30 August, 2019
Brazil’s financial cybersecurity challenges

Latin America has been an early mover in offering digital services – but security has been a second thought. In Brazil, slow advances on cybersecurity regulations have created fertile ground for hackers and other malicious actors, argues Louise Marie Hurel of the Igarapé Institute

By Louise Marie Hurel, Igarapé Institute


Financial institutions are at the forefront of ensuring the security, stability, and resilience of digital infrastructure, systems, and networks. It’s a big responsibility. According to the World Economic Forum, data fraud and theft and cyber attacks are rated among the most dangerous risks facing business in 2019. These threats are hardly confined to wealthy countries.

There are examples across Latin America of increasingly disruptive cyber attacks. Many of which do not even reach international headlines. One case that attracted global attention was the 2018 attack against Mexico’s domestic interbank payment network SPEI, which resulted in US$15 million stolen from different institutions linked to the country’s financial system.

While Latin American firms have been early movers when it comes to digitizing services (apps, interfaces, mobile banking, fintechs), they have been less attentive to securing sensitive personal data as well as critical infrastructure. This has resulted in fertile ground for criminal groups, such as the Lazarus Group, to attack and exploit the vulnerabilities of financial institutions across the region. The digital economy across Latin America must be anchored in a culture of cybersecurity that has clear regulations and standards for data protection and privacy in order to curb emerging threats.  

Brazil is still developing a culture of cybersecurity across the financial sector. In 2018, 676.514 attacks, including malware, phishing and DDoS were officially reported. Financial institutions are still only starting to grasp the dimensions of the national threat landscape. While recent cybersecurity and privacy regulations and policies should incentivize changes in behavior, many institutions, in particular, small and medium enterprises, face considerable challenges at the implementation level. 

The stakes are high. In Brazil, there are 604 financial startups ranging from payment to financial management services. The financial sector is at the forefront of building a digital economy in the country and holds considerable responsibility over assets, transactions, and customers’ data. In 2018, the Brazilian Federation of Banks (Febraban) reported that of the 78.9 billion financial transactions registered in the country, 31.3 billion were solely through mobile banking — 24% higher than in 2017 and now accounting for 40% of all financial transactions. 


New communications strategies needed

Any effort to strengthen cybersecurity must include more efficient information sharing processes between banks, financial institutions, and state agencies. Having clear communication channels across sectors not only increases resilience across systems but also lowers the probability of reputational costs associated with attacks. 

Establishing more effective information sharing practices requires a degree of trust, shared guidelines, accountability, and transparency measures. Banks are currently testing new solutions. Launched in June by the Interbank Payments Clearinghouse (Câmara Interbancária de Pagamentos), the national Blockchain Network of the National Financial System aims to provide a secure environment for banks to share information on stolen devices. The expectation is that it will help banks draw more effective strategies for combating fraud. On the other hand, it raises data protection concerns, given the level sensitivity of the data being shared.


Regulation and self-regulation advances, slowly

Brazil has been working towards developing national and sectoral policies to address such challenges. National rules and regulations have only recently started focusing on security and data privacy. In early 2018, for example, the National Monetary Council issued a resolution (4658) making it compulsory for financial organizations regulated by the Central Bank to develop internal cybersecurity policies, an action plan for incident response, and abide by certain standards when contracting cloud services. This regulation was the first of its kind. Specific provisions require institutions to adopt the necessary capabilities to prevent, detect, and reduce vulnerabilities to implementing capacity building programs for internal security teams. A recent OAS report shows that only 56% of small-sized banks in Latin America and the Caribbean offer a mechanism for their clients to report incidents (successful attacks). 

Even so, there are some signs that Latin America’s financial sectors are setting out new thinking for self-regulation to promote cybersecurity. Consider the cybersecurity best practice guide published by the Brazilian Association of Institutions from the Financial Market (Anbima) which aims to share experiences and establish a common understanding of minimum security standards among their members. These complementary (yet essential) efforts may effectively aid in combining softer norms (e.g. Guides) and regulatory mechanisms (e.g. Resolution 4658). What is more, they also may significantly aid in establishing confidence, trust, and information sharing practices among like-minded institutions.

Meanwhile, a new National Data Protection Law sets the foundations for legal harmonization of at least 12 regulations that prescribe how personal data needs to be protected and handled by financial institutions. The Law — approved in 2018 and to come into force in August 2020 — also codifies key principles for managing personal data across different sectors and specifies how data controllers should maintain secure data processing and management practices.

But uncertainty remains: In July, a new version of the Law was approved, weakening penalties for non-compliance as well as revoking the requirement for human oversight of automated decision-making processes. These recent changes raise pressing questions as to the actual applicability and the overall strengthening of security and data protection mechanisms across financial institutions, private companies, and public sector bodies in Brazil.


‘Significant gaps’

As these developments indicate, technological breakthroughs and steep digitalization of the financial sector in Brazil have not been necessarily followed by robust security and data protection measures. Advances are still incremental and legal uncertainty over the implementation of the National Data Protection Law leaves significant gaps in the transparency and accountability of institutions implementing smart solutions for information sharing. Most importantly, it leaves an important question of what kind of cybersecurity culture Brazil wants to build. 

Louise Marie Hurel is a researcher at Igarapé Institute‘s Cybersecurity and Digital Liberties Program, ahead of cyber policy and strategy development.

LatAm fintech insights
Get the scoop on how your peers, competitors and clients are using fintech to get ahead. Leave your details to receive iupana's exclusive, in-depth coverage of banking technology in Latin America and the Caribbean in your inbox on Monday mornings. (You can unsubscribe in one-click if you decide it's not for you.)
Español English Português

Webinars on-demand