Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Yes. Certain federal regulators (such as the Network for Integrity (INAI)) have drafted non-mandatory guidelines that complement the existing statutory provisions and allow organisations to adopt their own self-regulation.

How does the government incentivise organisations to improve their cybersecurity?

Not applicable.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

There are several computer security standards, starting with the ISO/IEC 27000 family of standards [7], which describe an information security management system focused on keeping information secure under explicit management control.

ISO 15408 [8] is the standard known as the Common Criteria; it provides a framework under which many different software products can be specified, evaluated and certified in a consistent, security-focused manner.

RFC 2196 [9] is a memo published by the Internet Engineering Task Force on the development of security policies and procedures for information systems connected to the internet. It gives a broad, general view of information security, covering network security, incident response and security policies, and is very practical and focused on day-to-day operations.

For the industrial field, in 2007 the working group of the International Society for Automation (ISA) started the ISA-99 standard, Security for Industrial Automation and Control Systems, with the publication of ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems: Concepts, Terminology and Models, together with the technical report ANSI/ISA-TR99.00.01-2007, Security Technologies for Manufacturing and Control Systems. At the beginning of 2009, ANSI approved ANSI/ISA-99.02.01-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program. Finally, in 2010, the series was renamed ISA/IEC 62443 to align the numbering of its documents with the corresponding standards of the International Electrotechnical Commission (IEC).

Are there generally recommended best practices and procedures for responding to breaches?

Governmental authorities have issued specific guidelines addressing cybersecurity best practices. The most frequently used are listed below:

  • Guidelines for the secure deletion of personal data. Accessible through: http://inicio.ifai.org.mx/DocumentosdeInteres/Guia_Borrado_Seguro_DP.pdf;
  • Guidelines to prevent identity theft. Accessible through: http://inicio.inai.org.mx/nuevo/Guia%20Robo%20Identidad.pdf;
  • Guidelines of the Internet Mexican Association. Accessible through: https://www.asociaciondeInternet.mx/es/estudios;
  • Cybersecurity Strategy for Financial Institutions. Accessible through: www.banxico.org.mx/spei/d/%7BD8F9F341-00E7-459A-D35D-5F487FA05AA1%7D.pdf; and
  • ICC Cybersecurity Guide for Business. Accessible through: www.iccwbo.org/Advocacy-Codes-and-Rules/Areas-of-work/Digital-Economy/Cyber-Security-Guidelines-for-Business/ICC-Cyber-Security-guide-for-business/.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Not applicable.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

On 12 June 2018, the Mexican Official Gazette published that Mexico has adopted the Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, and its Additional Protocol regarding supervisory authorities and cross-border data flows. Both are binding international instruments that protect the individual against any abuse in the collection and processing of personal data and, at the same time, seek to regulate the cross-border flow of personal data.

On 9 September 2017, the PGR announced in the Mexican Official Gazette a new investigation unit to combat cyber and technological crimes and enhance investigations. As of March 2018, the unit had opened 312 files to investigate crimes related to the distribution, storage and production of child pornography, initiated upon notices received from Interpol. The PGR unit is also actively working with the Bank of Mexico to identify and sanction all those responsible for a cyber-attack on several financial institutions through the bank’s interbank electronic payments system.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Yes, insurance for cybersecurity breaches is available and is becoming more common.