
As the digital landscape continues to evolve, cybersecurity has become a critical concern for businesses operating in Mexico. This article aims to provide an overview of the current state of cybersecurity in Mexico, the legal implications and the crucial role of legal professionals in this domain. We will also discuss the recent legislative developments and the future of cybersecurity in the country.

Mexico’s cybersecurity landscape: a statistical overview

Mexico has been a significant target for cyberattacks, with a surge in incidents recorded in 2023. According to a report by BlackBerry, Mexico was among the top six countries most targeted by cyberattacks, accounting for 4% of global attacks. In 2023, Mexico faced a surge in cyberattacks due to increased artificial intelligence use and inadequate regulations, with 44% of Latin American attacks targeting the nation. The successful attacks, which accounted for 52% of the total, incurred an estimated annual cost of USD 2 million. The industries most impacted included public institutions, industrial companies, financial organizations and retailers. However, Mexican car manufacturing plants have also been a desirable target. Because automotive manufacturing is a particularly important industry in Mexico, automotive manufacturers should maintain legal teams with expertise in cybersecurity and create efficient communication pathways with government bodies focused on cybersecurity to allow them to exchange information about potential threats and effective strategies. Additionally, they must formulate plans to respond to cyber incidents.

Mexico’s legal framework for cybersecurity is dispersed across various subject areas, including finance, government procurement, telecommunications, labor, consumer protection, data protection and intellectual property. While there is no dedicated law for cybersecurity, several laws and regulations impose security obligations on businesses in Mexico, including:

  • the Federal Telecommunications and Broadcasting Law;
  • the Federal Law of Protection of Personal Data held by Private Parties and its implementing regulations;
  • the General Law on Transparency and Access to Public Information;
  • the Federal Criminal Code;
  • the recommendations issued by the Mexican data protection authority;
  • circulars issued by the National Banking and Securities Commission; and
  • Mexican standards, such as the NMX-I-27001-NYCE-2015, which outline the requirements for creating, maintaining and enhancing information security practices within an organizational context, among other laws, regulations and recommendations.

Mexico’s National Cybersecurity Strategy was published in 2017 by the government of Enrique Peña Nieto and then largely ignored by the administration of President Lopez Obrador. This key document outlined the Mexican state’s vision in cybersecurity, emphasizing the importance of information and communication technologies as a political, social and economic development factor in Mexico. Unfortunately, it was mostly disregarded by the departing administration, but we are looking forward to a push on this front from the upcoming administration.

In 2023, a couple of “Federal Cybersecurity Law” initiatives were published. The leading initiative, published by Javier Joaquin Lopez Casarin, proposes establishing a legal and operational framework for new cybersecurity authorities and defining crimes, as well as creating new crimes and institutions, such as the “National Cybersecurity Agency” and a prosecutor’s office specialized in cybercrimes. This initiative also proposes the appointment of specialist judges.

Involving legal professionals in cybersecurity is crucial. They play a pivotal role in interpreting and applying the existing laws, advising on compliance issues, and advocating for stronger legal protections. The legal community’s active participation in cybersecurity can help businesses understand their responsibilities, mitigate risks and respond effectively to cyber threats.

The future of cybersecurity in Mexico under President Claudia Sheinbaum

President Claudia Sheinbaum’s term could bring significant changes to Mexico’s cybersecurity landscape. Sheinbaum, a scientist by training, is expected to bring a reasoned and better-coordinated approach to engaging with cybersecurity issues. She proposed creating a national intelligence system to enhance investigation and law enforcement efforts and improve coordination among key agencies. Her administration is expected to continue using the armed forces to provide public security in Mexico.

The future of cybersecurity in Mexico under President Claudia Sheinbaum’s administration holds promise for improved coordination, enhanced legal protections and a more robust response to cyber threats. In addition, the majority that President Claudia Sheinbaum’s political party holds in Congress could make it easier for new bills to pass. Furthermore, the recently published United Nations Cybercrime Convention provides the balanced cybersecurity framework that the government and civil law organizations pursued for years.

In conclusion, as cybersecurity threats continue to evolve, it is crucial for businesses and legal professionals in Mexico to stay informed about the changing legal landscape, understand the implications of new laws and regulations, and take proactive measures to protect their digital assets.

Mexico and the United Nations Cybercrime Convention

The recently published United Nations Cybersecurity Convention will be binding for Mexico once adopted by the United Nations General Assembly and ratified by Mexico. As a member state of the United Nations, Mexico participated in its negotiation and is expected to adhere to the convention’s provisions upon its formal adoption. Mexico’s participation in preparing the draft involved a collaborative effort from various government agencies.

The United Nations Cybersecurity Convention is a landmark agreement aimed at enhancing global cooperation to combat cybercrime. Its preamble underscores the necessity for international collaboration in addressing the growing threat of cybercrime.

The convention’s general provisions define key terms and outline the scope, covering both cyber-dependent crimes (like hacking and malware distribution) and cyber-enabled crimes (such as online fraud and child exploitation). It criminalizes core cyber-dependent offenses, cyber-enabled crimes and additional offenses like terrorism and drug trafficking facilitated through ICT.

The convention establishes procedural measures and law enforcement guidelines for investigating and prosecuting cybercrimes, including standards for handling digital evidence and defining jurisdictional reach. The convention promotes international cooperation through mutual legal assistance, extradition procedures and joint investigations.

Technical assistance and capacity-building are key components of the scheme, offering training, resources and technology transfer to member states. The convention also encourages public-private partnerships to bolster cybersecurity efforts.

Human rights and safeguards are integral to the convention, ensuring privacy, data protection, due process and nondiscrimination in its application. Implementation and monitoring mechanisms have been established to oversee the convention’s enforcement, requiring regular reporting and periodic reviews by member states.

Overall, the convention provides a comprehensive framework for tackling cybercrime globally, emphasizing cooperation, capacity-building and respect for human rights. The convention would require Mexico to update various regulations and laws to align with international standards, while preserving privacy rights.

This article was originally published by El Financiero.

Author

Carlos is one of Mexico's most active privacy, data protection and information security lawyers. He has implemented privacy management compliance programs for over 100 companies, including several Fortune 500 companies. He advises on corporate and commercial matters where privacy is an issue, including e-discovery, FCPA investigations, e-commerce, direct marketing, privacy in the workplace, litigation and M2M communications.

Author

Daniel Villanueva Plasencia is a member of Baker McKenzie’s Intellectual Property Practice Group in Guadalajara. He has extensive experience in intellectual and industrial property matters, including trademarks, patents and copyrights. Prior to joining the Firm, he was the founding partner of a local firm in Guadalajara.