Privacy, Data Protection and Cybersecurity

The majority of our activities are carried out online – social networks, work, shopping, studying, among many others – and, without a shadow of a doubt, digital tools are one of our greatest allies. However, we are exposed to a number of risks, which is why we must use the digital world responsibly.

At Santander Mexico, we not only have a series of policies in place in this area, but we also constantly raise awareness among our employees about how to safeguard our Institution’s data and information. These policies are based on industry standards, compliance and good practices within the sector.

The Board of Directors reviews and approves the Corporate Cybersecurity Framework and any applicable updates to it, which define the key processes and essential elements in the governance of this area, in addition to the roles and responsibilities that are aligned with the principles of the three lines of defense.

The Cybersecurity Requirements for Technical Users policy includes a section covering data protection cybersecurity requirements.

This policy provides managers from Grupo Financiero Santander México with compulsory requirements for the development, implementation and maintenance of safeguards and control measures that protect third-party information and data, in addition to protecting the Bank’s internal data and information. Furthermore, our Data Loss Prevention program, as described in the Cybersecurity Requirements for Technical Users policy, allows us to detect data leaks.

The Cybersecurity Requirements for Technical Users policy outlines good data protection practices stemming from the cybersecurity and technology risk framework. These good practices are based on the data security and technology risk goals set by the Bank to safeguard the confidentiality, integrity, availability and traceability of information. Its function is to provide guidance regarding how to avoid, mitigate or manage reputational or business risks through Santander’s key cybersecurity standards.

Our Corporate Cybersecurity Framework aims to establish cybersecurity risk management standards and responsibilities, including personal data protection, throughout the organization, and to identify the vulnerabilities in information systems that pose a risk to data security. It is based on industry standards such as NIST, ISO/IEC 27001 and ISO/IEC 27002.

The purpose of this Corporate Framework is to help make Santander a cyber-resilient organization through proactive and holistic risk management, allowing the Bank and its customers to continue prospering and benefiting from the enormous opportunities that digital technology has to offer. Effective management of these growing risks therefore requires a global cybersecurity approach across all geographical and business areas.

In Mexico, local authorities such as the National Banking and Securities Commission (CNBV), through the Bank Circular (CUB), and the Bank of Mexico, through a number of circulars that set the standards for payment methods, require relevant cybersecurity incidents to be reported within the fixed timeframes and terms stipulated in the regulations. Our Cybersecurity Requirements for Technical Users policy (Cyber Incident Management section) is aligned with these regulations, as well as with the operating manuals and circulars issued by the Bank of Mexico (BANXICO) and the Federal Law on the Protection of Data Held by Individuals (INAI).

Furthermore, our Cybersecurity Requirements for Technical Users policy (Cyber Incident Management section) provides the management team in Mexico with the minimum obligatory requirements for cybersecurity incident management behaviors and capabilities, which include tracking the trends, frequency and origin of attacks on systems, data and information. The communication and escalation of incidents is undertaken in accordance with this policy and the applicable regulations.

For Santander, new and emerging cyberthreats and the attack vectors associated with cybersecurity risks focus on three key elements:

  • Unauthorized or undue access to information or systems (theft of personal information, M&A plans or intellectual property).
  • Wire fraud (diverting wire payments, withdrawals from customer funds and accounts, and fraud through channels, credit cards, identity theft, etc.).
  • Disruption of business activities as a result of a cyber incident (cyber sabotage, cyber extortion, denial of service, ransomware).

These risks can originate both outside and inside the company. The impact of cybersecurity risks can encompass financial risks, reputational damage, regulatory fines, loss of strategic advantages, and interruptions to operations.

Our Cybersecurity Requirements for Technical Users policy (Cyber Intelligence section) outlines the minimum obligatory requirements for compiling, processing, analyzing, communicating and integrating intelligence on cyberthreats, including threats to payment methods, attack vectors and ransomware, among others.

Cybersecurity is a responsibility shared by all our employees, and in order to ensure cybersecurity throughout the Bank, we act based on good practices that focus on the use of technologies and data protection. As such, we have a Corporate Cybersecurity Standards for the Protection of Santander policy, which outlines the minimum obligatory requirements for developing, implementing and maintaining safeguards and controls.

We constantly strive to develop strategies and a data security training and awareness campaign that includes internal communication campaigns, training sessions, compliance courses and other activities, including data security and technology risk days, all of which are aimed at our employees.

Our five standards of Cybersecurity Conduct are:

  • Safeguard your data.
  • Be discreet when online and in public.
  • Think before clicking and replying.
  • Keep your passwords safe.
  • If in doubt, report it.

During 2022, we coordinated the following activities:

Name: Hacktober
Description: October is our Cybersecurity Awareness month. The goal is for all our employees to have the opportunity to develop knowledge about how to defend themselves against cyberthreats.

Name: Ethical Phishing (Corporate)
Description: Quarterly ethical phishing exercises for all the Bank’s employees. The goal is to measure employee behavior when faced with a realistic phishing threat.