Copyright Page
IMF Country Report No. 22/340
MEXICO
FINANCIAL SECTOR ASSESSMENT PROGRAM
TECHNICAL NOTE ON TECHNICAL NOTE ON CYBER RESILIENCE AND FINANCIAL STABILITY
November 2022
This Technical Note on Technical Note on Cyber Resilience and Financial Stability for the Mexico FSAP was prepared by a staff team of the International Monetary Fund as background documentation for the periodic consultation with the member country. It is based on the information available at the time it was completed in October 2022.
Copies of this report are available to the public from
International Monetary Fund • Publication Services
PO Box 92780 • Washington, D.C. 20090
Telephone: (202) 623-7430 • Fax: (202) 623-7201
E-mail: publications@imf.org Web: http://www.imf.org
Price: $18.00 per printed copy
International Monetary Fund
Washington, D.C.
© 2022 International Monetary Fund
Title Page
MEXICO
FINANCIAL SECTOR ASSESSMENT PROGRAM
October 25, 2022
TECHNICAL NOTE
CYBER RESILIENCE AND FINANCIAL STABILITY
Prepared By
Monetary and Capital Markets Department, IMF
This Technical Note was prepared by IMF staff in the context of the Financial Sector Assessment Program (FSAP) in Mexico. The note contains the technical analysis and detailed information underpinning the FSAP findings and recommendations. Further information on the FSAP program can be found at FSAP program can be found at http://www.imf.org/external/np/fsap/fssa.aspx.
Contents
Glossary
EXECUTIVE SUMMARY
INTRODUCTION
A. Background: Cyber Risk as a Financial Stability Concern
B. Review Scope: Banks, Nonbanks, and Financial Market Infrastructures
STRATEGY AND GOVERNANCE
A. Cyber Strategy
B. Institutional Framework
C. Governance Arrangements
D. Coordination and Cooperation
E. Resources
F. Recommendations
FINANCIAL SYSTEM AND CYBER MAPPING
A. Cyber Map of the Financial System
B. Outsourcing and Third-Party Risk
C. Recommendations
CYBER REGULATORY FRAMEWORK AND SUPERVISORY PRACTICES
A. FMI Cyber Oversight
B. Cyber Supervision
C. Recommendations
MONITORING, RESPONSE AND RECOVERY
A. Monitoring
B. Response and Recovery
C. Recommendations
INFORMATION SHARING AND INCIDENT REPORTING
A. Information Sharing
B. Incident Reporting
C. Recommendations
CYBER DETERRENCE
BOX
1. Responsibilities of DG-ISS and DG-OTR at CNBV
FIGURES
1. Structure of Possible Financial Sector Cyber Map
2. FMI Landscape
TABLES
1. Recommendations on Cyber Resilience and Financial Stability
2. Responsibility of Divisions in the Directorate of Cybersecurity at Banxico
3. Cyber Incidents During 2020–2021
4. Cyber Incidents Reporting Regimes
Glossary
| ABM | Asociación de Bancos de México (Mexican Banking Association) |
| AMIB | Mexican Association of Brokerage Institutions |
| AMSOFIPO | Mexican Association of Popular Financial Companies |
| APT | Advanced Persistent Threat |
| BANCOMEXT | Banco Nacional de Comercio Exterior |
| Banxico | Banco de México (Central Bank) |
| BCBS | Basel Committee on Banking Supervision |
| CCP | Central Counterparty |
| CERT | Computer Emergency Response Team |
| CESF | Consejo de Estabilidad del Sistema Financiero (Financial System Stability Council) |
| CESI | Information Security Specialized Committee |
| CIDGE | Inter-Ministerial Commission for the Development of Electronic Government |
| CISO | Chief Information Security Officer |
| CNBV | Comisión Nacional Bancaria y de Valores (National Banking and Securities Commission) |
| CNSF | Comisión Nacional de Seguros y Fianzas (National Insurance and Sureties Commission) |
| CONCAMEX | Confederation of Savings and Loan Cooperatives of Mexico |
| CONDUSEF | Comisión Nacional para la Protección y Defensa de los Usuarios de Servicios Financieros (National Commission for Financial Services Consumer Protection) |
| CONSAR | Comisión Nacional del Sistema de Ahorro para el Retiro (National Commission for Savings for Retirement) |
| CPMI | Committee on Payments and Market Infrastructures |
| CPSS | Committee on Payment and Settlement Systems |
| CSD | Central Securities Depository |
| CSP | Cloud Service Provider |
| FGR | General Attorney Office |
| FMI | Financial Market Infrastructure |
| FSB | Financial Stability Board |
| FS-ISAC | Financial Services Information Sharing and Analysis Center |
| GRI | Information Security Sensitive Incident Response Group |
| GTL | Generic Threat Landscape |
| ICT | Information and Communication Technology |
| IMF | International Monetary Fund |
| INAI | Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (National Institute of Transparency, Access to Information and Protection of Personal Data) |
| IOSCO | International Organization of Securities Commissions |
| ISO | International Organization for Standardization |
| NIST | National Institute of Standards and Technology |
| OSSAT | European Central Bank’s Operational Security Situational Awareness Secretariat |
| SHCP | Secretaría de Hacienda y Crédito Público (Ministry of Finance and Public Credit) |
| SPEI | Interbank Electronic Payment System |
| SWIFT | Society for Worldwide Interbank Financial Telecommunications |
| TTP | Tactics, Techniques and Procedures |
Executive Summary1
Mexico’s financial system is digitalizing rapidly, increasing exposure to cyber risk. As in other jurisdictions, internet and mobile banking users in Mexico have increased substantially, but cyber incidents have also surged in recent years. The tight interdependencies within its financial system, and beyond, make Mexico vulnerable to evolving cyber threats. Thus, the Financial System Stability Council (CESF) has recognized cyber as a risk with potential to impact financial stability.
