Inter-American Dialogue's Latin America Advisor asked Marcela Cristina Blanco, associate attorney in Diaz Reus’ Bogota, Colombia office: How Well Do Latin American Banks Protect Against Cyber Attacks?
Latin America Advisor:
More than half of Latin American financial institutions have experienced some type of electronic breach of their secure information within the past 12 months, according to a recent study by Deloitte. Financial institutions in Colombia and Peru have had the largest quantity of such incidents, while Guatemala and Mexico have had the fewest. Why have Colombian and Peruvian financial firms experienced so many attacks? How adequate are Latin American banks’ safeguards against such incidents? What additional steps should financial institutions in the region take in order to protect their information and their customers’ assets?
Colombian financial firms have experienced electronic breaches because of the low level of cybersecurity awareness, which precipitates unsafe online habits, causing vulnerable Internet users to be defrauded. Also, cybercriminals have become smarter, better organized and more persistent. Common gaps in IT security policies for financial institutions include malware, access to sensitive data using non-approved computer systems and an avalanche of new third-party business applications being downloaded to users' hardware and institutional servers. The exponential growth of mobile devices also drives security risks. Every new smart phone, tablet, or other mobile device opens a new window for a cyber attack.
Insufficient police training on advanced attacks and difficulties in preserving and examining digital evidence are significant impediments to stopping cybercrime in Colombia. However, the country is taking steps to combat it. First, Colombia approved a cybersecurity and defense policy in 2011, becoming the first country in Latin America to adopt a national strategy to tackle cybercrime. To improve cybersecurity, Colombian financial institutions must now know the channels through which all of their information assets are accessed. It is no longer sufficient to secure the IT perimeter; it is necessary to secure the data wherever it travels and wherever it lives. Second, management responsibility and accountability are typically dispersed and fragmented in financial institutions. Now, they must clearly define cybersecurity governance structures, including specific oversight responsibilities. Third, financial institutions are expected to extend security to the device level as well as the application layer. And, finally, financial institutions must check and double check users' identity and implement stronger identity-management methods.
Early detection, policing and tighter security on financial transactions and procedures will eliminate some of the risk, but not all. We have much yet to do in our efforts to fight cybercrime.