Cybersecurity 2022 Comparisons

In Mexico, there is no specific legal framework that regulates cybersecurity. Despite the fact that there is a “National Strategy for Cybersecurity”, this is just a document which references what the goals of the state should be when regulating cybersecurity, and it also mentions that any effort expended on cybersecurity should be done for social, economic and political development, in the private and public sectors. 

In Mexico, cybersecurity has more to do with actions preventing the committing of certain crimes, than the implementation of policies and principles in the private and public sectors. In this sense, there are specific regulations pertaining to crimes in regards to breaches of information security systems. 

In addition to the aforementioned, since 2013, internet access has been considered a fundamental right as it is included within fundamental constitutional rights. This has influenced regulatory bodies to recognise the use of the internet and consequently, the protection of security in the digital environment.

Within the legal framework, the following have certain provisions related to cybersecurity:

• the Data Protection Law (for public and private parties); 
• the Telecommunications and Broadcasting Law, and its guidelines on security and justice collaboration;
• the Law on Transparency and Access to Public Information;
• the Criminal Federal Code and National Code of Criminal Procedures;
• the Law on Women's Access to a Life Free of Violence; and
• the United States–Mexico–Canada Agreement.

It is important to note that in 2022, at least three bills are being discussed on regulating cybersecurity with a specific law.

In addition to the aforementioned, note that a security breach is only relevant for data protection matters, where the breach includes personal data. If the breach happens within the private sector, the controller will only notify the affected parties and only when there is a substantial effect on the rights of the relevant parties. On the other hand, the public sector will also notify the Data Protection Regulator due to the public interest regarding such breach. 

If there is a security breach but this does not affect personal data, then we would need to review if the breach may constitute a crime and in this case, a criminal procedure would have to be started. In this sense, cybersecurity breaches, do not have a specific regulation as the breach will only be sanctioned or prosecuted if it is related to a specific crime. 

At present, there are no specific regulators in Mexico with specific authorities on cybersecurity matters. The relevant regulator would depend on the nature of the matter involving cybersecurity breaches or security matters.

• In matters related to the financial system, the authority is the National Banking and Securities Commission.
• In the case of personal data protection, it is the National Institute of Transparency, Access to Information and Protection of Personal Data.
• The Federal Police (Guardia Nacional), with its cybernetic police, is in charge of the investigation and prosecution of crimes related to cybersecurity. 
• Regarding critical infrastructure in Mexico, CERT-MX is the country's Computer Security Incident Response Team, acting as a member of the Forum for Incident Response and Security Teams (FIRST).

As mentioned at the beginning of this chapter, cybersecurity breaches dealing with personal data follow a specific process regarding notification procedures (depending on whether the breach concerns personal data held by the public or private sector).

Private Sector Breaches

When dealing with breaches in the private sector, as no notice has to be given to the National Institute for Transparency, Access to Information and Personal Data Protection ("INAI" for its acronym in Spanish), no specific actions are performed by INAI if a controller notifies relevant data subjects. Nevertheless, any claim brought by a data subject to INAI regarding such incident, may be investigated by INAI.

Public Sector Breaches

On the other hand, in the event of a data breach in the public sector, the authorities must notify INAI regarding such data breach. INAI will carry out an investigation to determine whether such authority complied with its obligations regarding data protection. However, INAI does not appear to have carried out any actions against authorities in terms of non-compliance with their data protection obligations.

Cybersecurity Crimes

Regarding crimes related to cybersecurity breaches, the local Public Prosecutor's Office will be in charge of prosecuting such crimes in accordance with the Criminal Procedures Code. The prosecution will be conducted after a specific claim has been brought by the affected party. 

In some cases, cybernetic police may investigate crimes without the need for a claim made by the affected party. However, this will depend on the type of crime to be investigated, as for some types of crime, the police are not allowed to start the investigations. 

The United States–Mexico–Canada Agreement, which may be one of the most important international treaties for Mexico, has a specific chapter on digital commerce. In this chapter, there is a specific cybersecurity section, in which it is established that the parties will promote the improvement of the cybercrime attention units, as well as promoting the use of a collaboration mechanism to avoid cyber-attacks. 

Despite this international obligation for Mexico, there has not been any significant improvement in cybersecurity regulation in Mexico. The National Strategy on Cybersecurity has not been updated since 2017, and no specific actions have followed its publication. There are ongoing discussions about creating a specific National Agency for Informatic Security and a National Platform for Cybersecurity. However, if there are no specific regulations imposing obligations on regulated companies or the public sector, there is no point in creating these types of bodies or regulators.

On a private-sector level, specific chambers have been pushing congress to develop a unified regulatory framework on cybersecurity. However, as these efforts have not been backed by the government, no significant developments have been made to date. 

INAI, as an authority on data protection matters, issues various guidelines that individuals can use to establish their procedures of data protection. However, INAI is also the authority in charge of sanctions when there are data protection violations.