Banco de México (Banxico) and Comisión Nacional Bancaria y de Valores (CNBV) have made significant progress in enhancing the cyber resilience of the financial sector, but further work and enhancements are needed. Each authority has within its organization a dedicated division in charge of promoting cybersecurity and cyber resilience in the financial sector. Formal agreements to improve coordination and cooperation within the financial sector in the field of cybersecurity are an excellent example of coordination and cooperation, in comparison to international peers. Banxico has developed a cybersecurity strategy. However, both authorities would benefit from an enhancement to the cyber strategy that specifies how to effectively identify, manage, and reduce cyber risk for the financial sector and the financial market infrastructures in an integrated and comprehensive manner at a systemic level.
Banxico should strengthen the cyber risk oversight of financial market infrastructures (FMIs). Although Banxico’s supervision of participants that connect into the Interbank Electronic Payment System (SPEI) is strong, Banxico should set clear regulatory requirements for all the FMIs under its mandate, leveraging the CPMI-IOSCO guidance, thereby increasing the cyber resilience of the FMIs. In addition, intensive cyber training of overseers, combined with a structured, comprehensive cyber oversight approach and adequate tools, would increase the capabilities and effectiveness of the oversight function.
The payment system oversight function should be given adequate independence and resources to conduct thorough oversight of the SPEI system. Banxico applies three lines of defense model (i.e., operations, risk management, and internal audit) to operate the SPEI system, as well as secured transmission of information and accountability rules, benefiting from strong cybersecurity and operations units. But there is no formal oversight to conduct its own independent, continuous, and intensive oversight of SPEI as a systemically important payment system in the context of the CPMI/IOSCO principles. Granting adequate independence from the SPEI operators and resources will help the oversight division, within the Directorate General of Payment Systems and Market Infrastructures, to fulfill Banxico’s mandate towards all payment systems, including SPEI.
Cyber risk regulation and supervisory practice need significant improvements. CNBV is encouraged to issue enforceable guidance or regulation to all its supervised financial entities on cyber risk, not only for credit institutions and fintech.2 CNBV should also implement a more structured, risk-based approach to cyber supervision, supported by adequate tools. Onsite inspections of financial entities have just started in April 2022, and offsite supervision would benefit from clear identification of possible risks, like transmission of information not well secured and the lack of accountability rules. Finally, the cyber supervision unit should be given sufficient resources to discharge its responsibilities and use a mix of different regulatory tools (e.g., use of independent auditors), thereby maximizing efficiency with its limited resources.
Banxico and CNBV would benefit from considering developing a cyber map of the financial system. While cyber mapping is an emerging field, it will help deepen the understanding of how financial entities and FMIs are operationally and technologically interconnected, the steps they have taken to guarantee the security of the information, and which transmission channels could trigger financial instability via cyber-attacks. Based on this analysis, they should develop a range of cyber contagion scenarios and use these in their joint faculties to build stronger sector-wide crisis preparedness.
Mexico would benefit from improving its public and private platforms for threat intelligence and information sharing. By exchanging cyber information and intelligence within a sharing community, financial entities can improve their defensive capabilities, threat detection techniques, and mitigation strategies. Banxico should work with the financial sector to develop an industry-wide cyber information and intelligence sharing network.
