Financial Crime World

Cybercrime and Financial Institutions in Paraguay: A Growing Concern

In today’s digital age, cyber threats have become increasingly common. The last decade has seen a proliferation of cyber incidents and crimes committed through digital media.

Overview of Cyber Threats

  • Unauthorised access to accounts, systems or data
  • Malware
  • Scanning
  • Brute force attacks
  • Denial of service
  • System compromise
  • Spam
  • Scams

Regulatory Framework in Paraguay

Paraguay has taken steps to regulate cybersecurity. In 2017, the Executive Branch drafted a National Plan on Cybersecurity, which aims to coordinate public policies in this area.

Legislation Applicable to Specific Sectors

  • Criminal Code
  • E-Commerce Law
  • Personal Credit Data Protection Law

Central Bank of Paraguay’s Security Manual for Financial Institutions

In 2021, the Central Bank of Paraguay issued a Security Manual for Financial Institutions, which requires every financial entity to:

  • Create a monitoring centre
  • Appoint a security department independent of the IT department
  • Implement an emergency plan
  • Constantly perform risk assessments and prepare periodic reports

Credit Data Law

The Credit Data Law, enacted in 2020, provides that data controllers shall notify the regulatory agency of any data breach incident.

Collaboration between Public and Private Sectors

Collaboration between the public and private sectors is key to creating awareness and placing emphasis on continuing education in new techniques and cyber threats.

Reporting Cyber Incidents

Cyber incidents may also be reported through criminal claims filed over activities that fall under the category of cybercrime. Both the National Police and the Prosecutor’s Office have created specific departments committed to the investigation and prosecution of infringements carried out in the digital sphere.

Sanctions for Infringement

Where local regulation is infringed, the applicable sanctions depend on the nature of the infringement. Regulatory agencies may order the company/organisation to:

  • Limit the scope of its activities
  • Pay fines up to $1,785,800 for the infringement of the Central Bank Law and approximately $650,000 for the violation of the Credit Data Law
  • Suspend their activities
  • Close down entirely

Assessing Cyber Risk

Companies are beginning to understand that compliance with local regulations is not enough. A company’s name, image, and value can be severely affected if the tools to impede or swiftly revert an attack are not adopted in time.

Good Practices and Adequate Policies

Attacks are inevitable, and minimising their effects depends entirely on the capacity of a company to adopt good practices and adequate policies, besides complying with the legal framework.

About the Authors

Néstor Loizaga is a partner at FERRERE in Asunción, and has extensive experience in data protection, IT law, and intellectual property.

Montserrat Puente is a senior associate at FERRERE in Asunción, and focuses her practice on data protection, IT law, and cybersecurity.