The rising threat of cyber war in Latin America

A journalist asked me 3 weeks ago to answer five questions about the rising threat of cyber war in Latin America for an article she wrote for the online review of the Latin American Corporate Counsel Association:

  • Do you think most organizations fully understand cybersecurity risks and related legal obligations in Latin America?
  • Do you think certain sectors are more at risk than others? If so, which and why do you think this is the case?
  • What do you think the major issues concerning cybersecurity are for companies? And what can general counsel and compliance officers do to ensure they are properly protected?
  • Do you think there needs to be more legislation on matters relating to cybersecurity, data security, and privacy in Latin America?
  • What do you think the future holds in store for cybersecurity related matters?

"Cyberwar" by watchingfrogsboil. Available under an "Attribution-NonCommercial-ShareAlike 2.0 Generic (CC BY-NC-SA 2.0)" Creative Commons license at https://flic.kr/p/bMAZBz.


Here are my answers:

1. Do you think most organizations fully understand cybersecurity risks and related legal obligations in Latin America?

With many Latin American clients, the mentality is still not to invest and act before getting into trouble, and to take cybersecurity risks into account only when it’s too late, which usually ends up costing much more than taking preventive measures.

2. Do you think certain sectors are more at risk than others? If so, which and why do you think this is the case?

Companies that process financial and patrimonial personal data (banks, insurers, retailers, …) are more attractive to cyber criminals because the data that can be stolen from them offers higher profit opportunities.

3. What do you think the major issues concerning cybersecurity are for companies? And what can general counsel and compliance officers do to ensure they are properly protected?

Manage trust among their customers, clients and business associates by showing they have taken preventive measures to mitigate the risk of a data breach, not only for the company but also for their clients and customers. As data breaches will inevitably occur one day or another, companies can no longer bury their head in the sand waiting for the storm to go by, but should proactively establish incident response and risk mitigation strategies. Unfortunately, in many Latin American countries, the trend is still for a company to hide a breach affecting their clients and customers’ personal data instead of establishing a relationship of trust with them by, e.g., explaining to them what they are doing to diminish the impact of a breach and notifying them, once a breach has occurred, of the ways to mitigate its impact. Most of the corporate breaches in Latin America that I am aware of and could point to are cases where the company’s clients have not been notified and are at a higher risk of identity theft than if the company had duly informed them of how the breach affected them.

4. Do you think there needs to be more legislation on matters relating to cybersecurity, data security, and privacy in Latin America?

A couple of countries in Latin America have already legislated on cybersecurity and breach notification; many have already done so on data protection issues. However, it is less the legislation that will provoke changes in companies’ ways of doing business. It is rather the strength of enforcement, which will increase, and the impact of customers’ reactions (broken trust) on companies’ profits, that will modify corporate behavior. As in the US and the EU, it will take more than a decade for companies to adapt the way they do business to the growing body of data protection rules that have been enacted in many states in Latin America.

5. What do you think the future holds in store for cybersecurity related matters?

Unfortunately, as more business is done online for a growing number of industries, cybersecurity risks are only set to increase, and with them the risks that the relationship between companies and their users, customers and consumers will be put to the test. It’s the relationship of trust between a company and its clients that will be the determining factor in the success of companies operating in Latin America, as in other regions of the world.

 

See interview at: Alison O’Connell, “Your Weapons in the Cyber War”, The Latin American Corporate Counsel Association, 24 March 2014.  The article is available here for subscribers.  It is also available in full here [pdf].

Extracts below:

As governments and the private sector across the globe look for ways to deal with the rising threat of cybersecurity, Latin American general counsel are being placed on the front line to protect their organizations.

As any general counsel worth their salt knows, risk and opportunity are intimately intertwined. So while organisations are happily and fully exploiting the business benefits of society’s move online and increased connectivity, so too are they faced with increasingly significant risks by those who exploit such benefits to attack organisations.  […]

With such breaches posing a significant, and potentially devastating, impact on a company’s reputation and financial position, it is no surprise that businesses globally are waking up to the risks. In fact, the same report by The Ponemon Institute stated that 41 per cent of large organisations said they now consider cyber risk to be more important than other insurable business risks. In addition, nearly a third of those surveyed in Consero Group’s General Counsel Survey in 2013, acknowledged having experienced a corporate cyber breach in the previous year.  […]

“Unfortunately, in many Latin American countries, the trend is still for a company to hide a breach affecting their clients and customers’ personal data instead of establishing a relationship of trust with them by explaining to them what they are doing to diminish the impact of a breach and notifying them, once a breach has occurred, of the ways to mitigate its impact,” says Cédric Laurant, data privacy lawyer and public policy expert, based in Mexico City. […]

Now is the time to be proactive, as Laurant points out. “Data breaches will inevitably occur one day or another.  Companies can no longer bury their head in the sand waiting for the storm to go by, but should proactively work to establish incident response and risk mitigation strategies.”