Further improvements in the response and recovery capabilities are recommended. CNBV would benefit from formalizing internal and cross-border crisis management protocols for cyber incidents, whilst both Banxico and CNBV should put in practice concrete actions in connection with the Bases of Coordination to improve the cross-agency crisis management framework for cyber risk.3 By improving the coordination and cooperation between the public and private stakeholders, Mexico will be better placed to manage a systemic cyber incident. Finally, Banxico and CNBV in their joint faculties should regularly conduct market-wide cyber crisis table-top based simulation exercises, including different agencies (e.g., the Ministry of Finance and Public Credit and IPAB) and financial entities/FMIs, based on a range of extreme but plausible scenarios.
The authorities need to increase awareness within the financial sector on the cyber deterrence processes around the Bases of Coordination. It sets out the protocols for cyber deterrence and investigation and prosecution of cybercriminals. The responsibility for investigation and prosecution lies with the General Attorney, but there are some key challenges: for example, financial entities must formally request an investigation but are reluctant to do so, as it leads to confiscation of key assets; and there is a need to build technical expertise amongst judges and investigators to analyze the crime and evidence. Banxico and CNBV could play an effective role in issuing guidance for financial entities on how to store, handle, and administer evidence to facilitate investigations and raise awareness on the important needs for developing expertise inside financial entities and to conduct effective investigations of cyber incidents.
The authorities should improve the implementation processes around the Bases of Coordination. It provides a good basis for coordination and collaboration between the public and private stakeholders in Mexico, although formally there is no lead agency at this moment that is responsible for its overall implementation. The Bases of Coordination needs to be translated into operational structures, policies, and procedures, with a clear leadership structure. Banxico and CNBV should set out clearly how they will work together—with each other, with the industry, with other authorities, etc.—without compromising their individual mandates. Work is being done to formalize these structures and processes, with Banxico and CNBV proposing that they take on the role of leadership between themselves. Implementing these structures and processes should be a priority as greater coordination and cooperation will enable a more integrated and holistic approach to building cyber resilience in the financial sector.
Mexico: Recommendations on Cyber Resilience and Financial Stability
I Immediate (within 1 year); NT Near Term (within 1-2 years); MT Medium Term (within 3-5 years).
Mexico: Recommendations on Cyber Resilience and Financial Stability
| Recommendations and Authority Responsible for Implementation | Timing | Responsible Authorities |
|---|---|---|
| Strategy and Governance | ||
| Banxico and CNBV should keep developing their cyber strategies, both in their own mandates as well as in their joint functions, for the financial sector and FMIs, with a clear vision and objectives, clear articulation of roles and responsibilities in operationalizing the strategy, initiatives and tools required to operationalize the strategy, roadmap for implementation and timelines, and estimates of resources and investment required to achieve the strategy (¶31). | I | Banxico, CNBV |
| Banxico and CNBV in their joint faculties should clarify their different roles and responsibilities, in terms of internal coordination and external cooperation, regarding cyber risk (¶32, 33). | NT | Banxico, CNBV |
| Banxico and CNBV should formalize the operational structures, policies, and procedures to operationalize the Bases of Coordination and Information Security Sensitive Incident Response Group (GRI), to enable cross-agency information sharing, cooperation, and coordination, with a clear articulation of the roles and responsibilities of the different stakeholders (both public and private) in the Mexican financial sector, with clarity on the role of the lead agency or agencies (¶34). | NT | Banxico, CNBV |
| Banxico and CNBV should increase their capacity to fulfill their roles in strengthening the cyber resilience of the Mexican financial sector, taking into consideration a range of different approaches, such as increased resources and tools (¶35). | NT | Banxico, CNBV |
| Financial system and cyber mapping | ||
| Banxico and CNBV in their joint faculties should consider developing a cyber map of the financial sector to analyze the different transmission channels, document a range of different contagion scenarios, and develop playbooks and conduct exercises, as well as consider potential stress testing scenarios, based on these scenarios (¶45). | MT | Banxico, CNBV |
| CNBV should maintain a specific database of third-party service providers of systemically important financial entities and FMIs and conduct analysis to identify the critical third-party service providers and determine whether there is concentration risk in the Mexican financial system (¶46). | NT | CNBV |
| Cybersecurity Risk Oversight (Banxico) | ||
