Explosive growth in fintech and AI adoption has made Latin America a prime target for cybercriminals. In response, governments are imposing stricter cybersecurity rules to boost compliance, resilience, and consumer protection.
Key takeaways
- Cyber-attacks are surging across Latin America, hitting banks, healthcare, and critical infrastructure.
- Governments are fighting back with fast-tracked cybersecurity laws.
- Companies should strengthen technical defences and train staff on cybersecurity to stay safe.

Governments across Latin America are tightening regulatory oversight of key sectors amid a surge in cyber-attacks.
In Brazil, the Central Bank (BCB) introduced stricter controls over transactions on Pix – the country’s instant payment system – in September 2025. Financial institutions (FIs) must now register with the BCB between 1 January and 1 May 2026, moving up the previous deadline of 31 December 2026. The change is designed to tighten oversight of who operates within the Pix network following a rise in data breaches linked to instant payments.
Elsewhere, Chile’s new cybersecurity law imposes stricter requirements on fintechs and other FIs starting in July 2026.
Recent high-profile incidents underscore the urgency. In July 2025, cybercriminals targeted Pix infrastructure to steal over US$100 million from a Brazilian bank. In the first half of 2025, Mexico recorded 40.6 billion cyber-attack attempts, while organisations across Latin America face an average of 2,175 cyber-attacks per week.
The region’s escalating cyber risk reflects its unique vulnerabilities: rapid AI adoption combined with limited cybersecurity awareness has made the region more susceptible to attacks. A booming fintech sector also opens the door to more cyber-attacks, attracting criminals seeking to exploit convenient and accessible digital platforms.
Lexology PRO explores Latin America’s regulatory clampdown on cybercrime and highlights best practices for companies to stay cyber safe.
Governments step up
While Latin America’s cybersecurity infrastructure remains underdeveloped, regulators are taking steps to curb digital threats through stricter obligations on companies. Common trends include mandatory risk assessments and registration requirements for FIs.
In November 2024, the BCB capped Pix transactions from unregistered devices to 200 reais (US$38) per transaction or 1,000 reais (US$190) per day and limited the first payment made to a new recipient or from a new device to 200 reais (US$38). The BCB took it further in September 2025, revising the rules for FIs to mandate registration between 1 January and 1 May 2026 to operate within the Pix system.
Chile’s new Fintech Law, effective July 2026, mandates registration with the Comisión para el Mercado Financiero – Chile’s financial regulator – and cybersecurity protocols for all FIs, including incident response plans and annual risk management plans.
It builds on the Cybersecurity Framework Act 2025, which requires companies to carry out regular risk assessments and train staff on cybersecurity. The regulation also carries strict reporting requirements: businesses must report cyber incidents to the National Computer Security Incident Response Team within 3 hours of detecting the incident, with a second report to be filed within 72 hours or within 24 hours if the breach affects critical services. Non-compliance may lead to fines of up to US$1.5 million.
Chile’s new Fintech Law further requires companies to impose stricter customer authentication requirements for financial transactions, which may include multi-step verification processes. This is similar to Peru’s mandatory two-factor authentication rule for all credit card transactions, which was introduced in March 2024 for added protection against digital fraud.
Why is Latin America exposed to cyber risk?
The uptick in regulatory activity across Latin America reflects the region’s exposure to cybercrime.
Latin America is home to a thriving fintech market. As of March 2025, 3,000 fintechs operate across 26 countries in the region – up from just 703 in 2017.
While these platforms may foster financial inclusion amid a slump in the dominance of traditional banking, “they have also introduced systemic vulnerabilities. Some fintechs, prioritising speed-to-market, operate on mobile-first platforms with security frameworks that lag behind those of incumbent institutions, making them prime targets for cybercriminals,” says Fabio Braga, Brazil-based partner at Demarest.
“In Brazil, the Federal Police’s Carbono Oculto operation revealed how groups such as the Primeiro Comando da Capital (PCC) systematically used fintechs to disguise criminal proceeds. Cases like these illustrate how the region’s financial infrastructure can be misused when compliance and oversight do not keep pace with innovation,” Fabyola En Rodrigues, Brazil-based partner at Demarest, tells Lexology PRO.
Companies across Latin America are also increasingly embracing AI to streamline operations, but this carries inherent risks. Cybercriminals can themselves use AI to breach internal systems through deepfakes and AI-generated malware – presenting a challenge for companies that must balance the risks and rewards of using AI.
Low awareness and investment add to Latin America’s cybersecurity challenges. “High mobile penetration, combined with uneven levels of cybersecurity maturity, has significantly increased susceptibility to fraudulent transactions,” Demarest’s Braga tells Lexology PRO.
Best practices for Latin American businesses to protect themselves
The risks cybercrime poses to businesses are far-reaching, from financial loss to reputational damage – proving that cybersecurity is no longer optional.
“Ultimately, resilience in this environment demands more than compliance: it requires a proactive stance where cybersecurity, legal governance, and strategic risk management converge. Companies that treat digital security as a core business function — rather than a technical afterthought — will be best positioned to withstand emerging threats and preserve trust in the financial system,” according to Demarest’s En Rodrigues.
Businesses may consider the following best practices to safeguard against cybercrime.
Carry out a cybersecurity risk assessment
Companies should carry out regular risk assessments to test their existing systems and identify any cybersecurity vulnerabilities or compliance gaps. These are mandatory in some jurisdictions, including Chile and Colombia.
Risk assessments may include conducting table-top exercises with real-world crisis scenarios to determine the likelihood and impact of potential dangers.
Build robust technical defences
Latin America’s cybersecurity infrastructure is underdeveloped in some countries, putting critical sectors – such as banking and healthcare – at risk.
To develop technical defences, businesses may use firewalls and implement multi-factor authentication, among other measures.
AI tools can also be deployed to identify cyber threats in real-time by detecting anomalies, such as unusual login attempts or file access patterns.
“The trend for the coming years in Latin America is the intensification of artificial intelligence use for both attacks and defense, requiring companies to remain at the forefront of security innovation,” says Carol Conway, director at Brazilian financial organisation ABBC.
Deliver targeted staff cybersecurity training
Low levels of cybersecurity awareness among companies and consumers are a challenge in many Latin American jurisdictions. A July 2025 cyber-attack against a bank in Brazil, in which an employee gave their access credentials to the hackers, underscores the importance of training staff to identify and prevent breaches.
Businesses should provide regular, mandatory cybersecurity training on phishing, digital extortion, and safe online conduct.
Develop an incident response plan
In the event of a cyber-attack, companies should have a predetermined incident response plan in place to ensure business continuity and minimise disruption.
This should include protocols surrounding reporting timelines, as these may vary by jurisdiction. For example, the window to report cyber incidents in Chile is tight – giving companies just 3 hours to report after detecting an attack. It is therefore critical for companies to understand their obligations to stay compliant.