Sharing information may not be an obligation unless a private company is part of a regulated sector, for example, the financial or telecommunications sector. In these cases, and depending on regulatory obligations, certain information may be requested from such regulated companies. 

As a general rule, a court order is deemed obligatory before a company will supply information on its data. Like any other request for information by the authorities, this may not be supplied in the event there is no regulatory obligation to disclose or share information. 

As mentioned above, as there is no specific regulatory body dealing with cybersecurity, there are no specific obligations private companies must follow in order to collaborate with the authorities.

In terms of threats, the only authorities that have so far addressed specific concerns or alerts are the financial authorities, such as the Central Bank and the National Banking and Securities Commission (CNBV for its initialism in Spanish).

No similarities can be drawn between the regimes in Mexico, as no cybersecurity development has been made in recent years. 

There are no specific certifications or requirements regarding what may be considered as critical infrastructure in Mexico. The rule is that any infrastructure is deemed critical when that infrastructure is considered strategic because it is related to the provision of goods and essential public services, and because compromising the infrastructure could compromise national security in terms of the applicable law on national security. 

In this sense, many public infrastructures may be deemed critical, depending on the evaluation of the infrastructure by the authorities and how the authorities want to protect it. 

To be honest, Mexico is lagging behind on this topic, as no relevant developments have been made in the past year.

The only sector which has seen any development on this is the financial sector. The developments in this sector arose from specific attacks that were carried out on certain banks through the Inter-banking Electronic Payment System. Due to this, Mexican Central Bank issued a Cybersecurity Strategy in order to prevent cyber-attacks. This strategy also encompassed the formalisation of several collaboration agreements with regulated institutions and with the authorities, the purpose of such agreements being to define a co-ordination mechanism to provide an effective response to information security incidents in the financial sector.

The most relevant pending changes are the development of a new National Cybersecurity Strategy which will be in line with the National Development Strategy and the new government. 

Regarding the financial sector, there may be new administrative regulations regarding the basis of co-ordination in the field of information security, as the existing basis, dated 24 May 2018, was issued in response to specific attacks on the financial sector, and no additional agreements have been made in this regard since. 

The following key laws apply:

• regarding critical infrastructure – the National Security Law; 
• regarding the financial sector –
1. Guideline 8/2019 addressed to the participants in the Interbank Electronic Payments System;
2. general provisions applicable to credit institutions;
3. principles for strengthening cybersecurity for the stability of the financial system, June 2018;
4. basis for co-ordination in the field of information security, 24 May 2018;
• regarding data protection – federal and general laws for the protection of personal data held by the private and public sectors;
• regarding crimes on cybersecurity – the criminal codes of each state and the National Code of Criminal Procedures; and 
• regarding the telecoms sector – the Telecommunications and Broadcasting Federal Law, as well as related guidelines on security and justice collaboration.

There are no specific regulators for cybersecurity areas in Mexico. 

In general terms, the regulators that oversee a specific sector will also oversee the cybersecurity matters related to that sector. 

As there is no specific cybersecurity agency in Mexico, no specific details can be provided on this topic. 

Nevertheless, there are open discussions regarding the creation of an autonomous agency, the National Informatic Security Agency, which will develop and regulate the National Strategy on Cybersecurity. The discussions have been among the public and private sectors and have also covered the extra authority that has been given to the Federal Police. 

INAI is in charge of enforcing the Mexican Data Protection Laws (applicable to both the private and public sectors) as well as the Transparency and Access to Public Information Law.

In terms of data protection, the obligations that arise in the applicable laws are complied with by implementing internal compliance strategies, rather than having specific notification or registry obligations. 

In this sector, there are several authorities which may be relevant:

• the Ministry of Finance and Public Credit (SHCP);
• the National Banking and Securities Commission (CNBV);
• the Mexican Central Bank (Banxico); and
• the National Commission for the Protection and Defence of the Users of Financial Services (CONDUSEF).

In terms of cybersecurity, there do not appear to be any other relevant regulators or agencies, as this matter is not specifically regulated. 

It is worth noting that any standard which may be followed in any other country, may be freely followed by the private sector in Mexico. Due to this, self-compliance standards would be considered optional for companies in Mexico.

As in many other countries, ISO IEC 27001 triggers cybersecurity management systems and policies.

There are no developments on this for Mexico. 

In the financial sector, the latest developments in Banxico regarding cybersecurity for this regulated sector deal with the following topics:

• governance, compliance and organisation;
• data protection;
• security risk management;
• identity and authentication management;
• incident response;
• third party and vendor management;
• end point equipment protection;
• application and database protection;
• network and data centre protection; and
• security training and awareness.

And these topics follow these principles:

• protect the information and its processes;
• approach cybersecurity from a proactive perspective of defence and risk prevention;
• focus on information security for the entire financial ecosystem that interacts with Banxico; and
• strengthen the governance of information security, reorganising areas, providing human resources, and designing institutional cybersecurity policies.

