Five Key Recommendations to Strengthen Cybersecurity in Latin America and the Caribbean

August 11, 2025

by Arnold Y. Castillo, Jon Fowler, and Richard Finkelman

Cybersecurity is now a core element of legal, regulatory, and business risk management. In Latin America and the Caribbean, organizations face mounting pressure to demonstrate proactive compliance with evolving data protection laws, cybersecurity mandates, and cross-border disclosure requirements. Boards and legal departments are expected not only to prevent cyber incidents but also to prove due diligence, resilience planning, and rapid response capabilities when they occur.

The region’s cyber risk landscape is evolving rapidly, driven by increasingly sophisticated criminal tactics and heightened geopolitical attention, including rising foreign investments from China. In response, governments across Latin America and the Caribbean have introduced regulatory reforms at the global, regional, and national levels. These developments demand a more integrated cybersecurity strategy, one that goes beyond technical defenses and aligns closely with legal, organizational, and compliance priorities. Considering these rising threats, it is essential for businesses to adopt comprehensive cybersecurity strategies that align with both legal obligations and best practices. This includes focusing on internal security, enhancing employee training, and leveraging advanced technologies such as AI to navigate the complex and growing threat environment effectively. As the risks of cyberattacks increase, it is critical for companies to bolster their security measures to better manage this evolving landscape and ensure business resilience.

Evolving Cyber Threat Trends in Latin America

Latin America has seen a marked increase in cyber threats, driven largely by the region’s growing economic significance and the corresponding rise in foreign investment. Sectors such as banking and finance, energy (particularly oil and gas), and mining are increasingly targeted by cybercriminals who conduct sophisticated social engineering operations. These criminals often map out corporate structures and single out key areas such as boards, accounting, supply chains, and service providers or major organizations, then run highly targeted phishing campaigns to infiltrate vulnerable systems.

Once inside, cybercriminals manipulate payment environments, rerouting millions of dollars to foreign accounts via altered payment instructions. A significant portion of these breaches can be attributed to inadequate staff training, a lack of awareness, and the absence of a robust cybersecurity culture. The influx of investments, particularly from China, into countries such as Mexico, Panama, Peru, and the Dominican Republic, has attracted increasingly sophisticated cybercriminal operations. Criminal groups often exploit vulnerabilities by bribing lower-level employees, especially those facing personal challenges, to gain access to sensitive information, which is then used in larger-scale fraud schemes.

Additionally, money laundering activities in countries such as Mexico, where drug cartels operate, are increasingly coordinated with international fraud networks in the United States and Europe. These operations fund illicit activities such as fentanyl production and support cartel operations, which are further facilitated by cyber capabilities.

Organized Crime and Advanced Cyber Tactics

Alongside rising foreign investment and digital transformation, Latin America faces heightened exposure to organized criminal networks with advanced cyber capabilities. These groups, often linked to illicit enterprises such as illegal mining and narcotics trafficking, operate with increasing technical sophistication. One notable case in the Caribbean involved a coordinated identity theft scheme that leveraged forged tax documentation to defraud public systems—raising questions about gaps in verification protocols, third-party oversight, and liability for compromised data flows.

Regulatory Actions and Legislative Changes

Authorities across Latin America and the Caribbean are intensifying their efforts to address cybersecurity risks through a variety of regulatory and legislative measures. Key areas of focus include data protection laws, cybercrime statutes, and digital transformation policies.

A recent survey by the Mexican government’s CERT-MX identified financial institutions, government entities, and supply chain vendors as the top targets for cyberattacks. These vendors, such as maintenance providers or logistics agents, are often the weakest links in the security chain.

Chile, effective May 30, 2025, has initiated the classification of “Operators of Vital Importance” (OIVs), a move that mandates a comprehensive review of security programs across various sectors. Under this framework, companies will be required to update their legal, organizational, technical, and operational security measures, align their internal policies with new legal obligations, and deploy advanced threat detection and response tools. Additionally, regular security audits will become a legal requirement.

Phishing and Financial Sector Vulnerabilities

Phishing, despite extensive awareness campaigns, remains a critical threat to financial institutions across the region due to persistent gaps in authentication protocols and internal verification processes. The legal implications of such breaches are significant, particularly when organizations cannot demonstrate that they implemented reasonable safeguards to prevent fraudulent transfers or data exposure.

A particularly concerning example of phishing involves Business Email Compromise (BEC). In one instance, two companies engaged in a transaction involving goods valued at several hundred thousand dollars became victims of a phishing attack. A third party intercepted the email chain, creating a fake domain and continuing the conversation between the two parties. As a result, the final invoice included altered bank account details, and the funds were sent to the fraudster instead of the legitimate vendor. This attack highlights the critical need for secure communication channels and constant vigilance in financial transactions.
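The control that would have stopped the transfer described above is a pre-payment check of the invoice's sender domain and bank details against a vendor record verified out of band. The sketch below is an added example, not part of the original article; the vendor record, domain, account number, function names, and similarity threshold are all constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed vendor master: domain and account confirmed out of band (placeholder values).
VENDOR_MASTER = {
    "acme-logistics.example": {"iban": "DE00123456780000000001"},
}

def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def closest_known_domain(domain, known):
    """Most similar known vendor domain and its similarity ratio (0..1)."""
    best = max(known, key=lambda k: SequenceMatcher(None, domain, k).ratio())
    return best, SequenceMatcher(None, domain, best).ratio()

def review_invoice(sender, iban, master=VENDOR_MASTER, threshold=0.85):
    """Return findings that should hold the payment; an empty list means none."""
    findings = []
    dom = domain_of(sender)
    norm_iban = iban.replace(" ", "").upper()
    if dom in master:
        vendor = dom
    else:
        vendor, score = closest_known_domain(dom, master)
        if score < threshold:
            # Not a known vendor and not close to one: route to vendor onboarding.
            return [f"unknown sender domain: {dom}"]
        # Near-miss of a real vendor domain: the fake-domain pattern from the BEC case.
        findings.append(f"lookalike sender domain: {dom} resembles {vendor}")
    if norm_iban != master[vendor]["iban"]:
        # Altered payment instructions: confirm by phone using a number already on file.
        findings.append("bank details differ from vendor master: verify by callback")
    return findings

if __name__ == "__main__":
    # Constructed messages: a genuine invoice, then a lookalike domain with a new account.
    print(review_invoice("billing@acme-logistics.example", "DE00 1234 5678 0000 0000 01"))
    print(review_invoice("billing@acme-logistlcs.example", "DE00999999990000000002"))
```

A changed account number is flagged even when the sender domain is genuine, since a compromised real mailbox produces the same altered instructions.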

AI and the Future of Cyber Investigations


As cyber threats escalate, legal and compliance teams are increasingly turning to artificial intelligence (AI) to meet the demands of detection, investigation, and regulatory compliance. AI-driven forensic tools can rapidly identify compromised systems and affected data sets, accelerating breach response and supporting disclosure obligations. AI platforms also detect account compromise by monitoring irregular user behavior, such as unusual access patterns or login locations. Predictive analytics further enhance threat anticipation by flagging emerging risks based on historical data, helping reduce exposure and investigative timelines. In digital forensics, AI processes large volumes of data efficiently, making it easier to extract and analyze critical evidence.

Brazil’s $148 Million Cyber Heist: A Stark Lesson in Third-Party Risk

In July 2025, hackers exploited a critical vulnerability in C&M Software, a fintech provider integrated with Brazil’s Central Bank’s PIX payment system, causing a major breach. Using compromised employee credentials, the attackers gained access to reserve accounts held by financial institutions, draining approximately 800 million Brazilian reais (USD 148 million). This attack, a supply chain compromise, bypassed direct targets such as the Central Bank by exploiting a smaller, yet critical vendor.

The criminals involved in this heist utilized cryptocurrency to launder the stolen funds, underscoring the risks associated with outsourcing critical infrastructure and over-reliance on third-party platforms. The event highlights the urgent need for increased security vigilance in supply chain management.

Five Key Recommendations for Cybersecurity Leaders in Latin America and the Caribbean

As cybersecurity threats evolve, corporate legal departments, CISOs, and compliance leaders in Latin America and the Caribbean are being held to higher standards of accountability. Beyond securing IT infrastructure, they must ensure that governance frameworks align with regional regulatory developments, contractual obligations, and cross-border data protection laws. To manage the growing complexity of the threat landscape and satisfy increasingly strict regulatory expectations, organizations should prioritize the following five strategic measures:

  1. Third-Party Continuous Auditing
    Organizations must enforce strict compliance checks for third-party vendors, requiring certifications and conducting regular penetration tests (pen tests). Strengthening supply chain due diligence, particularly for critical vendors and subcontractors, is essential for minimizing external risks.
  2. Privilege Segmentation
    No employee should have unrestricted access to company systems without a clear technical justification. Role-based access controls and the principle of least privilege must be implemented and actively monitored to limit access to sensitive information, reducing the risk of internal breaches or accidental data exposure.
  3. Real-Time Threat Detection
    Invest in advanced anomaly detection tools and establish 24/7 monitoring systems. Early detection of breaches is crucial for minimizing damage and ensuring quick response times.
  4. Social Engineering Stress Testing
    Conduct regular red teaming exercises and phishing simulations to test employee awareness and resilience against social engineering tactics, which remain one of the most common attack vectors.
  5. Legal-Centric Crisis Management
    Design and regularly update a crisis response framework that integrates legal, regulatory, and reputational considerations. This includes pre-drafted notification templates for data breaches, pre-approved external legal counsel and forensic investigators, and documented escalation protocols aligned with local disclosure timelines. In an era where legal liability can stem from both action and inaction, a well-executed cybersecurity response plan is no longer optional; it is a critical business asset.
