 1, first source.  

[3] Global Cybersecurity Outlook 2024, World Economic Forum in collaboration with Accenture (January 2024), https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2024.pdf

[4] Jennifer Gregory, “Cybersecurity trends: IBM’s predictions for 2024,” Security Intelligence (January 9, 2024), https://securityintelligence.com/articles/cybersecurity-trends-ibm-predictions-2024/.

[5] Cecilia Tornaghi, “The Dramatic Cyberattack That Put Latin America on Alert,” Americas Quarterly (July 25, 2023), https://www.americasquarterly.org/article/the-dramatic-cyberattack-that-put-latin-america-on-alert/.

[6] María C. Suárez, “Colombia’s President Petro to Create Digital Security Agency to Guard Against Hackers,” Bloomberg Linea (December 6, 2022), https://www.bloomberglinea.com/english/colombias-president-petro-to-create-digital-security-agency-to-guard-against-hackers/.  

[7] “Chile: Chamber of Deputies approves cybersecurity law, presented for Senate consideration,” OneTrust DataGuidance (December 14, 2023), https://www.dataguidance.com/news/chile-chamber-deputies-approves-cybersecurity-law.

[8] “Decree establishing Brazil’s National Cybersecurity Policy enacted,” Mattos Filho (January 5, 2024), https://www.mattosfilho.com.br/en/unico/brazils-cybersecurity-policy/#:~:text=The%20policy%20is%20grounded%20in,and%20national%20and%20international%20cooperation.

[9] Ana Heeren and Mateo Millet, “One Regulatory Size Doesn’t Fit All in Emerging Markets,” FTI Consulting (January 21, 2020), https://www.fticonsulting.com/fr-ca/canada/insights/fti-journal/one-regulatory-size-doesnt-fit-emerging-markets.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
