11/5/18 - Promontory Currents: Guiding Principles to Protect the Mexican Banking System from Future Cyberattacks
Home > News & Insights > Insights & Publications

11/5/18 - Promontory Currents: Guiding Principles to Protect the Mexican Banking System from Future Cyberattacks

By Judith Pinto and Jeffrey King

Last month, the Bank of Mexico directed participants of its interbank system for electronic payments (known in Mexico as SPEI, the acronym for the Spanish-language term) to use an alternate payments system after one participant reported errant account reconciliations that reportedly stemmed from a cybersecurity event. Banxico issued the same direction in April on the heels of similar suspicious activity.

These incidents are part of a larger pattern that has emerged over the past six months, as banks across Mexico have reported an increase in significant cybersecurity incidents.

The latest incident garnered headlines in major trade journals, some of which portrayed the cybersecurity of Mexico’s banks as dire. Other outlets were more moderate in their tone. However, while Mexico’s banks are facing serious cybersecurity challenges, they do have the capacity, capability, and commitment to overcome them.

The criticality of this endeavor cannot be overstated. The global financial system is amidst a major transformation, with cryptocurrency and blockchain-based delivery models challenging traditional financial-market infrastructure. Mexico — with its continuing internet penetration, rising entrepreneurism, and increased demand for digital services — will be impacted by this transformation.

Promontory believes that Mexico’s central bank and banking regulators, in conjunction with the new government, will need to coalesce around a cybersecurity strategy that is consistent with the Comisión Nacional Bancaria y de Valores’ principles for strengthening cybersecurity to ensure the stability of the Mexican financial system. This strategy should focus on the following:

Further expanding and advancing information sharing. In various forums, the Asociación de Bancos de México has indicated it has successfully piloted a platform for banks to exchange indicators of compromise. ABM’s member banks should be encouraged to participate in this program. Further, the platform should be expanded to allow for the interchange of other threat intelligence, including patterns of compromise and known tactics, techniques, and procedures associated with ongoing or emerging campaigns.

Leveraging data analytics for cybersecurity, in addition to anti-money-laundering activities. These technologies can be used to aggregate and curate indicators of compromise, allowing security-operations centers and incident responders to be more dexterous. These technologies can also be used to detect crimes and rapidly moving cyber threats that may only be visible through machine-speed analysis of data collected over time.

Harnessing the work of the international community. Last year, the Society for Worldwide Interbank Financial Telecommunication, which operates a platform for the interchange of global payments, reported that a number of its participants sustained attacks on their local infrastructures. These attacks resemble those sustained by SPEI participants and could very well have been perpetrated by the same actors. SWIFT has invested significant resources to develop a framework for customer-security controls, which Mexico should incorporate into its own regulatory framework. SWIFT has also made improvements to its system for detecting and remediating anomalous (and potentially malicious) activity.

Continuing the harmonization and expansion of cybersecurity regulations. In addition to the array of cybersecurity requirements found in international regulatory frameworks, Mexico has its own laws, policies, and sector-specific practices. On Nov. 8, the ABM will be presenting the first version of its cybersecurity reference framework to help harmonize the competing standards. The framework, titled “Marco de Referencia de Ciberseguridad” (also referred to by its acronym, MRC), should be a living document that is updated annually to incorporate changes to the cybersecurity landscape, as well as new regulatory expectations.

Cultivating a homegrown cybersecurity workforce. Mexico has well-defined cybersecurity tracks in many of its secondary schools. However, threats are emerging faster than banks can train qualified cybersecurity staff. Banks — which are targets of 65% of the cyberattacks in Mexico — need to bring students aboard as interns, and ultimately employees, to establish a dedicated cadre of skilled cybersecurity practitioners.

Increasing the rigor and frequency of testing. Banks should be contracting with technically competent third parties on application and penetration testing, preferably with a company that has a captive research team to study threats and vulnerabilities and can give testers insight into the latest attack methods. While most regulations require annual penetration testing, semiannual penetration testing is becoming increasingly common. Application-testing teams should have similar qualifications, but the testing should occur more frequently — particularly between (not just before) major releases.

Looking beyond technological solutions to organizational challenges. While cybersecurity hardware and software continue to evolve with the sophisticated threat landscape, only mature organizations will extract their maximum benefits. Banks must further compress their attack surfaces and segment their networks. Traditional, password-based authentication must be made obsolete. Cloud must become part of each bank’s short and long-term technology and cybersecurity roadmaps.

Being prepared to respond and recover. Mexico’s banks should operate under the assumption that they will have to recover from a real cybersecurity incident. Therefore, each bank must have incident-response, disaster-recovery, and business-continuity plans that are, at a minimum, exercised annually. Communication and crisis-management plans — which govern the escalation and communication of incidents to internal and external stakeholders — must also be created, exercised, and refreshed.

The cybersecurity threats facing Mexican banks are numerous, daunting, and constantly evolving. However, by working together to develop a comprehensive strategy that incorporates the principles mentioned above, regulators and the new administration can help ensure the safety and soundness of the Mexican banking system for years to come.


Judith Pinto is a managing director in Promontory’s New York office, and Jeffrey King is a principal in Promontory’s Washington office.