Cybersecurity and the role of the Board of Directors in Latin America and the Caribbean – ECLAC

This paper presents and discusses the relation between cybersecurity and corporate governance in the
context of Latin America and the Caribbean. It notes that progress has been made in improving
corporate cybersecurity within the region mostly from a data protection perspective, either as a result
of internally driven or regulatory motivated corporate initiatives, but that not enough headway has been
made regarding the cyber risks affecting critical infrastructure and essential services in the hands of
private or State-owned companies. The paper describes some of the best corporate governance
practices and guidance for boards of directors to address cybersecurity issues, as well as a selection of
the regulatory incentives that lawmakers and regulators are deploying to incentivize boards to adopt
proper cyber risk management. Three case studies are presented as examples of these types of policy
interventions in the region.

The World Wide Web has been around for merely 30 years, and only in 2018 access to it reached half of
the world population, but in the last decade the number of Internet users grew yearly by 10 percent on
average, to reach an estimated 4.1 billion users in 2019.1 This broadening access to the Web,
technological disruption and a move towards digital business models have made data some of the
world’s most valuable assets.
While not long ago most large firms were highly dependent on their control over expensive
tangible assets, the corporate titans of our time are light of physical assets and heavy on intellectual
assets. Microsoft, Apple, Google, Amazon and Facebook were the five largest stocks in the S&P 500 at
the time of writing,2 representing 17.5 percent of the market value of the index.3 The value
corresponding to intangibles (licenses, patents, R&D, data and the like) in the market value of US
corporations has moved from less than 20 to more than 80 percent in the last four decades.4
Behind these intangible assets of corporations there is a wealth of data, ranging from purely
commercial records to extremely sensitive personal information of clients, suppliers and employees.
From sensors monitoring and predicting the behavior of a jet engine to the fitness monitor around our
wrist, data are collected and processed for endless means.5 Businesses are mining these data in ways
that can boost their strategies with greater market access and scalability, offering bespoke goods and
services. Yet, as we continue to process the might of data and the scope of the potential impact they
can have over businesses, society and our own personal lives,6 we are also facing the challenge of
protecting them from theft and misuse in the face of sprawling cyber risks.
At the time of writing this paper, most of the world was confined to their homes because of the
disruption caused by the Covid-19 pandemic, and millions of workers and students had begun to
conduct their daily activities remotely through the web. Datareportal, a digital information hub, noted
an enormous increase in digital activity since the beginning of 2020, especially in countries that have
seen the strictest lockdowns.7 In turn, Google reported that during the first weeks of April 2020 the
volume of detected cyber threats related to Covid-19 reached 18 million malware8 and phishing emails,9
as well as 240 million spam messages, every day.
Those circumstances have beamed the spotlight on the crucial importance of ICT (information
and communication technology) systems and connectivity, but also on the relevance of strong
cybersecurity.10 For this report, cybersecurity is understood generally as the ability to control access to
networks, ICT systems and all kinds of information resources against cyberattacks or breaches of
information that can affect individuals and organizations.
Countless cybersecurity breaches in recent years have put numerous organizations and billions
of users at risk, causing massive damage, both for those that failed to secure their corporate property,
and those whose information was stolen, hijacked or corrupted. Prominent examples include the
Bangladesh Bank heist,12 the breaches at Yahoo13 and Marriott,14 several ransomware15 attacks against
public services and cities,16 the Cambridge Analytica-Facebook case,17 and the hacking of the U.S.
Customs and Border Patrol Agency.

As those examples show, cybersecurity risks can affect us all. Countering them requires
consistent, and ideally concerted, efforts by each link in a chain to safeguard the security of the whole.19
From the employee that becomes victim of phishing to the weakness in the design of information
systems that render restricted databases easily accessible to the public,20 there are plenty of potentially
weak points that can put ICT systems at risk, allowing hackers to gain access to our data and cause
serious damage.

The communities in the three groups have different objectives with respect to cyber risk, but
there is some overlap when they focus their attention towards the governance of firms, and the
expectations they have for what boards of directors should do to facilitate the completion of their
community’s objectives. This is more evident in the cases of cybersecurity and cyber-defense. In the first
case the attention is in mitigating potential damages to the company’s assets and in establishing
corporate liability and other incentives for firms to guard their stakeholders’ personal data. In the
second, it is in making sure that firms invest what is necessary to ensure that the critical services they
render will not be interrupted by a cyberattack, or will be quickly recovered afterwards.
These expectations for the role of boards and corporate governance in countering cyber risks are
being translated into law, regulation and policy. In the process, they are slowly shaping the agendas of
boards and top managers across the globe by pushing firms to adopt whatever technical, normative and
cultural means they need to keep their ICT systems safe. This paper seeks to describe and discuss those
emerging cybersecurity rules and frameworks, and their relation to corporate governance, with a special
interest in the situation in Latin America and the Caribbean.
Following this introductory chapter, the rest of the paper is structured as follows: chapter I
portrays some of the progress made and challenges remaining for corporate cybersecurity in
Latin America and the Caribbean. Chapter II presents three case studies of sectors where cybersecurity
rules are tapping the corporate governance of firms in the region to protect critical infrastructure.
Chapter III outlines the conceptual rationale for the role of the board and corporate governance
frameworks of firms in addressing cyber risk. Chapter IV offers some conclusions. Finally, the Annex
contains a description of a selection of the relevant international frameworks and initiatives for
cybersecurity, some of which include relevant corporate expectations.
