New cybersecurity law in Mexico!

Mexico is on the verge of significant change regarding cybersecurity, with the introduction of the proposed law presented to Congress in 2023. This initiative was referred to committees towards the end of that year and is likely to go to a vote in 2024. Although we will have to wait for its publication to learn the details, for now we can review the key points of this first version to familiarize ourselves with the new responsibilities of the parties bound by this regulation.

The proposed Federal Cybersecurity Law recognizes of the absolute relevance of the global virtual environment, its advantages and risks. It underscores the considerable increase in Internet access in Mexico—already at a rate of 70%—and the growing level of priority that cybersecurity has in the world. After mentioning a series of high-profile cybercrimes and digital attacks in the country, it concludes that there is a strong need to foster a culture of cybersecurity prevention, backed by cybersecurity regulation.

Key definitions and legal framework

Among the basic and highly relevant aspects for understanding the initiative are the definitions it sets out on cybersecurity. For example, for legal purposes, confidentiality means "the ownership of information, ensuring that it is accessible only to personnel authorized to access such information". Among other key concepts, Article 3 also defines cybersecurity or cyber incidents as "one or more undesired or unexpected events that are significantly likely to compromise or jeopardize organizational operations and threaten information security".

The text also addresses the functions and responsibilities of different state agencies such as the National Cybersecurity Agency and provides for the creation of the National Registry of Cybersecurity Incidents, which: "will consist of the information of the events that represent any attack, cybercrime or event that has resulted in a significant or material disruption or degradation to the operation within the technological infrastructure of a public or private organization". Under Article 18, managers of public and private critical information infrastructures, and all those who have suffered cybersecurity incidents that pose a risk to their operation or to the security of personal data of third parties, are required to submit information for this registry.

Obligations for companies and IT administrators

Headings Four and Five are of particular interest to companies that provide digital services, handle personal data or make use of digital and telecommunications infrastructure. They contain a number of obligations for organizations and their IT administrators, including:

• Protecting the confidentiality of users' personal data.
• Notifying the National Cybersecurity Agency and the data subject in the event of a breach of personal data security.
• Having legal representation in the country.
• Establishing technological security measures.
• Being responsible for the misuse of its services.
• Deregistering IP addresses and websites that break the law.
• Retaining information required for the investigation of cybercrime.
• Respecting confidentiality in the outsourcing of services.
• Cooperating with international authorities on cybersecurity matters.
• Registering in the National Registry of Technology Providers for Communications Intervention.
• Establishing cybersecurity measures if they provide banking or financial services.

Recommendations for compliance with the new regulations

In short, the spirit of this bill places a high degree of responsibility on companies and their managers. In this regard, in addition to knowing the information, a focus on prevention is vital. Once approved, having adequate security measures in place will also be necessary to comply with the Federal Cybersecurity Law.

So, here are three recommendations to get ready for and comply with this new regulation:

1. Implement a comprehensive cybersecurity program. This program should include technological security measures, such as firewalls, antivirus and intrusion detection systems. It should also include organizational security measures, such as cybersecurity training for employees and the implementation of security policies.
2. Develop a cyber incident response plan. This plan should outline the steps you will take in the event of a cyber incident, such as a ransomware attack or a personal data breach.
3. Establish a strategic partnership with a cybersecurity service provider. A cybersecurity service provider can help you implement and manage your cybersecurity program.

Having a law in this area is an important step to protecting user information and preventing cybercrime. All indications are that the future Federal Cybersecurity Law will make us jointly responsible for compliance.

If you are interested in learning more about the subject, we are at your disposal to answer any questions related to the protection of your information and digital infrastructures. We invite you to contact us or visit our website.