| Banxico should develop and issue regulatory requirements, based on the CPMI-IOSCO guidance and its cyber strategy, for the FMIs under its oversight mandate, including SPEI (¶61). | I | Banxico |
| Banxico should follow a more structured and comprehensive process for cyber risk oversight. This includes utilizing a portfolio of tools and techniques to assess measures used to address cyber risk against set requirements, reaching clear conclusions, and identifying specific remedial measures or thematic findings. Such assessments and findings should be taken into consideration as part of the definition of future actions. In addition, Banxico should provide appropriate cyber training to its overseers (¶61). | NT | Banxico |
| The oversight division, within the Directorate General of Payment Systems and Market Infrastructures, should be given enough independence and resources to formally conduct thorough oversight of the SPEI payment system, or fulfill that oversight function under Banxico’s mandate in any other organizational arrangement (¶62). | NT | Banxico |
| Banxico and CNBV in their joint faculties should collaborate to effectively operationalize their respective oversight and supervisory responsibilities for DALI, CCV, and Asigna, setting clear regulatory requirements and developing an effective process for joint cyber oversight and supervision of the aforementioned FMIs (¶61). | NT | Banxico, CNBV |
| Cybersecurity risk supervision (CNBV) | ||
| CNBV should issue enforceable guidance or regulation to all its supervised financial entities on cyber risk, based on international standards and best practices (¶63). | I | CNBV |
| CNBV should follow a more structured approach for cyber supervision. This should include more intrusive on-site cyber risk inspections and a more structured approach to offsite supervision, including use of other supervisory tools (e.g., use of independent third-party reviews) given the limitations in resources (¶64). | NT | CNBV |
| Monitoring, Response and Recovery | ||
| Banxico and CNBV should consider developing a Generic Threat Landscape (GTL) Report, which sets out the specific threat landscape of the Mexican financial system, taking into consideration the geopolitical and criminal threats unique to the jurisdiction (¶75). | MT | Banxico, CNBV |
| Banxico should consider conducting a full scope red team test on its IT environment, to test the full range of its protection, detection, and response controls (¶76). | MT | Banxico |
| Banxico and CNBV, in their joint faculties, should regularly conduct market-wide cyber crisis simulation exercises, including different agencies and financial entities, based on a range of extreme but plausible scenarios (¶77). | NT | Banxico, CNBV |
| CNBV should develop and document crisis communication protocols, setting out the roles and responsibilities of all the relevant stakeholders during an incident, as well as the procedures to manage an incident, whether domestic or international. This should include a playbook for different cyber scenarios (¶78, 85). | NT | CNBV |
| Information sharing and incident reporting | ||
| Banxico should work with the financial sector to develop and operationalize a cyber information and intelligence sharing network (¶84). | MT | Banxico |
| Cyber deterrence | ||
| Banxico and CNBV in their joint faculties could play an effective role in enhancing cyber deterrence by issuing guidance for financial entities on how to store, handle and administer evidence to facilitate investigations and by raising awareness amongst the General Attorney’s office on the importance of effective investigations of cyber incidents in the financial sector (¶90). | MT | Banxico, CNBV |
I Immediate (within 1 year); NT Near Term (within 1-2 years); MT Medium Term (within 3-5 years).
Mexico: Recommendations on Cyber Resilience and Financial Stability
| Recommendations and Authority Responsible for Implementation | Timing | Responsible Authorities |
|---|---|---|
| Strategy and Governance | ||
| Banxico and CNBV should keep developing their cyber strategies, both in their own mandates as well as in their joint functions, for the financial sector and FMIs, with a clear vision and objectives, clear articulation of roles and responsibilities in operationalizing the strategy, initiatives and tools required to operationalize the strategy, roadmap for implementation and timelines, and estimates of resources and investment required to achieve the strategy (¶31). | I | Banxico, CNBV |
| Banxico and CNBV in their joint faculties should clarify their different roles and responsibilities, in terms of internal coordination and external cooperation, regarding cyber risk (¶32, 33). | NT | Banxico, CNBV |
| Banxico and CNBV should formalize the operational structures, policies, and procedures to operationalize the Bases of Coordination and Information Security Sensitive Incident Response Group (GRI), to enable cross-agency information sharing, cooperation, and coordination, with a clear articulation of the roles and responsibilities of the different stakeholders (both public and private) in the Mexican financial sector, with clarity on the role of the lead agency or agencies (¶34). | NT | Banxico, CNBV |
| Banxico and CNBV should increase their capacity to fulfill their roles in strengthening the cyber resilience of the Mexican financial sector, taking into consideration a range of different approaches, such as increased resources and tools (¶35). | NT | Banxico, CNBV |
| Financial system and cyber mapping | ||
