67% of the executives of Mexican companies surveyed by PwC believe that “increased public information sharing and transparency in cyber matters is a risk and can lead to the loss of competitive advantage,” according to PwC’s Digital Trust Insights 2023.
Why does it matter
Notifying authorities of cybersecurity incidents is a good cybersecurity practice, one that could be included in an upcoming cybersecurity regulation in Mexico.
85% of respondents said that “increased (cybersecurity) reporting to investors will be a net benefit to the organization and the entire ecosystem.”
For 82% of companies, “mandatory disclosures of cyber incidents that require comparable and consistent formats are necessary to gain the trust of stakeholders.”
62% of executives surveyed by PwC said that when they share “information about cyber incidents at our organization with law enforcement authorities, our organization receives direct and tangible assistance in responding to threats.”
In other words, according to the responses given by Mexican companies, while they are concerned about the competitive effects of sharing information on cybersecurity, they are already taking action to report cyber incidents to the organization itself and to the authorities.
For Juan Carlos Carrillo, director of Cybersecurity and Data Protection at PwC, this is due to two reasons: there is no level playing field for all Mexican companies, and there are no incentives or punishments for those who report, or fail to report, a cybersecurity incident.
“When there is not a level playing field and a company suffers a cyber incident and publishes it, this has a negative effect that is not suffered by competitors who also suffered an incident and did not publish it. Since there is no regulation for everyone equally, then I don’t say it because the one in front doesn’t say it either,” Carrillo said in an interview.
Carrot and stick
Carrillo added that within the Mexican regulation there is no incentive or exemplary punishment for those companies that notify or fail to notify the authorities that they were victims of a cyber attack. There is neither a carrot nor a stick.
“What is the advantage of me notifying you that I had that leak? Is the government going to help me? The Mexican regulation regarding personal data protection in the possession of individuals obliges you to notify the owners of the data, not even the authorities, and if I do not do so, they may open an investigation and sanction me, but there is no benefit for doing so,” said Carrillo.
The new edition of PwC Digital Trust Insights 2023, for whose Mexican edition the consultancy surveyed 147 Mexican executives from the areas of technology, information, finance, information security, as well as general managers, between July and August 2022, delves into the potential arrival of a cybersecurity regulation in Mexico.
Last September, the Morena legislator, Cristóbal Arias Solís, presented an initiative for a draft decree to create a National Center for Cyber Security. Senator Arias’ proposal joins the 13 initiatives to create laws and reform articles on cybersecurity that have been presented to the Congress of the Union and that could soon materialize in a regulation on cybersecurity in Mexico.
For Juan Carlos Carrillo, cybersecurity regulation should consider at least the following two aspects:
A government entity dedicated exclusively to addressing complaints from citizens and companies regarding digital crimes.
A cybersecurity commission that protects the infrastructure of the federal government itself.
For the PwC executive, what Mexican legislators should avoid when regulating cybersecurity is establishing inequalities, valleys and mountains, between the different sectors in complying with cybersecurity obligations and good practices, which would delay the development of companies relative to other jurisdictions.