MEXICO Law and Practice Contributed by: Alejandro Mendiola Diaz and Gunter Schwandt, Nader Hayaux & Goebel
• Coordinating Bases for Information Security (Bases de Coordinación en Materia de Seguridad de la Información) – established by the Ministry of Finance (Secretaría de Hacienda y Crédito Público, or SHCP), Banxico, the CNBV, the CONDUSEF and other governmental agencies and market participants; and
• the Cybersecurity Strategy of Banxico 2024–27 (see 1.1 Cybersecurity Regulation Strategy).

Additionally, Mexico is an active participant in several international treaties, agreements and frameworks that focus on cybersecurity, financial sector resilience and digital crime prevention. Mexico has not formally ratified the Budapest Convention on Cybercrime, but it has aligned its financial cybersecurity regulations with international standards through frameworks such as the Financial Action Task Force (FATF) (Grupo de Acción Financiera Internacional, or GAFI) (of which it is a member), Basel III guidelines on operational risk and cyber-resilience, and G20 initiatives. Furthermore, regional and bilateral cooperation – particularly with the USA, the Organization of American States and the Pacific Alliance – enhances its financial sector’s operational and cyber resilience.

3.2 ICT Service Provider Contractual Requirements

Information and communications technology (ICT) service providers in Mexico are obligated to meet specific contractual and regulatory requirements when working with financial institutions. Such requirements focus on cybersecurity, data protection, operational resilience, third-party risk management and the ability to afford regulatory supervision. These requirements are set by Banxico, the CNBV, the Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones, or IFT) and the INAI. Please note that the authority and functions of these two last agencies are in the process of being transferred to other agencies within the federal government as a result of recent constitutional reforms.

ICT service providers working with financial institutions must adhere to outsourcing and cybersecurity regulations issued by Banxico and the CNBV, which include:

• cybersecurity requirements for ICT providers handling banking systems;
• data encryption, access controls and authentication measures;
• service-level agreements;
• audit rights; and
• incident response obligations.

Such providers must also comply with Banxico’s cybersecurity and operational resilience standards and grant Banxico regulatory oversight and audit access.

Under Mexico’s Personal Data Protection Law, ICT contracts must establish data protection obligations, and providers must implement technical and organisational security measures. If an ICT provider processes personal data on behalf of a financial institution, the contract must specify processing purposes and permitted activities, data retention policies, and obligations to notify data breaches.

Mexico is expected to introduce enhanced outsourcing regulations for ICT providers, similar to those set forth in the EU’s Digital Operational Resilience Act (DORA).

3.3 Key Operational Resilience Obligations

As pointed out in 3.1 Scope of Financial Sector Operational Resilience Regulation, Mexico