Translated from Spanish: CNBV must report on cyberattacks against entities: INAI

Mexico.- The National Banking and Securities Commission (CNBV) must provide a public version of the “Report of events of loss of information managed through electronic media”, which contains information about the harm caused by cyberattacks on entities of the Mexican financial system, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) instructed. Presenting the matter before the plenary, Commissioner Joel Salas Suárez stated that, in this case, public information is a key tool that allows citizens to understand the vulnerabilities of the financial system and learn about the actions of the authorities to prevent cyberattacks.

“According to SonicWall, a developer of cybersecurity tools, Mexico is the third country with the most cyberattacks in the world. In the last year alone, 78 percent of companies and institutions had at least one attack, and it is estimated that, per month, 17 percent of Mexicans who have access to the internet experienced them”, said the Commissioner. Salas Suárez pointed out that public information will make it possible to assess whether all possible actions to mitigate future cyberattacks have been taken.

“The last big attack in Mexico was against the financial system during April and May 2018. Five financial institutions lost more than 300 million pesos due to an intentional failure in the connection to the Interbank Electronic Payment System (SPEI), through which unauthorized transfers were made to false accounts”, he said. He added that cyberattacks like this are one of the biggest threats for Mexico because of the risks involved, including identity theft and million-dollar losses.

In this context, a private individual asked the CNBV for information about cyberattacks on entities of the Mexican financial system, broken down by origin, damage, detainees and the body that contained the problem. The CNBV classified the information as reserved for five years, arguing that disclosing it could represent a risk to the stability of the financial system and, in addition, would obstruct verification, inspection and audit activities, among others.

Dissatisfied, the individual filed an appeal for review with the INAI, stating that the requested information does not compromise the integrity of the Mexican financial system. On gaining access to the classified information, Commissioner Salas Suárez's office noted that the “Report of events of loss of information managed through electronic media” would answer the request for information.
Regarding the grounds given for classification, it was determined that publicizing the damage caused by an unauthorized computer intrusion that happened in the past does not affect the present functioning of the system, so providing the information would not put at risk the stability of financial institutions or of the country's financial system. The other argument the obligated entity used to reserve the data was that four surveillance procedures were underway; in this regard, it was found that the information contained in the “Report of events of loss of information managed through electronic media” is not linked to the activities of the monitoring procedure.

That is, the dissemination of information about the damage caused by cyberattacks does not constitute a provable and identifiable risk to the public interest, so limiting the right of access to information in this case is disproportionate, because neither the motivation nor the harm needed to justify withholding the requested documentation is apparent.

Based on the arguments presented, the plenary of the INAI decided, by majority, to modify the response of the CNBV and instructed it to prepare a public version of the “Report of events of loss of information managed through electronic media”, in which only the following may be classified: personal data, the name of the financial entity that suffered the attack, the address of the headquarters where the security incident occurred, and identification data of third parties who administered the information.


