A connected environment offers countless benefits, some that we can foresee and imagine, like the possibility of reaching out beyond our physical limitations, and some that are yet to be discovered. Technology presents us with new ways to interact, learn, and work. Nonetheless, the birth of a digital society has also brought many vulnerabilities. Cyber threats are more tangible today than ever, and this risk will continue to increase as the amount of information available in the digital world grows exponentially. Governments are facing the challenge of setting a regulatory framework to minimise risk exposure and offer citizens a high level of cybersecurity and information security.

The last decade has seen the proliferation of cyber incidents and crimes committed through digital media. This new reality has unveiled the need to set up preventive measures and enable mechanisms for reporting, investigation, and prosecution of cyber attacks. The most frequent cyber attacks in Paraguay are unauthorised access to accounts, systems, or data, malware, scanning, brute force attacks, denial of services, system compromise, spam, and scams, among others.

In 2017, the Executive Branch, in collaboration with the private sector, academia, and members of the civil society, drafted a National Plan on Cybersecurity ('the Plan') with the desire to coordinate public policies in this area. Additionally, cybersecurity is regulated by the Criminal Code, E-Commerce Law, Personal Credit Data Protection Law ('the Credit Data Law'), and other specialised legislation applicable to a specific sector (e.g. child protection). Nevertheless, despite the fact that the Plan is in process of being executed, there is no specific cybersecurity law, and Congress has introduced no bills on this subject.

The Ministry of Information and Communication Technologies ('MITIC') is the regulatory agency in charge of revising and updating the Plan, and is responsible for the national computer emergency response team, the Cyber Incident Response Centre ('CERT-PY'). CERT-PY is the coordinating body for cyber incidents affecting the national digital ecosystem. CERT-PY regularly publishes cybersecurity newsletters. In addition, CERT-PY offers several supplementary services, both to the public and private sectors, such as security audits, incident response, and malware analysis services.

Financial entities and their users are frequently exposed to a variety of illicit activities. As recurrent targets of cyber attacks, safeguarding the physical integrity of their customers, employees, and assets is a highly sensitive issue for financial entities. To mitigate these risks, the Central Bank of Paraguay issued a 'Security Manual for Financial Institutions' ('the Manual') in 2021. The Manual requires every financial entity, among other things, to create a monitoring centre, appoint a security department independent of the IT department, implement an emergency plan, and constantly perform risk assessments and elaborate periodic reports.

Until 2021, the private sector had no legal obligation to report any cyber incidents, regardless of their nature. In addition to the Manual, the Credit Data Law, enacted in 2020 and which shall enter into force in October 2022, provides that data controllers shall notify the regulatory agency of any data breach incident. Unfortunately, the Credit Data Law omitted to set a notification process or the minimum requirements for it to be considered valid and sufficient. Therefore, the enforceability of its provisions is tight to the regulation, which is still pending.

Despite the lack of legal obligations, the number incidents reported to CERT-PY by the private sector is increasing yearly. Collaboration between the public and private sectors is key to creating awareness and drawing emphasis on permanent education in new techniques and cyber threats.

Cyber incidents may also be reported in light of criminal claims filed based on the perpetration of activities falling under the category of cybercrime. Both the National Police and the Prosecutor's Office have created specific departments committed to the investigation and prosecution of infringements carried out in the digital sphere. Furthermore, Paraguay has adopted several measures, such as modifying the Criminal Code, to accede to the Budapest Convention on Cybercrime and becoming a party to the same.

In case of an infringement of local regulation, the applicable sanctions would depend on the nature of the infringement. In the absence of broader and more specific regulation, regulatory agencies may order the company/organisation to limit the scope of its activities, pay fines up to $1,785,800 for the infringement of the Central Bank Law and approximately $650,000 for the violation of the Credit Data Law, suspend their activities, or even close down entirely.

Nowadays, companies are beginning to understand that compliance with local regulations is not enough. A company's name, image, and value can be severely affected if the tools to impede or swiftly revert an attack are not timely adopted. Risks associated with cybersecurity flaws translate not only into digital contingencies, but could also cause logistical headaches when they impact the physical world (e.g. service disruption). Assessing cyber risk is key to a company's reputation, particularly now cybersecurity is an environmental, social, and governance issue and stakeholders have their eyes on every company decision that may affect its image and value.

Attacks are inevitable, and minimising their effects depends entirely on the capacity of a company to adopt good practices and adequate policies, besides complying with the legal framework. For this reason, companies of all sizes are aiming to improve their security standards by adopting strategic measures, some of them simple, like minimum password requirements and actually reading privacy policies, and others more sophisticated. It is also in this context that several Paraguayan companies have embarked on the process of obtaining cybersecurity certifications.

Néstor Loizaga Partner
[email protected]
Montserrat Puente Senior Associate
[email protected]
FERRERE, Asunción