IQSEC Calls for Overdue Cybersecurity Legislation

Mexico’s cybersecurity legislation has failed to keep pace with the accelerated evolution of cyberthreats, forcing companies to inflate budgets to combat cyberattacks independently. Lessening this economic pressure calls for a legislative framework that establishes corresponding sanctions to reduce high rates of digital insecurity, says cybersecurity and digital identity company, IQSEC. 

Despite recent discussions of cybersecurity legislation at the nation’s legislative branch, little to no progress has been made, leaving the country with a framework that does not correspond with a rising digital economy. This has left people and organizations vulnerable and without the mechanisms to defend themselves from an increasingly hostile cybercriminal landscape. Given this panorama, IQSEC established five key points to outline a cybersecurity legislation that discourages cybercriminal activity and provides people and organizations with the instruments needed to establish a proactive cybersecurity posture. 

As a starting point, the document should include explicit language outlining what constitutes cyberdefense, which IQSEC defines as a subset of actions covering the identification, visibility, neutralization and control of cyberthreats through immediate response and/or automatization, and cyber resilience, understood as the ability to prepare and overcome cyberattacks and maintain trust of the environment to avoid economic and social capital losses. “This with the aim of safeguarding the security of critical assets of a [state institution or organization] for the protection of people, data and substantive operations.” 

Outlining a national cybersecurity strategy should be based on industry-recognized best practices across identification, protection, detection, response and recovery to institute a proactive cybersecurity stance. Furthermore, it should be reinforced by protection mechanisms and frictionless legal instruments that punish and classify serious cybercrime including the use of false and stolen identities as an immediate starting point, suggests IQSEC. This is especially relevant to Mexico’s emerging digital economy that is increasingly making use of digital identities to use both public and private services. 

Consequently, establishing cybersecurity compliance mechanisms should be considered, so that public and private organizations can demonstrate proactivity in protecting the identity, data and confidential information of third parties. In the event of a security breach, the affected party can assume corresponding liability in the event of non-compliance through omission. Currently, there is no legislation specifically regulating cybersecurity, which means companies without cybersecurity controls are not subject to any obligations, according to law firm CMS. 

Finally, the federal government should look to establish social engineering cyberattack awareness campaigns and programs at all levels of society to strengthen the weakest link in cybersecurity infrastructure: people.