Cybersecurity Priorities for Mexico’s Financial Ecosystem

Financial inclusion in Mexico has made significant strides, driven by the growing adoption of digital platforms and the rapid expansion of the fintech sector. However, this shift has also brought new cybersecurity challenges, which both traditional financial institutions and fintech companies must now address.

"The strategic goals of financial inclusion must be in sync with those of cybersecurity. We cannot afford a disconnect between business expansion and user protection," said Jenny Mercado, CISO, Odessa, during the Mexico Business Forum 2025.

As mobile banking platforms become the primary access point for millions of users, the risks also increase. The University of San Diego reports that the surge in digital financial services has been accompanied by a rise in threats, with identity theft and fraud among the top concerns. The sector now faces the challenge of ensuring both security and ease of access for users.

“The financial inclusion agenda has always been about rebuilding trust between the financial sector and underserved communities. But that trust can only exist if there is security,” said Valther Galván, CISO, Prosa. “We must empower businesses to adopt a security-first approach, without compromising their growth.”

While financial inclusion has opened up vast opportunities for Mexico's economy, it has also placed significant pressure on financial institutions to adapt to an increasingly complex and global cybersecurity environment. Key issues such as vulnerabilities in legacy systems and the lack of unified security standards must be urgently addressed.

Solving these challenges requires a comprehensive, multi-layered cybersecurity strategy that integrates both old and new systems. Experts stressed the importance of developing hybrid frameworks that allow different infrastructures to work together while ensuring compliance with both local and international security standards. "Security is expensive, but reputation is priceless—and once damaged, often irreparable," said Carlos Ortiz, Country Manager, Veeam México. "CISOs must serve as internal consultants, converting technical risks into top-level priorities."

Multi-factor authentication and identity management solutions are essential in safeguarding access and transactions in financial services, especially on mobile platforms. These technologies have proven effective in reducing risks like identity theft and unauthorized access. Additionally, process automation and AI can be efficient tools for fintechs that need to protect large amounts of data cost-effectively.

In terms of practical solutions, technologies such as multi-factor authentication, identity and access management (IAM), and zero-trust architectures are seen as crucial tools. These technologies help organizations secure mobile transactions and protect user data without undermining system performance or accessibility.

“Cybersecurity should be seen as a business enabler, not a cost center,” said Mercado. “We need scalable investment models that start with internal audits and grow from there.”

Experts agree that aligning cybersecurity investments with overall business goals is crucial. While not every company can afford large-scale overhauls, most can start by assessing their current systems and identifying the most pressing risks.

One of the main barriers remains resistance to change. Many organizations delay infrastructure upgrades due to cost concerns or outdated thinking. "The mentality of ‘if it is still working, do not fix it is one of the biggest dangers," warned Adrián Alva, CISO, Mizuho Bank. “What matters is not whether a tool still works, but whether it can defend against modern threats.”

While these solutions offer a path forward, implementing them comes with challenges, particularly in integrating new technologies into existing infrastructures and training staff. Many fintechs still struggle to balance introducing new solutions while maintaining the stability of legacy systems.

Process automation and AI can also be valuable tools for fintechs dealing with large volumes of user data and limited resources. Galván emphasized that striking the right balance between profitability and security can help develop products that are both secure and marketable.

However, this balance often involves trade-offs. “If we demand lower prices from our technology providers, we must also accept a reduction in quality,” cautioned Alva. “This limits the full potential of these technologies.”

Among the most significant challenges are legacy system vulnerabilities, fragmented security protocols, and outdated governance structures. These issues are further compounded by the fact that a large portion of Mexico’s population still lacks digital literacy or reliable internet access.

As Ortiz pointed out, there is a critical need to bridge the gap between those who can offer secure digital financial services and those excluded due to limited internet access or the absence of smartphones.

“The challenge is immense,” said Ricardo Sheck, VP of Cybersecurity, Tec 360 Cloud. “But aligning cybersecurity with core business strategies and adopting robust frameworks like cyber-resilience programs and zero-trust architectures is no longer optional—it is the only way to remain competitive.”

Another critical issue is the regulatory landscape, which varies significantly across Latin America. As Mexican fintechs expand regionally, they must ensure compliance with multiple legal frameworks. Experts suggest that adopting flexible, international cybersecurity standards—rather than rigid local models—can help ease expansion challenges.

"Public regulation must evolve to strengthen baseline security standards, especially in sectors that impact national digital infrastructure," said Sheck.

At the same time, innovations in biometrics and AI will create both new opportunities and new risks, particularly concerning the protection of personal data. As a result, companies will need to increase investments in privacy safeguards.

Strengthening collaboration between regulatory bodies and private companies will be essential to advancing cybersecurity maturity at the system level. A coordinated approach to new threats, particularly those targeting underserved populations, requires shared accountability.

“Security must be about more than just technology—it is about building trust and fostering collaboration,” said Galván. “We are no longer just offering financial services. We are offering secure, user-centered digital experiences.”