| Banxico and CNBV in their joint faculties should consider developing a cyber map of the financial sector to analyze the different transmission channels, document a range of different contagion scenarios, and develop playbooks and conduct exercises, as well as consider potential stress testing scenarios, based on these scenarios (¶45). | MT | Banxico, CNBV |
| CNBV should maintain a specific database of third-party service providers of systemically important financial entities and FMIs and conduct analysis to identify the critical third-party service providers and determine whether there is concentration risk in the Mexican financial system (¶46). | NT | CNBV |
| Cybersecurity Risk Oversight (Banxico) | ||
| Banxico should develop and issue regulatory requirements, based on the CPMI-IOSCO guidance and its cyber strategy, for the FMIs under its oversight mandate, including SPEI (¶61). | I | Banxico |
| Banxico should follow a more structured and comprehensive process for cyber risk oversight. This includes utilizing a portfolio of tools and techniques to assess measures used to address cyber risk against set requirements, reaching clear conclusions, and identifying specific remedial measures or thematic findings. Such assessments and findings should be taken into consideration as part of the definition of future actions. In addition, Banxico should provide appropriate cyber training to its overseers (¶61). | NT | Banxico |
| The oversight division, within the Directorate General of Payment Systems and Market Infrastructures, should be given enough independence and resources to formally conduct thorough oversight of the SPEI payment system, or fulfill that oversight function under Banxico’s mandate in any other organizational arrangement (¶62). | NT | Banxico |
| Banxico and CNBV in their joint faculties should collaborate to effectively operationalize their respective oversight and supervisory responsibilities for DALI, CCV, and Asigna, setting clear regulatory requirements and developing an effective process for joint cyber oversight and supervision of the aforementioned FMIs (¶61). | NT | Banxico, CNBV |
| Cybersecurity risk supervision (CNBV) | ||
| CNBV should issue enforceable guidance or regulation to all its supervised financial entities on cyber risk, based on international standards and best practices (¶63). | I | CNBV |
| CNBV should follow a more structured approach for cyber supervision. This should include more intrusive on-site cyber risk inspections and a more structured approach to offsite supervision, including use of other supervisory tools (e.g., use of independent third-party reviews) given the limitations in resources (¶64). | NT | CNBV |
| Monitoring, Response and Recovery | ||
| Banxico and CNBV should consider developing a Generic Threat Landscape (GTL) Report, which sets out the specific threat landscape of the Mexican financial system, taking into consideration the geopolitical and criminal threats unique to the jurisdiction (¶75). | MT | Banxico, CNBV |
| Banxico should consider conducting a full scope red team test on its IT environment, to test the full range of its protection, detection, and response controls (¶76). | MT | Banxico |
| Banxico and CNBV, in their joint faculties, should regularly conduct market-wide cyber crisis simulation exercises, including different agencies and financial entities, based on a range of extreme but plausible scenarios (¶77). | NT | Banxico, CNBV |
| CNBV should develop and document crisis communication protocols, setting out the roles and responsibilities of all the relevant stakeholders during an incident, as well as the procedures to manage an incident, whether domestic or international. This should include a playbook for different cyber scenarios (¶78, 85). | NT | CNBV |
| Information sharing and incident reporting | ||
| Banxico should work with the financial sector to develop and operationalize a cyber information and intelligence sharing network (¶84). | MT | Banxico |
| Cyber deterrence | ||
| Banxico and CNBV in their joint faculties could play an effective role in enhancing cyber deterrence by issuing guidance for financial entities on how to store, handle and administer evidence to facilitate investigations and by raising awareness amongst the General Attorney’s office on the importance of effective investigations of cyber incidents in the financial sector (¶90). | MT | Banxico, CNBV |
I Immediate (within 1 year); NT Near Term (within 1-2 years); MT Medium Term (within 3-5 years).
This Technical Note has been prepared by Emran Islam (IMF, Monetary and Capital Markets Department, Financial Supervision and Regulation Division). The FSAP thanks the authorities for the constructive dialogue and the many insights that they have shared.
For the purpose of this note, banks, nonbanks, and other types of financial institutions supervised by CNBV shall be referred to as financial entities, whilst financial market infrastructures shall be referred to as FMIs. It should be noted that CNBV has a draft regulation, which is expected to be issued this year.
The Bases of Coordination is a formal agreement signed by the Ministry of Finance and Public Credit (SHCP), Banxico, CNBV, CONDUSEF, CONSAR, CNSF, FGR, ABM, AMIB, AMIS, AMIG, AMAFORE, AMSOFIPO, AAGEDE, ASOFOM, the FinTech Association, AFICO and CONCAMEX to establish the basis for collaboration, in coordination with the Trade Associations and financial entities, on information security.