On an international level, Banxico has been collaborating with several international organisations regarding information security:

• the Financial Stability Board (FSB) – Banxico is part of the FSB working group (called "Cyber Incident Response and Recover"), along with 20 other countries and five international organisations; 

• the Bank for International Settlements (BIS) – to establish new channels among central banks for the exchange of knowledge about cybersecurity practices;

• the Centre for Latin American Monetary Studies (CEMLA) – for the development of a cybersecurity collaboration forum; and 
• the Association of Supervisors of Banks of the Americas (ASBA) – to share information and disseminate knowledge on information security with ASBA.

On the protection of personal data, the general rule is that any controller must establish security measures to protect personal data. For the public sector, specific requirements on security measures may be specified depending on the type of personal data. 

There are no security requirements or other reporting, certification or external requirements in Mexico regarding material business data or material non-public information.

As there are no specific lists of critical infrastructures in Mexico, the type of infrastructure will determine whether certain requirements are applicable. For example, a telecommunications network may be deemed a critical infrastructure, and in this case, specific regulatory obligations arising from the Telecom Law would be applicable. Although the aim of such obligations may not be to protect information, the obligations may be relevant for the overall functionality of the network and may, therefore, be considered relevant.

There are no security requirements or other reporting, certification or external requirements to prevent denial of service attacks or other similar attacks on a system, data availability or integrity.

There are no security requirements or other reporting, certification or external requirements for the internet of things (IoT), software development, supply chains or other data or systems.

A data security breach is defined as:

• unauthorised loss or destruction of personal data;
• theft, loss or unauthorised copying of personal data;
• unauthorised use, access or processing of personal data; or
• damage, alteration or unauthorised modification of personal data.

In addition to this, in order for a breach to be subject to a notification, such breach must significantly harm the economic and moral rights of the data subjects. 

The data covered by data protection is all personal data. Personal data is any type of data which identifies or which may help to identify any individual. 

The notification to data subjects must include:

• the nature of the incident;
• the personal data involved;
• the recommendations to the subject regarding the measures that they may adopt to protect their interests;
• the corrective actions carried out; and
• the means to obtain further information on the breach. 

Any breach in any type of system would be covered by data protection. 

No information on this topic is available for Mexico. 

No information on this topic is available for Mexico. 

For IoT, only breaches of personal data are required to be reported. If no personal data is involved, there is no need to notify or implement any type of corrective measures. 

There are no regulatory requirements regarding secure software development. However, contractually, it is common for the parties to agree on matters related to certifications, vulnerabilities, liabilities, etc. 

Whenever there is a breach of personal data that harms the moral or economic rights of data subjects, this has to be reported to the individuals concerned, and other companies or organisations that are affected. 

It is not clear what type of harm to the economic or moral rights of the data subjects is needed in order for the controller no notify the breach, nevertheless, this would not require to be notified to the Data Protection Agency. However, it is understood that any type of breach harms, in one way or another, the rights of the data subject, and because of this, it is suggested that all breaches are reported in order to comply with the obligations pertaining to the processing by the controller.     

As mentioned above in 5.8 Reporting Triggers, no "risk or harm" threshold is required for Mexican purposes, and the only requirement is that there is harm to moral or economic rights.

Due to the lack of specific regulations on cybersecurity, no specific practices are permitted or restricted for network monitoring and other cybersecurity defensive measures.

Private communications in Mexico may be intercepted by the competent authorities only when there is a specific court order on this. 

In the private sector, provided the business is not a regulated entity, there is no obligation to disclose or share information of a cyber-attack with the government.

In the financial sector, financial institutions or companies subject to financial laws are obliged to disclose cyber-attacks to the relevant authorities.

There are no benefits in sharing information with the authorities when a company is not obliged to share such information. 

No significant actions are carried out by INAI regarding data breaches or cybersecurity attacks related to personal data. 

From the publicly available information, INAI appears to have imposed no specific sanctions on controllers that have suffered data breaches. 

However, in the financial sector, with regard to the new measures to be adopted for the security Interbank Electronic Payments System, Banxico determined that many financial institutions were not in complete compliance with the new rules and imposed economic sanctions on the non-complaint institutions. 

There are no applicable legal standards in Mexico. 

Litigation involving cybersecurity allegations or data security incidents or breaches is deemed confidential in Mexico and because of this, no public information is available. 

Class actions, collective redress and representative actions are not permitted for these types of activities in Mexico. 

One of the key aspects of cybersecurity and due diligence arises from the specific agreements which may be in place regarding security measures. Also, it is important that any cloud provider complies with the requirements of the data protection law regarding the hiring of cloud providers located locally or abroad.

There are no specific rules on processes to be followed in due diligence, so any matter arising from due diligence is understood to be mutually agreed by the relevant parties. 

There are no specific laws in Mexico requiring public disclosure of an organisation’s cybersecurity risk profile or experience.

There are no further considerations regarding cybersecurity regulations in Mexico.