Rising Cyber Threats
The region's increased use of new technologies has come with a hidden cost: cyber vulnerability. Following the Covid-19 pandemic there was a surge in many organisations and individuals moving their life online, with an increase in innovation in areas like fintech and e-commerce in Latin America. However, many of the new technologies and systems implemented have not been matched by the cybersecurity investment required. Why? Because of the level of initial costs involved. Larger corporate companies have Multi-Factor-Authentication installed, but it is rare for this to be seen at SME/PYME level. The statistics for attempted cyber attacks reveal that, for most SMEs/PYMEs the companies lack basic security measures on their employees' mobile phones, which is where many cyber attacks begin. For some it is a trust issue on new technology, and for others, it is the lack of awareness. There needs to be more training provided as threat actors are taking advantage of user's lack of knowledge to extract credentials, which are then used to carry out cyber attacks.
What type of cyber attacks are happening and where? In short, all of the same cyber attacks which are being seen world-wide. Although, not all attacks in Latin America are solely financial. Latin America has had its fair share of social unrest, and this is also mirrored in its cyber attacks. In recent years, the region has seen many of its Government agencies and bodies attacked which acted as a wake up call for organisations across Latin America:
- Argentina: In 2021, Argentina's entire populations' data appeared for sale on the dark web when the Registro Nacional de las Personas was hacked. The data which was leaked included home addresses, social security numbers, ID numbers and government photo ID's. At the time, Argentina's population was 45 million.
- Brazil: In 2020, Brazil's Superior Court of Justice was hit by a ransomware attack where its systems were offline for over two weeks, followed by its Ministry of Health in 2021 where the data of millions of citizens' Covid-19 vaccination details were deleted.
- Colombia: Colombia saw the data of Medellíns' citizens data leaked when its public energy company was targeted by the BlackCat group in 2022.
- Mexico: Mexico has also experienced hackers siphoning around $20 million from its banking system. In 2022, a threat actor group calling themselves Guacamaya (the Spanish word for macaw) hacked the Mexican Defense Ministry which included details about the president's health.
- Costa Rica: Costa Rica declared a 'state of emergency' when it experienced a series of ransomware attacks shortly after President Rodrigo Chaves was elected. Conti has now claimed that they launched the attack and pressured Costa Rican citizens to pressure their government to pay the $20 million ransom. The Government refused to pay the ransom and Conti's extorsion site indicates that it published 50% of the Costa Rican government data.
- Chile: In 2023, the Chilean military were impacted by a Rhysida ransomware attack where threat actors released 360,000 documents stolen from the government.
Latin America's organisations are also being targeted, not matter the size. In fact, it is not immune to supply chain cyber attacks, as they are becoming more prevalent. In October 2023, Chile saw a telecommunications company, GTD hit by the Rorschach ransomware gang which saw 3,500 companies impacted.
A study from 2023 found that BlackCat, Vice Society, Lazarus APT and LockBit 2.0/3.0 were the groups which targeted Latin America the most. There is also a theory that some lesser known threat actor groups use Latin America as a testing ground before expanding their operations. This was seen when ARCrypter targeted the Chilean Government and then expanded its ops worldwide. As we approach 2024, we predict that the cyber threat landscape will increase and the countries will also face more Business Email Compromise incidents together with more sophisticated phishing campaigns. Ransomware will remain a concern, but other types of incidents will also increase.
Many organisations require assistance with preparing a robust cyber incident response plan, which is key to mitigate any form of cyber attack. It is clear that more education is required still, even though the region has seen a dramatic increase in awareness, but it would be helpful to see more intelligence initiatives and information-sharing across the region.
Data Protection Compliance Requirements
Cyber attacks and/or incidents are a global problem. Countries which have introduced data protection laws have seen organisations take priority in the introduction of cybersecurity measures because of the scrutiny they may face by the regulator if they do not. Although Latin America might be lagging behind in its data protection legislation, there are a number of laws that have been passed in the different countries to match the efforts and regulation in UK and EU. The countries which have data protection legislation and regulation in force are Argentina, Brazil, Colombia, Costa Rica, Ecuador, Mexico, Peru and Uruguay. Other counties are developing data protection laws, or adapting their existing data protection laws based on the GDPR.
Latin American countries appear to lean toward a data incident 'notification to the authority' model, but not all do. In fact, some countries do not require notification at all nor do they have a specific data protection authority. Some Latin American countries, such as Mexico and Peru, have laws requiring notification to the data subjects, but not to the authority. In Chile, for example, there is no data protection regulator and only specific institutions for regulated markets are required to notify a breach, such as financial institutions. Colombia is similar to Brazil in that notification to the authority is required, with Brazil being one of the first countries in the region to issue hefty fines.
Cyber Market Opportunity
The rising frequency and sophistication of cyber attacks in Latin America creates a demand for (re)insurance coverage to protect organisations of all sizes from the liabilities arising out of the cyber incidents.
Prior to the Covid-19 pandemic, there was uncertainty in the London Market by underwriters, but we have recently seen a dramatic change in approach with appetite returning, although there is still much more room for growth. Latin America is a huge market with organisations of all sizes. Given so many governmental agencies have been victims of cyber attacks recently, cyber threat awareness is increasing in the region. Many organisations have dramatically increased their cyber security maturity and are, in turn, similarly looking for the appropriate cyber insurance coverage.
- Interest in cybersecurity is increasing in Latin America but more education is required.
- Latin American countries are developing privacy and data protection laws in harmony with EU regulation.
- Cyber attacks, most notably, ransomware attacks are a serious problem in the region.
- Awareness of cyber attacks and threats are growing with organisations increasing their investment in cybersecurity.
- Cyber Insurance uptake is on the rise but there is room for growth.
With market-leading insurance and dispute resolution practices in Bogotá, Buenos Aires, Mexico City and Santiago de Chile as well as London and Madrid, DAC Beachcroft is uniquely placed to advise throughout Latin America – for both breach response and cyber coverage matters. DAC Beachcroft is also linked with Demarest in Brazil.
For more discussion on cyber (re)insurance in the Latin America region, please feel free to contact the authors. Astrid Hardy, an Associate in the London team is currently on an inter-office secondment to DAC Beachcroft Chile working alongside Nicolás Le Blanc and Andrés Amunátegui for the next 3 months.