CYBER SECURITY MARKET ANALYSIS BUSINESS INTELLIGENCE UNIT UIN


Post on 04-Aug-2020


Author:

- Marco Erick Espinosa Vincens, Head of Unit
- Claudia Esteves Cano, Executive Director of Strategy
- José Manuel Cortés, Innovation and Knowledge Management Coordinator
- Julio S. Rodríguez, Senior Project Consultant
- Luisa Regina Morales Suárez, Editorial design

© January 2018, ProMéxico
www.promexico.mx

Produced by:

Images downloaded from: unsplash.com / pixabay.com / pexels.com
Icons downloaded from: flaticon.com

TABLE OF CONTENTS

- EXECUTIVE SUMMARY
- DIGITAL REVOLUTION
- CYBERCRIME GLOBAL OVERVIEW
- CYBERSECURITY GLOBAL OVERVIEW
- REGULATORY OVERVIEW
- BEST PRACTICES
- DIGITAL TRENDS IN MEXICO
- CYBERCRIME IN MEXICO
- CYBERSECURITY OVERVIEW IN MEXICO
- MEXICAN CYBERSECURITY SUMMARY
- APPENDIX

EXECUTIVE SUMMARY

Our analysis has reinforced the importance of the cybersecurity industry as a whole and its growth prospects, globally as well as in Mexico. Some specific areas of improvement were also highlighted. The main results have been as follows:

- Given the increasing connectivity in the personal, corporate and urban environments, dependence on technology and the related vulnerabilities and risks of cyber-attacks are increasing. Equally, the cycles of technology innovation are shortening, which affects adoption as well as reaction times.

- The megatrends that are becoming increasingly relevant across all geographies, such as Big Data and Cloud solutions, Internet of Things (IoT), Industry 4.0 and the rapid development of Smart Cities, will continue to be the main drivers for the industry.

- The higher the digitalization level of an individual or a company, the greater the vulnerability of the related devices and systems. Cybercrime has had an estimated financial impact of US$575 billion per year, representing 0.5% of the global GDP. The main motive behind cyber-attacks remains financial, and the most exposed industries are financial services and different branches of the public sector.

- As at the global level, market demand in Mexico is high; several large international companies, and also some national ones, are benefitting from the growth of the industry. There is a clear requirement for an increased product offering (specifically for SMEs) and more competition within the sector. Dedicated IT clusters could be a solution to develop lower-cost cybersecurity products and services.

- There are several building blocks of the industry that will continue to enable its future development: the basis of the legal and regulatory environment has been established and a national cybersecurity strategy has been defined, both of which should make way for the necessary improvements in the execution of the defined laws and regulations.

- Universities are adding to their portfolio of cybersecurity careers but not at a sufficient rate and the costs of necessary certifications remain relatively high. All degrees might have a cybersecurity awareness course and investment in cybersecurity communication.

- General awareness building and training for companies as well as individuals on good practices to minimize cybersecurity risks are key for the user community to operate in the current and future digitalized and connected environment.

DIGITAL REVOLUTION

DIGITAL IS INCREASINGLY BECOMING A KEY TOPIC IN BUSINESS STRATEGY

Panels: Digital Transformation; Technological Evolution; On top of CEO's mind: Technology; CEO's top of mind: Cybersecurity.

- By 2020, 33% of large enterprises are information-based businesses.
- 65% of CEOs will have spent at least 5 years in some kind of a technology leadership role.
- One of the top 3 priorities of CEOs for the next 3 years is implementing disruptive technologies, and 47% are concerned whether their organization is keeping up with new technologies.
- 41% of CEOs said their company will be significantly transformed in the next 3 years.
- 74% of CEOs said their company is striving to be the disruptor in its sector.
- CEOs recognize there is work to be done to protect their organization, with 58% of CEOs not feeling fully prepared for a cyber event.
- 30% of CEOs rank Cyber Security as one of the top 5 risks for the next 3 years.
- 56% of CEOs are concerned about the data they are basing decisions on.

Source: KPMG analysis with information from IDC and KPMG's Global CEO Outlook 2017

TECHNOLOGY OVERVIEW

TECHNOLOGY EVOLUTION

- MAINFRAMES: 1940-1970
- PC/SERVER: 1980's
- INTERNET: 1990's
- E-COMMERCE/CLOUD: 2000
- DIGITAL: 2010

Technology evolution had key moments through history, like the first computer and the creation of the WWW; however, in recent years its changes have been faster, deeper and more complex, changing interactions and human routines.

- The first computer worked with a binary system and a vacuum tube.
- Later on, computers could be reprogrammed and worked with transistors, allowing computers to be cheaper, faster and smaller.
- Minicomputers appeared in the 60's with keyboard and monitor, increasing their reliability and reducing their energy consumption.
- Computers could be personalized with software.
- Personal computers (PC) appeared in the market, which led to the microcomputer industry boom.
- Network file systems similar to local storage were developed, allowing users on a client computer to access files in a network.
- Banks of servers were installed in several companies, so data rooms were created.
- The World Wide Web was created and every company wanted fast internet connectivity and nonstop operations.
- Server rooms started to grow, which needed larger facilities, so the service of data center became popular.
- The Internet allowed faster and more efficient connectivity, with access to information and companies from all over the world.
- Through simple websites, delivery companies were created, allowing ecommerce.
- Online marketplaces started increasing, allowing customers to compare prices and reviews.
- Online storage and infrastructure services were being developed, a predecessor to cloud-based services.
- The first smartphones appeared in the market, allowing internet access in your hand.
- Data centers became virtual and global, becoming more efficient and cheaper.
- Companies used Big Data to store, analyze and monetize information of their business, making datafication a trend.
- Constant connection and communication: hyperconnectivity appears in the industry.
- Digital labor and professional augmentation.
- Artificial intelligence.

Source: KPMG analysis with information from Dublin City Council and Forbes.

TECHNOLOGY OVERVIEW

TECHNOLOGY TRENDS

EMERGING TECHNOLOGIES MEGATRENDS

The force and speed with which technological innovation is moving through the economy is creating an inflection point for the business sector.

In terms of technology, there are three main trends that cluster the expected improvements that will strengthen business capability:

- ARTIFICIAL INTELLIGENCE EVERYWHERE: Deep Learning, Deep Reinforcement Learning, Artificial General Intelligence, Autonomous Vehicles, Commercial UAVs (Drones), Conversational User Interfaces, Enterprise Taxonomy and Ontology Management, Machine Learning, Smart Dust, Smart Robots, Smart Workspace
- TRANSPARENTLY IMMERSIVE EXPERIENCES: 4D Printing, Augmented Reality, Brain-Computer Interface, Connected Home, Human Augmentation, Nanotube Electronics, Virtual Reality, Volumetric Displays
- DIGITAL PLATFORMS: 5G, Digital Twin, Edge Computing, Blockchain, IoT Platform, Neuromorphic Hardware, Quantum Computing, Serverless PaaS, Software Defined Security

Source: KPMG analysis with information from 1) Gartner 2017, 2) Gartner 2017 Hype Cycle for Emerging Technologies.

HYPE CYCLE FOR EMERGING TECHNOLOGIES

[Figure: hype cycle chart, as of July 2017. Axes: Expectations over Time. Phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Legend: plateau will be reached in less than 2 years, 2 to 5 years, 5 to 10 years, or more than 10 years.]

TECHNOLOGY OVERVIEW

STRATEGIC TECH TRENDS – SMART CITIES & INDUSTRY 4.0

In the strategic sphere for technology, two main trends are being promoted and considered as the highest level of digitalization: Smart Cities in a governmental/public approach and Industry 4.0 for private businesses.

SMART CITIES (1)

Main idea: A Smart City is an innovative city that, through information & communication technologies (ICTs) and other means, effectively integrates physical, digital and human systems to improve quality of life, efficiency of urban operation and services, and competitiveness, while ensuring the satisfaction of present and future generation needs.

INDUSTRY 4.0 (2)

Main idea: Industry 4.0 is the new industrial revolution that introduces digital technologies and digital transformation to the industries. Industry 4.0 addresses the digitalization of complex value chains, aiming at future cross-industry models with high digital technology use.

KEY TECH ENABLERS / SHARED KEY TECH ENABLERS

- Networking and communications
- Simulation and prototype
- Augmented reality
- Robotics
- Process integration
- Open data
- Urban Operating System
- Cloud computing
- Internet of things (IoT)
- Additive manufacturing
- Cybersecurity
- Process integration

Source: KPMG analysis with information from 1) Department for Business Innovation & Skills and IEEE 2017 2) Gartner 2017 and IEEE 2017

TECHNOLOGY OVERVIEW

TACTICAL TECH TRENDS - INTERNET OF THINGS

IoT connectivity has undergone consolidation as vendors' portfolios have become larger. The IoT market is expected to grow at a rate of 17.8% from 2017-2025, enabling smart solutions in major industries.

OUR PERSPECTIVES

In terms of people rather than of companies, IoT for medical uses, connected homes and wearable technology are expected to be the main trends.

MARKET SIZE

IoT (1) installed base, global market (Billions USD), forecast +17.8%:

2015: $15; 2016: $18; 2017: $20; 2018: $23; 2019: $27; 2020: $31; 2021: $36; 2022: $43; 2023: $51; 2024: $62; 2025: $76

As Big Data and Cloud solutions mature, new applications for IoT solutions arise, driving growth for this industry. In global terms, predictive maintenance, smart agriculture and smart cities are considered key drivers for the IoT industry.

By 2020 it is expected that 50 billion devices will be connected through IoT. Connected devices per person, which barely reached 2 in 2010, are expected to grow at a 13% CAGR, reaching 7 devices per person by 2020.

Key challenges to growth are the security and scalability of all new connected devices and the adherence to open standards to facilitate large-scale monitoring of different systems.

CONNECTED IOT (1) DEVICES IN 2017 AND EXPECTED CAGR

Billion objects connected in 2017, with CAGR 2015-2025:

- Military & aerospace: 0.01 (CAGR 13%)
- Automotive: 0.20 (CAGR 22%)
- Medical: 0.32 (CAGR 18%)
- Computers: 1.70 (CAGR 2%)
- Industrial: 3.60 (CAGR 28%)
- Communications: 6.00 (CAGR 9%)
- Consumer: 8.00 (CAGR 16%)

Note: (1) IoT is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.

Source: KPMG analysis with information from University of Maryland University College (UMUC), Cisco IBSG and IHS

TECHNOLOGY OVERVIEW

TACTICAL TECH TRENDS – CLOUD

Rapid growth in the Cloud Computing market can be attributed to increased customer confidence in the technology, mainly driven by customized service delivery models and cost-effective product offerings.

In terms of people rather than of companies, Cloud is still a disruptive trend mainly used for individual storage purposes and communication via Cloud-based apps.

Global Cloud Market (Billions USD), forecast +30.0%:

2015: 73; 2016: 95; 2017: 122; 2018: 159; 2019: 208; 2020: 270

The Cloud Computing market is expected to almost quadruple in terms of value between 2015 and 2020, reaching 270 billion USD.

The main benefit of cloud solutions is that they are capital-expenditure-free, flexible and scalable solutions that can be accessed from any location, without the hassle of maintenance. Growth in adoption is predominantly driven by an increased sense of security (trusted companies), customized solutions and lower cost for companies:

- Security, privacy and regulatory concerns in cloud usage have led the growth of Cloud solutions. This helps accommodate traditionally conservative industries such as Healthcare, the Public sector and Financial services.
- Cloud services are shifting away from a "one size fits all" solution towards a more flexible business model in order to accommodate the needs of individual businesses (e.g. capacity volume, maintenance and service levels).
- As datacenters grow in size, cloud solution costs decrease rapidly, making it affordable and attractive for companies.

Key challenges to growth revolve around the reliability and real-time accessibility of the network (e.g. minimizing the impact of maintenance downtime).

Global Cloud Computing market structure (axis: required investment / scale of operation, High), with key solutions per layer:

- SaaS (Software as a Service): cloud-hosted software solutions offered to clients via the internet; maintenance, storage and installation of software.
- PaaS (Platform as a Service): operating system to develop and run software; platform that connects client software with database software.
- IaaS (Infrastructure as a Service): physical data storage across different locations; infrastructure (e.g. networks, servers); maintenance and administration.

Source: KPMG analysis with information from KPMG Germany and Market media research

TECHNOLOGY OVERVIEW

TACTICAL TECH TRENDS - URBAN OPERATING SYSTEMS (UOS)

By 2020 it is expected that the global market for smart urban systems will reach 400 billion dollars. The benefits of this technology are broad but should be compared to the cost of potential attacks.

Connectivity, new urban mobility plan and security strategy are expected to be the main trends.

Definition: It is fed information from an integrated sensor network within the urban environment.

UOS platform: UOS provides one of the platforms for the IoT. It enables Living Cities and Machine Learning Communication (M2M).

Benefit of UOS:

- Access to Mailbox everywhere in the city,
- A complete transformation of retail and leisure,
- An enhanced tourism,
- Solutions for transportation,
- Healthcare and public safety,
- Facilitate the industrialization of the internet.

Limits: High cost, not enough server capacity, and lack of coverage.

Key areas:

- Transportation: mobility electronic market for optimized travel; SMART "Future Mobility" project; the road to future urban mobility; estimating social welfare of traffic information systems.
- Networks: motion coordination and vision-based control of unmanned air and ground vehicles; resilient design of networked infrastructure systems: models, validation, and synthesis.
- Sensing and data mining, e.g. mining big data to link affordable housing policy with traffic congestion mitigation in Beijing, China.
- Urban and regional systems, e.g. a simulation-based optimization algorithm for dynamic large-scale urban transportation problems.

Challenges: Communication, security, availability, resiliency, energy efficiency, network bandwidth, focus on the citizens, Big Data and standards.

Investment: By 2020 it is expected that the Global Market for Smart Urban Systems will reach 400 billion dollars.

Main companies to offer Urban Operating System:

Source: KPMG analysis with information from the University of Sheffield, Civil and Environmental Engineering MIT, and IEEE.

CYBERCRIME GLOBAL OVERVIEW

GLOBAL TRENDS AND THREATS

GLOBAL CYBER RISKS

The higher the digitalization level of a company, the greater the vulnerability of its systems. Cybercrime costs the world US$575 billion per year, representing 0.5% of the world Gross Domestic Product.

Source: KPMG analysis with information of CYBERCRIME LOSS AS A PERCENT OF GDP (McAfee 2014) and The Global Risk Report (World Economic Forum 2017)

Cyberattacks are ranked within the top 10 Global Risks in terms of likelihood of occurrence, together with extreme weather events, large-scale involuntary migration, natural disasters, and terrorist attacks. In terms of impact, cyberattacks are positioned above the average of the evaluated risks, whose top 3 include weapons of mass destruction, extreme weather events and water crises.

The rise of cyber dependency due to increasing digital interconnection of people among different infrastructure networks is increasing the scope for systemic failures.

[Figure: world map of cybercrime loss as a percentage of GDP for selected countries: Brazil, South Africa, Colombia, Mexico, US, UK, Canada, Norway, Zambia, Kenya, UAE, Italy, Ireland, Saudi Arabia, Germany, Singapore, Malaysia, France and Nigeria.]

WORLDWIDE CYBERSECURITY DIAGNOSTIC

EVOLUTION OF CYBER-ATTACKS

From 2005 to 2017, 5,290 billion identities and data have been stolen. Personal financial information accounted for almost 40% of the data.

Data and identities stolen (in millions) 2005-2017

- 2005: 44.2
- 2006: 70.3
- 2007: 156.3
- 2008: 130.0
- 2009: 256.8
- 2010: 16.1
- 2011: 229.0
- 2012: 704.5
- 2013: 1,252.3
- 2014: 913.0
- 2015: 429.0
- 2016: 506.3
- 2017: 601.0

Main incidents by year:

- 2002: Several companies; ShadowCrew, with around 4000 members, was able to siphon information from 45 million credit and debit cards.
- 2005: AOL, Citigroup, Cardsystems Solution: e-mail sold to spammers and credit card fraud enabled.
- 2006: US Dept of Vet Affair, T-Mobile, AOL: criminals stole information from high-profile German citizens, and a computer containing important personal data was lost.
- 2007: TK/TJ Maxx, UK Revenue, TD Ameritrade, Hannaford Brothers Supermarket Chain: data stolen on people and their credit and debit cards.
- 2008: Utah Hospitals & Clinics, University of Miami, UK Ministry of Defense: social security, health information, bank details, address and salary data stolen.
- 2009: Virginia Dept. of Health, US Military, RockYou, Heartland: patient records, incentive payments, user accounts.
- 2010: New York City Health & Hospital, JP Morgan, Educational Credit Management Corp, Betfair: credit card data, personal records.
- 2011: Washington Post, Tricare, Sutter Medical Foundation, Sony PSN: user IDs, email, patient data, personal data, credit card data.
- 2012: Zappos, Iranian banks, South Carolina Government, 7-Eleven, LinkedIn, Greek government, Dropbox, Apple: personal information from patients, credit card data.
- 2013: Yahoo Japan, Vodafone, Tumblr, Snapchat, NMBS, LivingSocial, Kissinger cables, Evernote, Adobe: personal data, diplomatic records.
- 2014: Yahoo, UPS, Target, Sony, New York Taxis, Japan Airlines, Home Depot, eBay, Gmail: personal information from patients, credit card data, GPS routes.
- 2015: Voter Database, US Office of Personnel Management, Mspy, British Airways: voters' data, personal data (eye color, friends, etc.).
- 2016: MySpace, Banner Health, Anthem, Dailymotion, Mobile company, Telegram: banking details, users, passwords, personal info.
- 2017: Deloitte hack: at least 350 key accounts' information compromised.

Source: KPMG analysis with information from Symantec volume 22, dTheftCentre and DataBreaches.net.

GLOBAL TRENDS AND THREATS

GLOBAL CYBER ATTACKS (1/3) – TYPE OF TECHNOLOGY AFFECTED

It is not only about who is affected or why it is happening; the affected technology will determine the damage of an attack. Protecting a company is not enough if the user devices remain vulnerable.

Pattern

In terms of incident classification patterns, Web App Attacks, Cyber-Espionage and Privilege Misuse represent more than 50%.

[Chart: share per incident classification pattern. Patterns shown: Web App Attacks, Payment Card Skimmers, Cyber-Espionage, Physical Theft and Loss, Privilege Misuse, Crimeware, Miscellaneous Errors, Denial of Service, Point of Sale, Else.]

Action

Hacking and malware have grown over the past 10 years with a clear exponential pattern.

- Hacking: 62% of breaches featured hacking; 81% of them leveraged stolen or weak passwords.
- Misuse: 14% of breaches involved privilege misuse.
- Malware: Over half of breaches (51%) included malware. Ransomware represents more than half of malware incidents.
- Social: 43% were social attacks.
- Errors: Errors were causal events in 14% of breaches.
- Physical: Physical actions were present in 8% of breaches.

Asset

User devices were clearly the main target in terms of security incidents.

Security incidents per type of asset (incidents):

- User Devices: 6,769
- Server: 3,426
- Media: 1,637
- Person: 1,181
- Kiosk/Terminal: 121
- Network: 20

Source: KPMG analysis with information from 2017 Data Breach Investigations Report Verizon

GLOBAL TRENDS AND THREATS

GLOBAL CYBER ATTACKS (2/3) - WHO IS BEHIND THE ATTACK

It is not only about filtering threats, but also about insiders' learning capacity, because as long as stakeholders have knowledge, motives and entries, cyber attacks will remain a risk for countries, businesses and people.

Behind the breaches: Stakeholders

Cyber attacks will show different patterns and outcomes depending on the stakeholders behind them.

- Outsiders: 75% of the breaches were perpetrated by outsiders.
- Organized criminal groups: 51% of the breaches involved organized criminal groups.
- Internal stakeholders: 25% of the breaches involved internal actors.
- State-affiliated stakeholders: 18% of the breaches were conducted by state-affiliated actors.
- Multiple parties: 3% of the breaches featured multiple parties.
- Involved partners: 2% of the breaches involved partners.

Groups

There are several groups, each of which attacks for a specific reason.

- Nation state: cyber warfare, cyber espionage
- Organised crime
- Individual criminal
- Hacktivists
- Insiders: inadvertently or deliberately

Organized crime is often involved in these attacks and sometimes works with other groups such as internal actors, partners, outsiders and multiple parties.

Source: KPMG analysis with information from 2016 Data Breach Investigations Report, Verizon

GLOBAL TRENDS AND THREATS

GLOBAL CYBER ATTACKS (3/3) - MAIN DRIVERS

Cyber attacks will persist as long as motives keep exceeding risks and regulations. While financial motives have driven attacks for many years, others have gained importance, such as information-based power sponsored by espionage.

Threat actors motives

There are different motives that may trigger cyber attacks, thus a segmentation enables a more specific analysis not only for countries but also for industries.

Each of the following groups presents a main motive for a cyber attack, with subcategories or examples to explain the main idea.

- Financial: money, bribery, identity theft
- Espionage: coercion, military motives
- Ideology: protest/influence, justice, generate chaos/vulnerability
- Grudge: immobilize the competition, revenge
- Fun: curiosity, challenges, adrenaline
- Others

Share of incidents by motive:

- Financial: 63.0%
- Espionage: 26.0%
- Others: 11.0%

During the last four years espionage has gained market share from financial in terms of motivation behind executing a cyber attack, exceeding 25% of the incidents.

Although there is an expected growth within espionage motivation, the market's perspective states that financial motives will remain the key factor for cyber attacks.

Source: KPMG analysis with information from 2016 Data Breach Investigations Report, Verizon

GLOBAL TRENDS AND THREATS

AFFECTED INDUSTRIES

Depending on the nature of a business and the sector in which it operates, a company is exposed to its own set of cyber risks.

Data breaches per industry (Percentage):

- Professional: 5.6%
- Administrative: 1.4%
- Information: 5.8%
- Unknown: 3.5%
- Other services: 6.3%
- Education: 3.8%
- Manufacturing: 6.4%
- Retail: 4.8%
- Accommodation: 10.4%
- Public: 12.4%
- Healthcare: 15.3%
- Finance: 24.3%

Most affected industries

Financial institutions and the healthcare sector are the most exposed industries in terms of cyber risks, not only because of the number of data breaches that have occurred but also because of the sensitivity of the data and the impact of each loss, which ranges from economic to loss of life.

The energy, utilities, transport and telecommunications sectors are becoming key industries in terms of cyber risks because of the sensitivity of the data and the severity of the possible outcomes.

A major cyber-attack or incident involving an energy or utility company could result in a significant outage, physical damage, or even loss of life, while a cyber war between two countries could disrupt internet services around the world.

Source: KPMG analysis with information from 2016 Data Breach Investigations Report, Verizon

GLOBAL TRENDS AND THREATS

THE REAL COST OF A STOLEN RECORD

Due to the sensitivity of the information, data across industries is not worth the same. On average, a stolen record costs $141, while in the healthcare industry it costs more than $380 and in the public sector $80.

Average cost of a stolen record (US Dollars); average: 141

- Consumer: 132
- Public: 71
- Energy: 137
- Media: 119
- Research: 101
- Industrial: 149
- Retail: 154
- Communications: 150
- Technology: 165
- Transportation: 123
- Life science: 188
- Hospitality: 124
- Education: 200
- Services: 223
- Financial: 245
- Healthcare: 380

[Charts: "Cost reduction of each stolen record with Cyber Security implementation" (US Dollars, annotated -74%) and "Cost incrementation of each stolen record" (US Dollars, annotated +49%). Factors shown: incident response team, extensive use of encryption, provision of ID protection, consultants engaged, rush to notify, lost or stolen devices, use of mobile platforms, compliance failures, extensive cloud migration, third party involvement, employee training, BCM, threat sharing, use of DLP, insurance, CISO, use of security analytics, data classification, board involvement, CPO appointed.]

Source: KPMG analysis, with information from 2017 Cost of Data Breach Study: Global Analysis Ponemon Institute/ IBM

CYBERSECURITY GLOBAL OVERVIEW

CYBERSECURITY MARKET SIZE

The global cybersecurity market is estimated to grow at a CAGR (1) of 18.1% to reach 203 billion USD by 2021, even though the growth projection is unlikely to be linear. The historical lack of reported incidents and the ever-changing environment of the industry make future projections challenging.

Cybersecurity market (Billion USD), +18.1%:

2015: $75; 2016: $89; 2017: $105; 2018: $124; 2019: $146; 2020: $172; 2021: $203

Cybersecurity market size is expected to grow at a double-digit CAGR for the next 5 years, exceeding 200 billion dollars by 2021.

Cybersecurity industry growth is expected to be driven mainly by 3 factors: the increase of people's connectivity, cybercrimes and digital trends.

Protection needs against cybercrimes will boost the cybersecurity industry. Cybercrime damage cost is expected to double within 6 years, reaching 6 trillion dollars.

The rapid development of IoT devices and cloud adoption poses many changes that will act as important drivers for the cybersecurity industry, for example the struggle with security of critical infrastructure as it becomes "smart and connected". As the number of devices connected to a corporate network increases, security moves away from the corporate perimeter to the end point devices, including IoT devices, increasing the network's vulnerability.

Cloud usage leads to less hardware on the premises, changing the dynamics of what needs to be secured in an organization's digital environment.

Note: (1) CAGR, compound annual growth rate, is the mean annual growth rate of an investment over a specified period of time longer than one year.

Source: KPMG analysis with information from Cyber Security market report q4 2016 and Gartner.

CYBERSECURITY EVOLUTION (1/2)

RISK MANAGEMENT

1940-1970

DEVELOPING DECADES

1980’S

RESILIENCE ATTITUDE

1990’S

RESILIENCE, REACTIVE APPROACH

2000 2010

The digital revolution has occurred at a fast pace, driving important growth in cybersecurity and forcing suppliers and customers to evolve and react.

Process to manage natural disaster

First disaster recovery in response to system failure

Virus protection developed

Emergence of an antivirus industry

Business switched to online

Outsourcing of services (e.g. cloud)

Increase in connectivity

Global shocks of phenomena: terrorist, climate, political

Cyber espionage and cyber turned state-sponsored

Development of modern encryption

Hardware: Firewall for the biggest companies

Network: password, token

Software: Antivirus signature

Standard: BS 7799, Part 1

Hardware: Firewall

Network: private corporate network, password

Data: Layers

Software: patch, update

Standard: BS 7799, Part 2

Capacity: IT department

Capacity: shortage of qualified security professionals, IT department and cybersecurity department

Standard: ISO/IEC 27003:2010

Hardware: SIEM, AntiDDoS-DoS

Network: IAM (1)

Data: Layers, encryption

Software: Encryption, DLP, HIPS, Virtual SIEM, Network Forensics

Standard: ISO/IEC 27001, ISO/IEC 27005

Cost of attacks: $USD 455 million in 2002

Note: (1) Identity and access management.
Source: KPMG analysis with information from Cisco, The Wall Street Journal, MITRE, Graham, CSI/FBI 2002 Computer Crime and Security Survey, Juniper Research, Speakers of BlackHat and Gartner

MAINFRAMES PC/SERVER INTERNET E-COMMERCE/CLOUD DIGITAL

CYBERSECURITY EVOLUTION (2/2)

PRO-ACTIVE, HOLISTIC, RISK-BASED APPROACH

DIGITAL DISRUPTION

2020-2027

Adaptive cybersecurity defense is addressing the new, relentless and smarter threats. For the next 10 years, cybersecurity trends are expected to focus on protecting valuable information and mitigating those threats.

The digital age will need strong security and ethics during the customer journey

Hardware: Firewall, Deception traps, Threat Protection Systems, Orchestration solutions

Network: private corporate network (user rights), recognition technology, IDaaS (2), network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms, nSIEM UBA/UEBA

Data: Layers, encryption, SSL Visibility, IOC, YARA Rules, SDN, NFV

Software: machine learning and artificial intelligence technologies, update, Enterprise Immune System, File Integrity Monitor, Proactive hunting Solutions and Playbooks

Standard: ISO/IEC 27032, UL 2900-1

Capacity: enough qualified security professionals, cybersecurity department

Policy: cyber security policy

Note: (2) Identity-as-a-Service.
Source: KPMG analysis with information from Cisco, The Wall Street Journal, MITRE, Graham, CSI/FBI 2002 Computer Crime and Security Survey, Juniper Research, Speakers of BlackHat and Gartner

G L O B A L T R E N D S A N D T H R E A T S

GLOBAL INDUSTRY SUMMARY

Digital trends increase systems' vulnerability, raising cyber risks and boosting the evolution of cybersecurity.

Digital: “Digital” is increasingly becoming a trending topic in business strategy, driven by the requirements of the operating environment.

Cyber risks: The higher the digitalization level of a company, the greater the vulnerability of its systems.

Country analysis: Legal, technical, organizational, capacity building and cooperation are key pillars to develop and strengthen the cybersecurity industry.

R E G U L A T O R Y O V E R V I E W

W O R L D W I D E C Y B E R S E C U R I T Y D I A G N O S T I C

GLOBAL ANALYSIS

Extending the rule of law into cyberspace is a critical step to create a trustworthy environment for people and businesses. However, many Latin American countries are lagging behind the most advanced, such as Singapore and the USA.

Figure: Data protection law around the world: regulation and enforcement, 2017. Legend: Limited, Heavy, Moderate, Robust.

Note: (1) Critical infrastructure: energy, transport, financial services, health and food supply chain.
Source: KPMG analysis with information from DLA Piper, eMarketer and G20 report.

Critical infrastructure law

Critical infrastructure (1) is one of the main concerns of governments; new attacks such as botnets are becoming prevalent in 2017. The incapacitation or destruction of an asset could have an effect on security, as in the 2016 attacks in Ukraine and Israel.

Personal data laws and system/infrastructure obligations are not integrated or reconciled in 2017.

In 2017, President Trump signed an Executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” and in 2016, the Federal Energy Regulatory Commission (FERC) developed the Critical Infrastructure Protection (CIP), one of the cybersecurity standards for the US power grid. The North American Energy Standards Board (NAESB) has also approved several cybersecurity standards for various segments of the energy industry.

Budapest convention

Through the Budapest agreement (effective in 2004) there is an international guideline to help countries fulfill their requirements against attacks.

It serves as a guideline for many countries; in 2017, 56 countries had signed the treaty.

E-commerce data logistic regulation

Retail e-commerce sales reached $USD 1.915 trillion in 2016, which represents 8.7% of total retail spending worldwide. They are expected to reach $USD 4.058 trillion in 2020 (14.6% of total retail spending in the same period).

National laws have been influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures (2001) and Electronic Communications in International Contracts (ECC) (2007). Currently, “trust and security” are still a challenge.

REGIONAL ANALYSIS

In 2017, every region in the world has one leading country involved in an advanced cybersecurity program; the difficulty for them is to find a representative speaker and coordinate a common strategy.

Source: KPMG analysis with information from European Commission, “Observatorio de la ciberseguridad en América Latina y en el Caribe”, BID, 2017, ITU GCI and several government databases.

Regions compared: EUROPE, ASIA, AMERICA, AFRICA, MEDITERRANEAN & MIDDLE EAST

CYBER REGULATION AND LAWS FROM COUNTRIES UNION

Europe:
- Directive on security of network and information systems (NIS Directive)
- Directive on attacks against information systems 2013/40/EU
- General Data Protection Regulation

Asia: Neither global regulation nor laws

America: Neither global regulation nor laws

Africa: Neither global regulation nor laws

Mediterranean & Middle East: Neither global regulation nor laws

CO-OPERATION

Europe:
- Budapest Convention
- United Nations (Resolutions 55/63 and 56/121)
- The European Network and Information Security Agency's (Regulation 460/2004) (ENISA)

Asia:
- Budapest Convention
- United Nations (Resolutions 55/63 and 56/121)
- ENISA
- The ASEAN Cyber Collaboration Centre (ACCC)
- APEC Telecommunications and Information Working Group

America:
- Budapest Convention
- United Nations (Resolutions 55/63 and 56/121)
- G-8 24/7 Network

Africa:
- Budapest Convention
- United Nations (Resolutions 55/63 and 56/121)
- G-8 24/7 Network

Mediterranean & Middle East:
- Budapest Convention (3)
- United Nations (Resolutions 55/63 and 56/121)
- G-8 24/7 Network

RESPONSE TO CYBERCRIME

Europe:
- Interpol / G-8 24/7 Network
- NATO (Cyber Defense Centre of Excellence)
- Europol's European Cybercrime Centre (EC3)
- The EU institutions' Permanent Computer Emergency Response Team (CERT-EU)
- European Defense Agency (EDA)

Asia:
- Interpol / G-8 24/7 Network
- OECD guidelines (ICCP: Computer and Communications Policy, WPISP: Working Party for Information Security and Privacy)
- Several CSIRTs (computer security incident response team) for the most advanced cybersecurity countries: Japan, Singapore

America:
- NATO (Cyber Defence Centre of Excellence)
- The APEC Telecommunications and Information Working Group (TEL WG)
- OECD guidelines (ICCP, WPISP)
- Interpol / G-8 24/7 Network
- Several CSIRTs for the most advanced cybersecurity countries: USA, Canada

Africa:
- Interpol / G-8 24/7 Network
- Several CSIRTs for the most advanced cybersecurity countries: South Africa, Tunisia

Mediterranean & Middle East:
- OECD guidelines (ICCP, WPISP)
- Interpol / G-8 24/7 Network
- Several CSIRTs for the most advanced cybersecurity countries: Oman, Israel

B E S T P R A C T I C E S

COUNTRY SELECTION

Based on the Global Cybersecurity Index we selected 4 countries whose overall cybersecurity maturity serves as an example for understanding the key milestones and developments needed to strengthen a cybersecurity market.

Source: KPMG analysis with information from ABI Research and ITU.

LEGAL

• Cybercriminal legislation

• Cybersecurity regulation

• Cybersecurity training

TECHNICAL

• National CIRT

• Government CIRT

• Sectorial CIRT

• Standards for organizations

• Standards and certification for professionals

• Child online protection

COOPERATION

• Intra-state cooperation

• Multilateral agreements

• International fora participation

• Public-private partnerships

• Inter-agency partnerships

CAPACITY BUILDING

• Standardization bodies

• Good practices

• R&D programmes

• Public awareness campaigns

• Professional training courses

• National education programmes and academic curricula

• Incentive mechanism

• Home-grown cybersecurity industry

ORGANIZATIONAL

• Strategy

• Responsible agency

• Cybersecurity metrics

MOST COMMITTED COUNTRIES IN CYBERSECURITY

Singapore, with a recent rise in the ranking; the United States, as a leader; and Malaysia and Oman, as potential future models for neighboring countries, were some of the highest ranked in terms of the GCI index.

Source: KPMG analysis with information from ABI Research and ITU.

Figure: Global Cybersecurity Index 2017 radar charts, one per country, each on a scale from 0.5 to 1 with the axes Legal, Technical, Organizational, Capacity Building, Cooperation and GCI Score:

• Singapore: ranked first in 2017

• United States: ranked second in 2017

• Oman: ranked third in 2015

• Malaysia: ranked fifth in 2017

CYBERSECURITY REGULATION (SINGAPORE)

In 2017 Singapore is adopting a strict regulatory regime and focusing on resilience issues. Due to the rapid growth of connected objects and the lack of suitable university programs, it built its own cyber academy.

Source: KPMG analysis with information from ITU and Singapore government.

Legal and regulatory experience:

• 2005 - Cybersecurity master plan

• 2008 - 2nd National cyber security master plan

• 2011 - MAS issues IT outsourcing directive

• 2013 - National Cyber Security Master plan 2018

• 2013 - Extensive guidance in Tech Risk Management Guidelines

• 2014 - MAS issued third parties publication on consultation paper on outsourcing and vulnerability assessment directive

• 2015 - MAS issues early detection of incidents directive

• 2016 - Cybersecurity Strategy

Control framework: Detailed and comprehensive framework of controls, broadly aligned to ISO 27001/27002

Main strength: Singapore's Internet Content Providers (ICPs) and Internet Access Service Providers (IASPs) are licensable under the Broadcasting Act and they are required to comply with the Internet Code of Practice to protect children online. All service providers have been legally obligated to offer filtering services with Internet subscriptions and to make this known to consumers when they subscribe or renew.

Industry collaboration: Internet Content Providers (ICPs) and Internet Access Service Providers (IASPs) are obliged to comply with the Internet Code of Practice to protect children online.

Training | Certification: CSA Academy partner with FireEye.

Agencies to fight: Cybersecurity agency (2015), formerly Singapore Infocomm Technology Security Authority (SITSA), with the Singapore Computer Emergency Response Team

Incident Reporting: Detailed approach to incident management including mandatory MAS notification of incidents. RAFFLES series of cross-market resilience exercises.

International cooperation: organized the Singapore International Cyber Week and hosted the 2nd ASEAN Ministerial Conference on Cybersecurity.

CYBERSECURITY REGULATION (USA)

Leading the ranking in terms of legal environment and capacity building, the United States sets an important benchmark for other countries. The intention to coordinate cybersecurity among all states within the USA is one of the country's key initiatives for the cybersecurity industry.

Note: (1) ICANN: the Internet Corporation for Assigned Names and Numbers, (2) National Infrastructure Protection Center, (3) National White Collar Crime Center, (4) Internet Fraud Complaint Center.
Source: KPMG analysis with information from ITU and US government.

Legal and regulatory experience:

• 1984 - first effective law as The Computer Fraud and Abuse Act (CFAA)

• 1996 - The National Information Infrastructure Protection Act (NIIA)

• 1998 - Digital Millennium Copyright Act (DMCA)

• 1999 - Cyberspace Electronic Security Act

• 2001 - Patriot Act

• 2002 - Cyber Security Enhancement Act (CSEA)

• 2003 - CAN-SPAM law

• 2005 - Anti-Phishing Act

• 2009 - released Cybersecurity Report and policy

• 2010 - Cybersecurity Act

Control framework: NIST Framework saw growth in adoption and started to overtake ISO

Main strength: Vision to coordinate cybersecurity among all states: creation of the Resource Center for State Cybersecurity, which offers best practices, tools and guidelines. Interagency partnerships / cross-government security information sharing agreement. The Multilateral Information Sharing Agreement (MISA) binds government agencies from defense, health, justice, intelligence community and energy to work collaboratively to enhance cybersecurity information sharing.

Industry collaboration: in 2008 the second annual Cyber Storm conference was exercised, involving 9 states, 4 foreign governments, 18 federal agencies and 40 private companies; ICANN (1) signed an agreement with the United States Department of Commerce in 2009; 2010 National Cyber Security Alliance's public awareness campaign; Internet Service Providers (ISP) are encouraged to fight against cybercrime; the Federal Financial Institutions Examination Council (FFIEC) issued a Cybersecurity Assessment Tool in 2015.

Training | Certification: several private initiatives, NICCS Education, Free Government Cybersecurity Training, National Centers of Academic Excellence (CAE) program, ICS-CERT.

Agencies to fight: FBI, NIPC (2), NWCCC (3), IFCC (4), Computer Crime and Intellectual Property Section of the Department of Justice (DoJ), Computer Hacking and Intellectual Property Unit of the DoJ, and Computer Emergency Readiness Team/Coordination Center (CERT/CC).

Incident Reporting: Information sharing between private companies and federal government through FS-ISAC. Information sharing legislation passed by Congress.

International cooperation: USA signed and ratified the Budapest Convention (European Union regulation) and participated in G8/OECD/APEC/OAS/U.S.-China meetings (outcomes to be signed).

CYBERSECURITY REGULATION (MALAYSIA)

Leading the ranking in terms of technical institutions and capacity building, Malaysia sets an important benchmark for other countries. The creation of the Information Security Certification Body, which manages information security certification, is one of Malaysia's key differentiators.

Source: KPMG analysis with information from Malaysia Cybersecurity annual report 2015 and Malaysia government.

Legal and regulatory experience:

• 1997 - operation of Malaysia Computer Emergency Response Team

• 1997 - Digital Signature Act, Copyright (Amendment) Act, Computer Crimes Act

• 1997 - 1998 - Communications and Multimedia Act

• 2001 - National ICT Security and Emergency Response Centre (NISER)

• 2005 - NISER established as a separate entity under the legislation of the Ministry of Science, Technology and Innovation (MOSTI)

• 2007 - Cybersecurity Malaysia

• 2008 - Electronic Transactions Act

• 2009 - Malaysia's Malware Research Center

• 2010 - Personal Data Protection Act

Control framework: The National Cybersecurity Policy (NCSP) takes care of the Critical National Information Infrastructure, certified under Information Security Management System (ISMS), ISO/IEC 27001

Main strength: Scores 100 on capacity building due to a range of initiatives in that pillar. Cybersecurity Malaysia, the government entity responsible for information security in the country, offers professional training via higher education institutions in Malaysia. It maintains the Cyberguru website, dedicated to professional security training.

Agencies to fight: Cybersecurity Malaysia under the legislation of the Ministry of Science, Technology and Innovation (MOSTI), Malaysia Computer Emergency Response Team (MyCERT), CyberDEF

Incident Reporting: Cyber999 Help Centre

Industry collaboration: annual CSM-ACE (public-private community partnership event), “National Security Council's Directive No. 24: Policy and Mechanism of the National Cyber Crisis Management”

Training / Certifications: MyCC Scheme, based on the Common Criteria ISO/IEC 15408; CSM27001 Scheme, based on Information Security Management System (ISMS) ISO/IEC 27001; Malaysia Trustmark, based on the WTA Guidelines; Cyber Security Professional Development Program

International cooperation: involved in regional collaborations among Computer Emergency Response Teams (CERT) such as APCERT and Organization of Islamic Cooperation Computer Emergency Response Team (OIC-CERT), Asia Pacific Computer Emergency Response Team (APCERT)

CYBERSECURITY REGULATION (OMAN)

During the last 15 years, Oman built a high-level security strategy, a master plan and a complete roadmap, evolving from a country targeted by cybercrime into a robust entity.

Source: KPMG analysis with information from ITU and Oman government.

Legal and regulatory experience:

• 2002 - The Telecom Act

• 2008 - The Electronic Transactions Law

• 2011 - The Cyber Crime Law

Control framework: Oman Information Technology Authority has an official cybersecurity framework based upon the ISO 27001 standard.

Main strength: Establishment of the eGovernance Framework, a set of standards / best practices and process management systems that enhance the delivery of government services in alignment with the mission of e.oman. The framework spells out the rules and procedures that ensure that government IT projects and systems are sustainable and in compliance with the Information Technology Authority (ITA) strategies and objectives.

Agencies to fight: Oman Computer Emergency Readiness Team

Incident Reporting: Oman Computer Emergency Readiness Team

Industry collaboration: Cyber Security Information Exchange

Training / Certifications: Oman National CERT with strategic collaborations like ISC, SANS and EC-Council; 350 public sector professionals certified; 7 government and public sector agencies certified.

International cooperation: ITU, FIRST, APWG, Malware alliance, GCC CERT/OIC CERT

D I G I T A L T R E N D S I N M E X I C O

D I G I T A L T R E N D S & D I S R U P T I O N I N M E X I C O

INTERNET PENETRATION IN MEXICO

The number of internet users in Mexico has grown at a CAGR of 9.8% over the past 5 years, mainly driven by the millennial generation. The increase in connectivity has spurred the growth of the Mexican digital economy.

Source: KPMG analysis with information from INEGI, CISCO, FMI and OEDE

Internet users went from 5% in 2000 to 59.5% in 2016. For the past five years, Internet users in Mexico grew at a 2-digit CAGR.

Today 75% of mobiles are smartphones due to their reduced cost and increased functionality and connectivity. As connectivity grows, vulnerability to attack increases, as each smartphone becomes a potential target for cybersecurity attacks.

Typically people between 18 and 24 years old use the Internet with the highest frequency, but it also has a very important penetration among the generations between 12 and 34 years old. On average, Mexican Internet users spend 7 hours a day on the Internet. This number represents an increase of an hour compared to one year ago.

The Mexican Federal Government developed the “Mexico Conectado” program in 2014 to increase access to free broadband Internet. This program is working to reduce digital gaps within the country through the deployment of more than 100,000 public space Internet spots.

Mexican Internet users (percentage of total population)

2012: 41%
2013: 46%
2014: 46%
2015: 47%
2016: 60%
CAGR 2012-2016: +9.8%

Internet users in Mexico per age group (percentage)

6 to 11 years old: 53%
12 to 17 years old: 85%
18 to 24 years old: 83%
25 to 34 years old: 71%
34 to 44 years old: 56%
45 to 54 years old: 42%
55 + years old: 18%

MOBILE PENETRATION IN MEXICO

Smartphone adoption has grown as technology has evolved. Whereas in 2015 50% of total connections were smartphones, this number is expected to exceed 70% by 2020.

Source: KPMG analysis with information from GSMA Intelligence and OECD

Over the years, Mexican users have become loyal smartphone customers, growing at a 3-digit CAGR since they started as the technology has evolved. Usage of these devices is expected to continue growing at a 7% CAGR from 2015 to 2020.

Along with the evolution of technology, customer usage has migrated through different stages. Not only are non-subscribed users expected to become less than 16% of the total population, but 3G + 4G has also become the most used technology and is expected to reach more than 60% of the mobile audience by 2020.

Figure: Mobile penetration in Mexico (percentage of population), 2000, 2005, 2010, 2015 and 2020. Series: Not subscribed; Voice only subscribers; Mobile internet 2G subscribers; Mobile internet 3G+4G subscribers; Smartphone penetration (% of connections).

IoT OVERVIEW IN MEXICO

IoT technologies have been gaining importance not only within countries but also for entire regions. The IoT market size in Mexico is expected to exceed 4 billion USD by the end of 2017.

Source: KPMG analysis with information from IDC

Latin America's IoT market share almost reaches 2% of the worldwide industry. Mexico's IoT market represents more than ¼ of the LATAM share.

The IoT market in Mexico is expected to grow at a 26% CAGR from 2016 to 2017, reaching 4.16 billion dollars by the end of the year. This growth is expected to be mainly driven by the interest in IoT technologies for industrial cases.

Investment in IoT technology will be mainly driven by the most impacted industries, including transportation, manufacturing and energy applications.

Figure: IoT market share (percentage). Categories: USA, Latin America, México, China, other countries.

IoT market size (billion dollars)

2015: 1.90
2016: 3.30 (+73.7%)
2017: 4.16 (+26.0%)

C Y B E R C R I M EI N M E X I C O

CYBERCRIME VULNERABILITY IN MEXICO

58% of Mexican CEOs do not feel confident about their cybersecurity preparation. The impact of cybersecurity incidents on the Mexican economy exceeded 3 billion dollars in 2016.

Source: KPMG analysis with information from CANIETI, PONEMON, INEGI, LexisNexis Millennials and Kaspersky.

Mexico is ranked as the 2nd country in Latin America with the most cyberattacks within a year.

Mexico's economic situation, along with its FDI and GDP figures, is expected to increase the interest of cyber attackers. Thanks to its strategic position and links with North America, Mexico is an attractive target for nation-state espionage groups.

The 2018 Mexican Presidential Elections could serve as a trigger for cyber attacks against governmental and political parties' websites.

Millennials are considered a high risk for sensitive and confidential data in the workplace, as they represent 39% of the total population and do not use additional security systems to lock their mobile devices (83%), while they tend to carry a lot of personal information on their smartphones and other connected devices.

Risk of leaks / attacks on sensitive and confidential data in workplaces, 2017

Age group: greatest risk per age group / population percent
18 to 34 (millennials): 55% / 39%
35 to 50 (gen X): 25% / 26%
51 to 69 (baby boomers): 20% / 10%

CYBERCRIME OVERVIEW IN MEXICO

Nowadays, reporting an incident not only does not lead to real solutions, but may also amount to a public demonstration of weakness.

Source: KPMG analysis with information from CANIETI, PONEMON, INEGI, Norton, LexisNexis Millennials and Kaspersky.
Note: (1) Information obtained from Kaspersky's Mexican clients.

Because current regulation and institutions still have opportunity areas in generating reaction plans, reporting an incident nowadays not only does not lead to real solutions, but also implies demonstrating a weakness; thus the number of real attacks is expected to be significantly higher than research shows.

In 2016, 39.1% of computer users were affected by malicious programs; the 10 safest countries had an average of 16%.

Cyberattacks are not only becoming more frequent within Mexico, but they are also becoming more expensive.

Cyberattacks in Mexico

Figure: Most common cybercrimes that consumers experienced, 2016. Categories: mobile device theft, password theft, hacked email (values shown: 33.0%, 26.0%, 20.0%).

Figure: Total maximum incidents per day (1), September 2017. Categories: spam, network attacks, on demand scan, local infection, web threat, infected mail, vulnerabilities, botnet activity.


FINANCIAL CYBERCRIME IN MEXICO

Online financial fraud is constantly increasing in Mexico, with a CAGR of 70.3% over the past 5 years, representing ~65 million dollars in financial impact.

Source: KPMG analysis with information from CANIETI, CONDUSEF, PONEMON, INEGI, LexisNexis, Arbor Networks and Comisión Nacional Bancaria y de Valores (CNBV)

In 2017, 100% of millennials were worried about stolen identities, 91% about stolen credit card information, and another 91% had very limited faith in financial institutions to protect their data.

Of the $USD 64.94 million claimed for online fraud, online retail operations are responsible for half of the total.

There was a large increase in cyber financial fraud cases in 2017, with a CAGR of 70.3% over the past 5 years.

Mexican Financial Institutions received between 60% and 70% extortion threats and it is estimated that 15% actually paid.

In Mexico, banks lost 150 million pesos due to attacks in 2015, 2016 and 2017 together but the recovery could be higher.

[Figure: Total cyber attacks, percent by industry, 2017. Categories: Financial, Telecommunication, Retail, Insurance, ICS, Other. Values shown: 15.0%, 15.0%, 5.0%, 5.0%, 21.0%, 39.0%.]

[Figure: Total claims for cyber-financial fraud, percent by industry, 2017. Categories: Internet operation, Cell phone payment, Internet retail, Personal operation, Cell phone bank. Values shown: 56.6%, 24.0%, 8.6%, 10.5%, 0.2%.]

[Figure: Cyber financial fraud, thousands, 2013 to 2017. Series: Cybernetic, Traditional. Totals: 2013: 1,490; 2014: 1,349; 2015: 1,684; 2016: 2,672; 2017: 3,341. Growth: +22.4%. Series values shown per year: 1,303 and 188; 1,116 and 233; 1,379 and 304; 1,835 and 837; 1,763 and 1,678.]


CYBERSECURITY OVERVIEW IN MEXICO


GENERAL REGULATORY FRAMEWORK

In 2017, there is no specific incentive for companies to improve their cybersecurity measures, but when they comply with a self-regulation scheme, authorities are more lenient when imposing penalties or sanctions for any breaches that occur.

Source: KPMG analysis with information from dlapiperdataprotection, Council of Europe and expert reports.

Authorities

Creation of Mexico's Computer Emergency Response Team (CERT-MX) under the jurisdiction of Mexico's Armed Forces, responsible for protecting critical infrastructure, managing cyber incident response, investigating electronic crimes, analyzing evidence and responding to digital threats that would affect the integrity of critical networks.

Specialized Information Security Committee

The Federal Institute for Access to Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos) (IFAI) and the Ministry of Economy (Secretaría de Economía).

Scientific Division of the Federal Police (División Científica) to operate forensic and criminology laboratories in coordination with the nation's intelligence agencies and to monitor and investigate cyber offenses, in particular identity theft, child pornography, cyber fraud and phishing.

Coordination Center for the Prevention of Digital Crimes (Coordinación para la Prevención de Delitos Electrónicos) to monitor and protect critical infrastructure.

Data Protection Authority in Mexico (INAI) in charge of solving any controversies derived from the exercise of personal data.

Federal Criminal Code: It contains a specific chapter related to cyberthreats and provides criminal penalties for persons who use, reproduce, distribute, store, sell or lease, among other conducts, copyrighted material in a malicious way, seeking financial gain and without the corresponding authorization.

The Federal Criminal Code regulates as the crime of sabotage the damage, destruction or harming of roads, public services, or state services; steel, electric or basic industries; and centres of production or distribution of weapons, ammunition or military equipment, with the aim of disrupting the economy or affecting the ability to defend.

Law of Credit Institutions: It sanctions diverse actions that affect any kind of financial payment instruments (e.g., credit or service cards) or the information contained on them. It may result in 3 to 9 years' imprisonment and a monetary penalty.

Telecommunications law: Telecommunication licensees should be able to handle requests for information, geographic localization and private communication surveillance.

Federal Law on the Protection of Personal Data held by Private Parties: It is regulated by the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares). Every private party, individual or organization that processes personal information has the obligation to appoint a data protection officer.

The regulation applies when the data controller is located in Mexican territory or on behalf of a Mexican data controller, as a consequence of Mexico's adherence to an international convention and uses means located in Mexico to process personal data (unless such means are used only for transit purposes). It applies to private individuals or legal entities which process personal data, and not to the government.

Violations of the Law may result in monetary penalties or imprisonment from 3 months to 5 years.

LEGAL


MEXICAN CYBERSECURITY MARKET OVERVIEW

During the last 5 years the cybersecurity market has become more fragmented, with many competitors joining in. Currently, not a single Mexican company is among the leaders in the market, where the main solutions are provided by leading multinationals.

Note: (1) Hardware could include data centers, routers and servers; software is related to email, malware, intrusion protection and VPN; services cover management, compliance, defense and cyber response.
Source: KPMG analysis with information from Gartner and cybersecurity experts.

Figure categories: Hardware and Software companies; Technology services; Risk consulting; Security administration.
Figure legend: Hardware; Software; Services; Main solutions (1); Commodity product; Innovate, leaders; SCADA/ICS security.

Companies shown:
• Cisco Talos
• Intel Security (McAfee)
• IBM
• KPMG Cárdenas Dosal, S.C.
• Scitum
• BlackBerry
• Dell (SecureWorks)
• PricewaterhouseCoopers
• Kio Networks
• Nokia
• Microsoft
• Deloitte
• Bestel
• ZeroFOX
• Symantec
• Accenture
• Axtel
• Arbor Networks
• Trend Micro
• Atos Origin
• Guidance Software
• Tata Consultancy Services
• TrapX
• Trustwave
• Darktrace
• FireEye
• Nuix
• WhiteHat Security
• MetricStream
• T-Systems
• Verizon
• AccessData

TECHNICAL


LEADING CYBERSECURITY COMPANIES IN MEXICO

IBM has invested in two data centers in Mexico and Microsoft is doing the same this year. Services and digital services are the new products (cloud, SaaS, etc.) that these companies are focusing on.

Source: KPMG analysis with information from Nexis, Factiva and annual report.

Even if the market for cybersecurity is mainly occupied by players such as Cisco and Symantec, new companies like Palo Alto Networks, Fortinet, Proofpoint and FireEye will keep growing in the overall SaaS space's sub-segment.

There are 4 cyber insurance companies in México: Zurich/XL, Chubb, AIG and GNP. They mainly cover direct damage: loss of income, digital asset replacement and blackmail. They also offer third-party damage coverage: stolen data, civil liability for web content, and security breach and legal expenses.

Cisco Talos
- HQ: Mexico City and Reynosa (factory)
- Net Sales in México ($USD): 7,459.07m (2015)
- Increase in revenue in 2016: 3%
- No. of employees: 130
- Insight: $4 billion worth of expansion in Mexico between 2016 and 2018. It should lead to the creation of 270 jobs and 77 indirect jobs.

Intel Security
- HQ: Mexico City and Jalisco (factory)
- Net Sales in México ($USD): 24.99m (2017)
- Increase in revenue in 2016: N/A
- No. of employees: 350
- Insight: In 2017, Intel sold a majority stake in McAfee to free the company to spend more time on core areas while still retaining a foothold in the cybersecurity world.

Microsoft
- HQ: Mexico City and one Innovation center in Nuevo Leon
- Net Sales in México ($USD): 211.56m (2013)
- Increase in revenue in 2016: N/A
- No. of employees: 505
- Insight: In 2017, they acquired Hexadite, a technology provider to automate responses to cyber attacks, and the company initiated a facility to fight against cyber crime in Latin America with a new Cybersecurity center in Mexico.

IBM
- HQ: Mexico City, Monterrey and Guadalajara Campus
- Net Sales in México ($USD): 549.9m (2013)
- Increase in revenue in 2016: -14.5%
- No. of employees: 4,500
- Insight: In 2017, IBM is changing its core products to cloud computing, cybersecurity and data analysis to mitigate the decrease in sales of hardware and software.

TECHNICAL


GOVERNMENTAL STRATEGY (1/2)

The growth and complexity of cyberattacks in recent years have forced governments and organizations to be more proactive on cybersecurity and to commit to it as a key element of their security processes for the digital transformation.

Source: KPMG analysis with information from OAS, Wilson Center and Mexican government and BBVA.

National Security Program 2014-2018 (Programa para la Seguridad Nacional 2014 - 2018)

- Initiated in the 2013-2018 Plan for Development (Plan Nacional de Desarrollo 2013-2018) by current president Enrique Peña Nieto.
- The Specialized Information Security Committee was created with the purpose of drafting the National Strategy for Information Security.
- The program focuses on protecting and promoting national interests. Main promises were:
  - Promoting actions to prevent and combat cyber-attacks,
  - Strengthening mechanisms for preventing incidents in the Federal executive sites,
  - Maintaining compliance and development of procedures to evaluate and strengthen the performance of the response teams to incidents,
  - Improving human capital skills and technological infrastructure to address cyber security incidents,
  - Establishing international cooperation on cyber security and cyber defense, in particular with North American countries, to prevent and address attacks on the computer systems of the country.

The Financial Technology Law (Ley Fintech)

- The Fintech sector was not prepared to receive attacks, so a new regulation was necessary. Most Fintech companies manage private data from their clients, such as names, addresses, mobile phones, signatures and accounts, which makes them a perfect target.

- The new law, released in October 2017, aims to regulate crowdfunding and tech-enabled payment platforms. It should help banks reduce their operating costs, but above all crowdfunders and startups will be mandated to report the credit information of their clients. The purpose is to give banks and clients more transparency, formality and information in order to put an end to money laundering and banking fraud.

ORGANIZATIONAL


GOVERNMENTAL STRATEGY (2/2)

The National Cybersecurity Strategy is a first framework document, built to evolve in response to technological evolution and social dynamics in the short, medium and long term.

Source: KPMG analysis with information from OAS, and Mexican government.

National Cybersecurity Strategy (Estrategia Nacional de Ciberseguridad, ENCS) until 2030

- The ENCS, published in November 2017, is a cross-cutting strategy articulated around the 2013-2018 Plan for Development, the Close and Modern Government Program (Programa Gobierno Cercano y Moderno 2013-2018), the National Public Security Program (Programa Nacional de Seguridad Pública 2014-2018) and the National Security Program (Programa para la Seguridad Nacional 2014-2018).
- Its purpose is to strengthen international cooperation, the economy, society, government and national security. The document is aimed at civil society, universities, the private sector and public institutions.
- The Mexican government will have the support of the Inter-American Committee against Terrorism (CICTE) of the OAS.
- Several recommendations were made for the strategy, among them: state the high-level objectives, be supported at the highest level of government, establish a clear institutional framework, include the application of federal and state legislation on cybercrime, and promote cybersecurity education.
- To reach its main goal, the ENCS considers 5 strategic goals, whose development requires 8 cross axes based on the 3 main principles.

Cross axes

• Cybersecurity culture
• Capacity development
• Coordination and collaboration
• Research and development in ICT
• Standard and technical criteria
• Legal framework and self regulation
• Monitoring and measuring

3 main principles

• Human rights expectation
• Risk management focus
• Multidisciplinary collaboration and several players

Cybersecurity subcommittee regulator tasks:

• Approve and make public the Strategy
• Follow up and coordinate the implementation
• Spur the inter-institutional cooperation framework
• Promote the civil society, private sector, technical community and university cooperation

5 strategic goals

• Economy and innovation
• Society rights
• Public security
• Public institution
• National security

ORGANIZATIONAL


CYBERSECURITY INFRASTRUCTURE IN MEXICO (1/3)

AT&T made an important move into Mexico in 2015, buying Iusacell and Nextel. It is building an LTE-M network in Mexico, to be ready at the end of the year, which is expected to reinforce the infrastructure and increase connectivity options.

Source: KPMG analysis with information from INEGI, IFT, Euromonitor and BMI

Mexico's geography makes it difficult to roll out infrastructure and provide investment to rural areas; however, growth is maintained in the country with the investment in network expansion led by AT&T.

The mobile market is expected to end 2021 with 109mn subscribers, with a 9.5% CAGR, with data services (3/4G subscribers) as the driver.

In 2014, in Mexico there was a direct relationship between ICT adoption and economic unit size (number of employees). Micro companies were 97.6%, small 2% and medium 0.4%, but the lack of policy in small companies could lead to security incidents.

[Figure: Telecommunication mobile landscape in Mexico from 2015 to 2021, thousand subscribers (3G & 4G phone subscribers; f = forecast). 2015: 63,600; 2016: 74,730; 2017f: 83,847; 2018f: 92,986; 2019f: 99,774; 2020f: 105,062; 2021f: 109,895. Growth: +9.5%.]

[Figure: Yearly growth rate of non-residential fixed broadband connection by technologies in 2015, growth percentage. Categories: Modem (coaxial), Fiber optic, DSL (copper). Values shown: 106%, -3%, 52%.]

[Figure: Computer and internet adoption by economic unit (EU) size in 2014. Size classes: 10 employees (E), 11 to 50 (E), 51 to 250 (E), 251 or more (E). Series: Computer, Internet. Values shown per size class: 20%, 86%, 94%, 96% and 16%, 81%, 92%, 94%.]

ORGANIZATIONAL


CYBERSECURITY INFRASTRUCTURE IN MEXICO (2/3)

With the prospect of a number of uncertainties with regard to the US market and its future policies, México could see opportunities for the creation of a regional hub to offer outsourcing services, datacenters, and cloud computing.

Source: KPMG analysis with information from INEGI, Euromonitor and BMI

Computer manufacturers are expected to show a 3% CAGR from 2016 to 2021 due to retail cannibalisation of tablets and low-end notebooks. However, server sales should increase at 6.87% in the same period, driven by cloud applications. In general, a positive outlook is expected from 2017 to 2021, supported by the increase in middle class income and a positive demographic development of the population aged 15-64, forecast to increase at a CAGR of 1.4% from 2018 to 2021.

According to the 2020 forecast, growth for the industry will come from a boost in cloud computing, with the main inhibitor being the relatively high broadband charges. However, an exit of the US from NAFTA would be a massive blow to the Mexican electronics industry.

Other inhibitors to continued growth include logistical challenges (for distribution of physical computer components, tablets, smartphones), informal retail and economy and security issues.

[Figures: Total computer manufactured in Mexico from 2009 to 2021 and Total electronic component manufactured in Mexico from 2009 to 2021, billion pesos, with forecast years. Series: Computer exportation; Computer manufacturing for national consumption or storage; Electronic component exportation; Electronic component manufacturing for national consumption or storage. Yearly values shown, 2009 to 2021: $13.61, $15.24, $13.65, $13.39, $15.29, $21.92, $24.07, $24.81, $25.56, $26.34, $27.14, $27.97, $28.82 and $5.47, $6.83, $6.55, $7.22, $7.49, $8.09, $9.58, $9.87, $10.18, $10.48, $10.80, $11.13, $11.47. Growth rates shown: +9.8%, +10.0%, +3.0%, +3.0%.]

ORGANIZATIONAL


CYBERSECURITY INFRASTRUCTURE IN MEXICO (3/3)

Driven by the private sector as well as public sector initiatives such as Prosoft 3.0 (1) implemented in 2014, the ICT market is to reach $USD 58bn in 2024.

Total software sales in México from 2015 to 2021, billion pesos (f = forecast): 2015: $61.16; 2016: $67.42; 2017f: $72.49; 2018f: $78.32; 2019f: $85.82; 2020f: $94.75; 2021f: $104.79. Growth: +9.4%.

Total services sales in México from 2015 to 2021, billion pesos (f = forecast): 2015: $98.34; 2016: $104.38; 2017f: $111.82; 2018f: $119.69; 2019f: $129.45; 2020f: $143.56; 2021f: $158.78. Growth: +8.3%.

Note: (1) PROSOFT seeks to support IT companies in growing their competitiveness at national and international level and in sustaining their growth toward long-term objectives.
Source: KPMG analysis with information from Euromonitor and BMI

Mexican enterprises will see strong growth in data analytics and cybersecurity. Manufacturers are looking to offset losses in hardware by increasing demand in software and services. From 2015 to 2021 the CAGR for the software industry is estimated at 9.4%.

Increasing dependence on information in the public and private sectors will generate demand for integration and consulting. In addition, cloud computing and IoT will drive faster growth.

ORGANIZATIONAL


CYBERSECURITY TRAINING IN MEXICO

There is currently a lack of around 157,934 trained professionals to fill employment positions associated with information technologies, specifically related to cybersecurity networks and operations; a number that should be slightly reduced by 2019, although there could still be 148,052 unfilled job positions.

Source: KPMG analysis with information from IDC, CISCO, 2017 and Global Information Security Workforce Study (GISWS)

The main reasons for the worker shortage are expressed as follows: 35% say that qualified personnel are difficult to find, 45% say that correct requirements are not understood by leadership, 46% say that business conditions couldn't support additional personnel, in 21% of cases security workers were difficult to retain and in 39% of cases there was no clear information for a cyber security career path.

The main cybersecurity job position required in Latin America is the “Incident & Threat Management & Forensics specialist” with 63% of the votes.

In Latin America the training cost often falls on the employee, representing 44% of the total cost, whereas in North America it's only around 22%.

Education and training in 2017 (columns: Educational entity; Career/ Major)
Educational entities listed: Instituto Politécnico Nacional; Universidad La Salle; Universidad Autónoma de Nuevo León; UNITEC; UNAM; Escuela de Inteligencia para la Seguridad Nacional del Centro de Investigación y Seguridad Nacional (ESISEN); Universidad Internacional de la Rioja (UNIR); Universidad Internacional de Valencia; Instituto Tecnológico y de Estudios Superiores de Occidente.
Careers/ majors listed: Maestría en Ingeniería en Seguridad y Tecnologías de la Información; Licenciatura en Seguridad en Tecnologías de Información; Maestría en seguridad de tecnología de información; Diplomado en Ciberseguridad; Various; Maestría en Seguridad Informática (Online); Maestría en Seguridad Informática (Online); Ingeniería en seguridad informática y redes; Maestría en Ciberseguridad.

Most relevant cybersecurity certifications in Mexico (Institution: Certification)
ISACA: CISA, CISM, CRISC
(ISC)²: CISSP
CompTIA: CompTIA A+, Security+
CompTIA: Network+
SANS: GIAC, GPEN, GWAPT
EC-Council: CEH, CHFI
CISCO: CCSP, CCNP, CCIP, CCDP
RSA: Various
Certification groups shown: Security General Knowledge; Specialist; Product / Brand

CAPACITY BUILDING


SECURITY CERTIFICATION IN MEXICO

In 2016, two main factors were motivating companies to seek certification: compliance with contractual requirements and generating a positive image and opinion. Information technology companies were the ones mainly looking for certification.

[Figure: Registered certifications in Mexico from 2006 to 2016, amount. Series: ISO 27001, ISO 20000, ISO 22301. 2006: 9; 2007: 13; 2008: 31; 2009: 49; 2010: 56; 2011: 70; 2012: 75; 2013: 80; 2014: 96; 2015: 134; 2016: 327. Growth: +43.2%. Other values shown: 94, 104, 221, 2, 28, 8, 98.]

[Figure: Global ISO 27001 certification share in 2016, percentage. Categories: Information technologies; Transport, storage and communication; Other Services; Electrical and optical equipment; Financial intermediation, real estate, renting. Values shown: 73.3%, 16.0%, 4.5%, 3.5%, 2.8%.]

Source: KPMG analysis with information from ISACA, ISO and experts

ISO 27001 (NMX-I-27001-NYCE-2015 is the equivalent Mexican norm) is an international standard, with worldwide recognition, which lays down the requirements for the establishment of an information security management system. It applies to any type of organization; however, its implementation and certification are optional. Cost can vary from $200,000 pesos to 1 million.

ISO 20000 is the first worldwide standard specifically created for IT Service Management (ITSM), establishing metrics to manage the services supported by Information Technologies. NMX-I-20000-1-NYCE-2012 is the equivalent Mexican norm.

ISO 22301 determines potential threats to an organization, impacts that could affect the operations of the business and provides a framework for building the capacity of organizational reaction in an efficient manner in case of eventualities. NMX-I-22301-NYCE-2015 is the equivalent Mexican norm.

For the main certification the CAGR was 43.2%. Other certifications are available for companies in México: PCI-DSS is a data security standard for the credit card industry, and PROY-NMX-I-27032-NYCE-2017 is a guideline for cybersecurity. In addition to these standards, Sarbanes-Oxley Act legislation needs to be satisfied by national companies that would like to invest in the US stock market.

Main professional certification fees (ISACA, CISSP) in Mexico are approximately $USD 500 to $USD 650, with a renewal cost.

CAPACITY BUILDING


MEXICAN CYBERSECURITY SUMMARY


CYBERSECURITY OVERVIEW

Mexico currently has several improvements to make in terms of dedicated institutional structures such as a specialized public sector agency certified under internationally recognized standards. Capacity building could also be improved.

Note: (1) Inter-American Committee against Terrorism. (2) CNI: Critical National Infrastructure. (3) There is no specific legislation on cybersecurity, but it is included in the FCC.
Source: KPMG analysis with information from Cybersecurity-Are-We-Prepared-in-Latin-America-and-Caribbean.

Regulatory and other experience:

• 1931 (3) - Federal Criminal Code (FCC) contains chapters regarding theft, fraud, forgery, offences related to minors and disclosure of secrets, as well as, in a later publication, offences against computers and systems and infringement of copyrights.

• 1990 – Law of Credit Institutions in relation with misuse of payment systems, illegal electronic transfer of funds, interception of private communications.

• 2010 – Creation of Mexico’s Computer Emergency Response Team - CERT-MX, in charge of citizen complaints and incidents which could affect other countries.

• 2010 – Federal Law on Protection of Personal Data.

• 2014 – Conference for an accession to the Budapest Convention on Cybercrime and Mexico hosted a workshop on in Latin America.

• 2014 - Telecommunications law (stipulates different data retention practices and provisions)

• 2014 - National Security Program to: strengthen international cooperation; identify, prevent and contain risks and threats to national security; improve human capital skills and technological infrastructure to address cyber security incidents.

• 2017 – First forum “Fortaleciendo la Ciberseguridad para la Estabilidad del Sistema Financiero Mexicano” for bank cybersecurity.

General control framework (not mandatory): Cybersecurity framework based upon ISO 27001, ITIL and Cobit.

Achievement: The Specialized Information Security Committee, in charge of the National Strategy for Information Security, was created in 2012. Mexico has specific legislation on child protection: the Law for the Protection of Children and Adolescents. Sinaloa was the first state to regulate and punish cybercrime in the Mexican Republic.

Industry collaboration: CERT-MX established communication and cooperation directly with private institutions. The Direction General of Digital Economy of the Ministry of Economy is also part of APEC's Electronic Commerce Steering Group. The Federal Telecommunications Commission (Comisión Federal de Telecomunicaciones, Cofetel) is part of APEC's Telecommunications and Information Working Group (APECTEL).

Training / certification: several certifications are available through the private sector. Specialized training is available from the Police Development System of Mexico (SIDEPOL) and UNAM-CERT.

Agencies: The military department is involved in national cybersecurity. CERT-MX is involved in CNI (2) protection.

The Federal Police is responsible for investigating cybercrimes through its Cyber Police Unit. Other private entities that respond are UNAM-CERT and Scitum-CSIR.

Incident Reporting: Information sharing

International cooperation: Mexico is a member of APEC, CICTE and OAS. CERT-MX is a key component of the global Forum for Incident Response and Security Teams (FIRST). Participation with other teams: Mnemo-CERT. Mexico stayed as an observer in the Budapest Convention.


SUMMARY: SURVEY AND INTERVIEWS

Cyberattacks are still a sensitive topic inside organizations. All professionals interviewed identify ways to reinforce Mexican cybersecurity and almost all of them see opportunities to improve cybersecurity for SMEs.

Note: (1) Specialized company refers to company working only on cybersecurity matters.

24 specialists from 22 entities were interviewed; 7 interviewees from top management and the rest as technical experts.

Sector selection was done in relation to the number of attacks. Some additional specialized companies (local and transnational) were chosen because of their technology and services knowledge. In addition, interviews were conducted with experts, universities and public institutions.

All the experts and directors were working in Mexico DF due to the concentration of company headquarters.

Most of the candidates asked to stay anonymous because of the confidentiality policies.

Company names which can be revealed are: IPN, La Salle, Kolibërs, KPMG, Axtel, CNBV and Banorte.

Following the interviews, we made an analysis and extracted some guidelines in every chapter of the SWOT.

[Figures: Company survey share and Industry survey share, percentage of sector. Categories shown: Independent consultant, Bank, Energy, Retail, Telecommunication, Specialized company (1), Public / Government, Academy, Industry, Internal. Values shown: 44.4%, 36.0%, 20.0%, 16.0%, 12.0%, 8.0%, 8.0%, 22.2%, 22.2%, 11.1%.]


SWOT ANALYSIS OF CYBERSECURITY IN MEXICO

There is currently a lack of around 157,934 trained professionals to fill employment positions associated with information technologies, specifically related to cybersecurity networks and operations; a number that should be slightly reduced by 2019, although there could still be 148,052 unfilled job positions.

Strengths / Maintain

L - Current regulation covers the relevant cybersecurity axes, a good starting point for further regulatory development.
L - Well established child online protection regulation.
T - National, Governmental and sectorial CERTs/CRITs/CSIRTs.
T - Cybersecurity professional standards and requirements are clearly established.
T - A Cybersecurity Council is currently being established.
O - Recent publication of a new cybersecurity strategy (Estrategia Nacional de Ciberseguridad 2017).
O - Strategic standardization initiatives across different states.
C - Training courses available both face-to-face and on-line (university programs etc).
I - Cybersecurity has already been identified as an area of focus and dedicated forums are beginning to take place.
I - The development of a Cybersecurity Council in progress.

Weaknesses / Solve

L - The law is not applied and crimes are not penalized.
L - Laws have many key elements that are optional, not mandatory.
L - Development and modification of laws take long periods of time.
T - Use of outdated IT products & services.
T - Lack of advanced cybersecurity technology.
T - Lack of defined national cybersecurity standards (data protection etc).
T - Low speed of innovation for new technologies compared to cyberattack sophistication.
T - Long attack detection time.
O - There is no one responsible for following up on cybersecurity incidents.
O - Lack of a specialized authority to define and lead on cyber issues.
C - Scarcity of cybersecurity specialists.
C - Weak career offering for cyber specialization.
C - Getting a certificate in cybersecurity takes a long time.
C - Mexican society is largely unaware of cybersecurity issues.
C - Few cybersecurity research centers.
C - General staff within companies is poorly trained in cyber issues.
C - Lack of budget to invest in cyber.
I - Incidents are mostly not reported.
I - Low levels of coordination between government, private sector and academia.

Opportunities / Take advantage

L - Active environment for setting new regulations.
L - Cybersecurity standards required for trade transactions with some countries.
T - International progress in technology products and services.
T - Clear market with space for new participants.
T - Fast technology evolution and increased requirements by clients.
T - The country is experiencing an increase in e-commerce penetration making cyber products/services more relevant.
T - Cybersecurity insurance trends.
O - Open environment derived from the recent publication of the National Cybersecurity Strategy (Estrategia Nacional de Ciberseguridad 2017).
C - Mexican audience susceptible to awareness campaigns.
C - Research investment globally that could foster alliances.
C - Mexico is a country that attracts foreign investment (a total of US$30bn annually).
I - Global trends of participation in international cooperation forums.
I - Public and private sector alliances.

Threats / Protect

L - International attacks that cannot be penalized by the Mexican law.
L - Industries generating historic personal data.
T - Increased dependence on technology.
T - Availability of cybercrime as a service.
T - Digital transformation boom across all industry and customer lifecycles.
T - High cost protection / weakest link.
T - Incremental trends of made to order cybercrime.
T - Cybercrime increasingly becoming more complex.
O - International attacks more frequent.
O - Recently published strategy developed at a high level thus subject to interpretations.
C - A lot of SMEs that still cannot afford cybersecurity protection tools.
C - Political cyber attacks.
C - Organized and budgeted cybercrime.
I - Mexico is identified as a US entry platform.


STRENGTHS- MAINTAIN

Legal | Technical | Organizational | Capacity Building | Cooperation

Penalties / fines / prison. Building a scheme of applicable penalties in accordance with other countries Mexico has a treaty with.

Creating a dedicated unit of cybersecurity-police to focus on the industry related crimes.

Implement more robust Security Operations Center (SOC) services in order to improve incident response time.

Using PROSOFT 3.0 as a cybersecurity platform to reinforce the different IT clusters.

Promoting National Cybersecurity Strategy across different industries, including key milestones for expected success.

Increase specific cybersecurity degree offering as well as legal degrees with minor in cybersecurity.

Universities offering students the possibility to strengthen their IT degrees with a minor in cybersecurity.

Making certifications more affordable and closely aligned with Mexico’s needs.

Development of low-cost open software within universities.

Mexico should adhere to international cooperation agreements.

Including cybersecurity topics within INADEM’s meeting agenda to strengthen the cybersecurity business vision of the participants.


WEAKNESSES- SOLVE

Legal | Technical | Organizational | Capacity Building | Cooperation

Create an institution responsible for supporting the judges involved in cyber trials in order to support their knowledge and understanding of the industry and facilitate decision making.

Definition of stricter controls for segments of the regulation that are currently not obligatory (i.e. follow ups on vulnerability/stress-testing).

Establishing sponsors or advocates on behalf of the private sector to align information and interests ahead of meeting with regulators.

Identify emerging technologies and tendencies in order to accelerate the regulatory changes required in the future.

Regulation is needed related to infrastructure as well as software & apps.

Software companies without sufficient controls, security measures and mandatory compliance rules required.

Development of cybersecurity tools for mobile devices, detection and monitoring of threats and response mechanisms.

Need to create services that integrate various measures, ensuring an end to end solution as opposed to a short term incident fix.

Application of advanced tools such as Artificial Intelligence in order to better understand the security threats.

Increased regulation or incentives in order for mobile carriers to improve their areas of activity and responsibility in reducing threats.

Increasing awareness on behalf of the companies in order to improve their often obsolete infrastructure (critical as well) and upgrade to a better protected one.

Understanding that sharing information is an imperative step to achieve better response speed.

Generating appropriate policies and controls to achieve an alignment with ISO 27001.

Business strategy should integrate software, new generation firewall, trained personnel and a designated security team led by a CISO.

Establishment of a cybersecurity team aligned with core business decisions and supported by C-level executives. This team should be independent from the systems department to ensure a universal reach instead of an isolated effort. This recommendation does not depend on business size; it also applies to SMEs.

Curriculum study focused on problem solving, not on specific products. Integral training with business vision and technical capacity.

Bachelor’s and master’s degrees much more focused on the industry. Efforts with industry leaders to establish programs that bring talent to companies and encourage research.

Include a strong cybersecurity component in the curriculum of all technology careers, mainly for developers.

Master’s degree offerings connected with the business need and development of the industry.

Allocate more resources (public and private initiative) to research. Join efforts for the development of research centers.

Provide training to all employees on the risks and mitigating actions for cybersecurity.

Joint regulations that allow countries to comply, cooperate and monitor crimes.

Establish a coaching system by those who are more advanced in cybersecurity and learn from their experiences.


OPPORTUNITIES – TAKE ADVANTAGE

Legal | Technical | Organizational | Capacity Building | Cooperation

Provide more detail on the national strategy with specific regulations applicable to Mexico.

Analyze main commercial partners in order to prioritize laws and agreements with those countries first.

Development of biometric data technology to increase security and access measures.

Initiatives to support public and private projects in the relevant/related manufacturing space, boosting the in-house technology development.

Develop a “settling-in team” with both technical and language knowledge in order to fully benefit from international cybersecurity solutions.

Developing consulting services to support the tools, as tools on their own don’t offer sufficient protection.

Offering cybersecurity insurance policies.

Encourage companies to build a business cybersecurity strategy regardless of their industry and current cyber risks.

Internal SWOT analysis to identify main risks, weaknesses and threats, in order to define their investment budget protecting their key assets/capabilities.

Strategy evolution towards prevention, detection and reaction.

Business strategy alignment with digital transformation trends, considering risk mitigation plans for the main technologies such as IoT and Cloud Services.

Awareness course(s) in all university degrees about cybersecurity impact and relevance of attacks.

Improved awareness courses for companies and individuals.

Increase the investment in communication to show the importance of investment in cybersecurity.

Forums and events for C-Level executives in order to raise their awareness about cybersecurity.

There is an opportunity to exchange specialized knowledge with other countries.

Partnerships between the public and private sectors.

Efforts with other LATAM countries.

Opportunity to work with Brazil or to establish itself as a leader in Latin America.

Partnerships between universities in other countries to share information / learnings / career prospects.

Public and private initiatives via joint events and forums.


THREATS- PROTECT

Legal | Technical | Organizational | Capacity Building | Cooperation

Data protection regulation needs to be strengthened, especially for industries generating historic personal data.

Definition of regulatory requirements per sector, focusing on the most impacted ones but also the ones that will experience an increasing number of attacks in the future.

Developing international norms and agreements that will allow prosecuting cyber-crimes in Mexico that originate from another country / geography.

Harmonizing federal and state laws, guaranteeing the protection of personal data and encouraging the exchange of information.

Development of cost effective SaaS for SMEs as most commercial solutions remain costly.

Development of intellectual property rights and replicable frameworks.

Ensure new generation products and services include the disruption by the cyberattacks and thereby include improved solutions to confront these.

Third party contracts should include clauses covering security breaches, related penalties and minimum requirements.

Support the development of the cyber industry and infrastructure in Mexico in order to not share local information out of the country just because the solutions are being developed outside.

Data and analytics as inputs for cybersecurity tools in order to prevent sophisticated attacks.

Cyber exercises with red, blue and purple teams to improve their Incident Response Training.

SME strategy development covering at least the minimum security requirements for their largest clients/key data.

Develop and offer security awareness programs.

Automation trend of the security management processes within companies. Frameworks needed to generate automatic responses for the identified threats.

Run attack simulations / phishing tests / ethical hacking.

IT defined procedures within the companies to protect their cybersecurity integrity by penalizing errors.

Events and forums looking to bring closer those sectors that have not yet been a priority for cybercrime.

Reports creation by the industry itself to share among the participants in a mandatory manner and generate knowledge and alliances to deal with organized crime.

Collaboration, sharing information between companies, nationally and internationally.

Government support to SMEs in terms of financial support and knowledge assessment.


CONCLUSIONS

Increased digitalization and connectivity of the current environment makes cybersecurity a key industry in terms of relevance and growth opportunities. This trend is at the same time contributing to a rise in cyber-attacks, and improved user and company protection is required. Mexico is, however, facing a perceived lack of awareness and incentives to invest in cybersecurity.

Note: (1) ENCS: Estrategia Nacional de Ciberseguridad, (2) data from interviews.

Source: KPMG analysis with information from ITU, BMI, OECD and experts

Drivers

Increased targeting of enterprises and government agencies by cyber-attackers.

Increased state involvement in cybersecurity policies through compliance and regulatory requirement directives.

Regional expansion of smart cities and digital infrastructure projects.

Inhibitors

SMEs lack incentive to invest while cyber-attacks focus mainly on large businesses. High cost of cybersecurity investment beyond the means of most small and medium-sized businesses.

Wide availability of unsecure pirated software and continued reliance on old, unprotected devices.

Opportunities

Cybersecurity insurance policies could be a new product ensuring companies a minimum awareness of the risk. Boost the in-house technology development.

Awareness course(s) in all university degrees about cybersecurity impact and relevance of attacks.

Provide more detail on the national strategy with specific regulations applicable to Mexico and strengthen laws and agreements with main commercial partners.

Encourage companies to build a business cybersecurity strategy.

More partnerships between the public and private sectors.

Challenges

Shortage of cybersecurity professionals.

Consumers and SMEs will continue to suffer a lack of awareness of the sophistication of cyber threats.

Anything that can be connected can be hacked.

Rising adoption of cloud-based services and applications means that cybersecurity can be bundled in by service providers and not left to end-users.

Proliferation of smart city projects will lead to an accelerated device replacement cycle and may accelerate the regulatory changes required in the future.

Cyber security fraud (2013-2017) CAGR: 70.3%

Investment around 2 or 3% of IT budget in 2017 (2)

Products are available abroad (2)

Established the ENCS (1) and can be updated

2017, Windows 7 users: market share was 43.5%

Only specialized degrees had cybersecurity awareness (2)

Guadalajara Smart Connected City initiative

In 2017, lack of 157,934 trained professionals

Main universities are for now: IPN, UNAM, La Salle

Reliance on hardware more than on awareness

Expected Cloud CAGR from 2015 to 2021: 21.22%

Mexican companies uninformed about cyberattacks (2)

In 2016, 8 million IoTs


APPENDIX


KEY DRIVERS OF TECHNOLOGY TRENDS (GENERAL)

Tech trends are not aligned to a single time frame. To achieve IT success, it is vital to understand the difference between strategic/long term trends, tactical/planning technology and organizational tech enablers.

Source: KPMG analysis with information from Gartner

The 3 levels mentioned above will intrinsically bring benefits, challenges and risks; thus, understanding not only the potential but also the effect of each trend will be crucial to manage connected cities, connected industries and connected people.

[Figure: technology trends grouped under three headings: STRATEGIC, TACTICAL and ORGANIZATIONAL. Trends listed: Disappearing data centers; Interconnect fabrics; Containers, micro services and application streams; Smart Cities; Industry 4.0; Business-driven IT; DCaaS - IT delivers services, not infrastructure; Stranded capacity; Urban operating systems; Remote device (thing) management; Micro- and edge computing environments; New roles in IT.]


MAIN KNOWN CYBERSECURITY ATTACKS IN THE WORLD

In 2017, ¼ of business opportunities and 30% of companies’ revenues were lost due to cyber attacks.

Global financial impact estimate (in USD bn) 2000-2017, est. until 2021

Note: (1) Malware (malicious software) includes spyware, keyloggers, true viruses, worms, Trojan horse, Browser hijacker, Rootkit, Malvertising.

Source: KPMG analysis with information from Symantec volume 22, Cisco annual report 2017, 2014 McAfee and CSIS economic impact cybercrime report and several articles.

1998: X, Solar Sunrise, a systematic cyber attack was launched in the USA which seized control of over 500 government and private computer systems

1999: Virus, Melissa virus, infected Microsoft Word documents and automatically sent itself as an attachment via email to users

2000: DDoS, MafiaBoy, hacked companies with high levels of security, which included the computer giant Dell, Yahoo, Amazon, Ebay, Fifa.com and CNN

2002: Sniffer, wardriving, ShadowCrew, was able to obtain 45 million credit and debit cards information, around 4000 members

2004: Worms, Titan Rain, hackers were able to infiltrate several computer networks including those at NASA; it opened the way for other hackers to infiltrate their systems as they left backdoors on these machines

2006: Trojan, Operation Shady Rat, hit at least 72 organizations worldwide including the International Olympic Committee (IOC), the United Nations, various global defense contractors

2011: Phishing, Epsilon, hackers’ targets were the marketing giant’s email addresses (staff and clients) that were later used for a range of criminal activities

2016: X, Tsar team and Fancy Bear, hacked FBI, CIA and DHS to influence the USA presidential election; they stole the world anti-doping agency’s athletes drug testing information

2017: Ransomware, Backdoor, Spearphishing, malware (1), WannaCry, locked down all the files on an infected computer and asked the computer’s administrator to pay in order to regain control of them

2017: Ransomware, Petya, hit Ukrainian infrastructure particularly hard, disrupting power companies, airports, public transit, and the central bank, just the latest in a series of cyber assaults against the country

Global financial impact estimate by year (USD bn):

2000: $1.2
2001: $40.0
2002: $0.3
2003: $226.0
2004: $56.0
2005: $7.0
2006: $11.1
2007: $24.7
2008: $0.1
2009: $40.6
2010: $2.5
2011: $6.0
2012: $111.3
2013: $2.7
2014: $445.0
2015: $0.7
2016: $815.0
2017: $1,129.8
2018: $1,673.2
2019: $2,100.0
2020: $3,669.8
2021: $6,000.0


CYBERSECURITY INHIBITORS IN MEXICO

In 2017, older, less secure software was still part of the Mexican landscape, leading to an unsecure environment for company and government technology adoption.

Desktop Windows Versions Market Shares in 2017 (Percent)

Probability perception that digital data could be stolen in 2017 (Frequency distribution)

Source: KPMG analysis with information from CANIETI, BMI and CISCO

Consumers and SMEs will continue to suffer from a lack of awareness of the sophistication of cyber threats; in 2017 most of them perceived that digital data had a low or medium probability of being stolen.

The recent WannaCry attack exploited weaknesses in older Windows XP devices and the relatively high penetration rate of XP-powered devices.

Insufficient enterprise investment in anti-virus software for devices such as desktop and laptop computers, as well as more portable devices such as smartphones and tablets, could amplify the effect of a determined cyberattack.

The lack of qualified professionals was an inhibitor for full company and government technology adoption (an estimated 60% gap for missing cybersecurity professionals in 2017 and 64% in 2019, from the 37% IT demand shortage).

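Desktop Windows versions: Win7 43.5%, Win10 38.0%, Win8x 15.2%, WinXP 2.9%, Others 0.4%

[Figure: probability perception chart. Categories: Low probability, Medium probability, High probability, Very high probability. Values shown (not matched to categories here): 10%, 28%, 47%, 15%.]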
