In Argentina, cybersecurity issues have increased in recent decades. However, the COVID-19 lockdown generated an exponential surge in cybercrime rates. Many companies adopted telework policies, while the public sector started prioritizing cybersecurity by introducing various regulations, establishing organizations, devising work plans, and suggesting programs. For example, the National Directorate of Cybersecurity developed a document (only available in Spanish here) with cybersecurity recommendations for both employees and employers.

Traditional analog life has undergone a complete transformation with the advent of computer media, which caused the engagement of many users who were previously disconnected from such platforms. Within this new paradigm, cybercriminals took advantage of the situation targeting companies and individuals for malicious purposes.

During the years 2020 and 2021, citizens prioritized healthcare and distancing, and they turned to the use of the internet and information technologies to continue carrying out different activities, including commerce, entertainment, education, and social interaction. Unfortunately, this led to an increase in the number of cybercrimes, such as phishing, malware, and ransomware attacks.

Websites rapidly became inundated with paperwork, registrations, banking transactions, and other services that swiftly transitioned to the virtual realm. However, not all organizations or users were adequately prepared for this migration. The urgency to provide these services, particularly crucial during the prevailing emergency situation, combined with the need to onboard a large portion of the population unaccustomed to digital tools, alongside other contributing factors, set the scene for a significant increase in cyber incidents.

The situation has escalated to the extent that three out of four major companies in Argentina have reported experiencing at least one cyberattack during the pandemic.

After years of downplaying the severity of cyberattacks, banks in Argentina shifted their approach and adopted a more proactive stance on the issue. They started delivering clear and direct messages to customers, emphasizing the risks associated with cyberattacks, offering advice on self-protection measures, and elevating security standards throughout their organizations.

According to a report from the National Computer Incident Response Center (CERT.ar), 55% of the reported incidents were targeted cyberattacks against banks. The most prevalent forms of cyberattacks included phishing attacks, malware attacks, and denial-of-service attacks.

In light of the increase in cyberattacks, banks in Argentina have undertaken various measures to enhance their cybersecurity defenses, which include:

• investing in new security technologies, such as firewalls, intrusion detection systems, and data encryption;
• training employees on cybersecurity best practices;
• implementing security policies and procedures; and
• conducting regular security audits.

These steps have proven effective in mitigating the number of cyberattacks against banks in Argentina. However, they continue to be a prime target for cybercriminals. 

The ongoing challenge of cybersecurity

In Argentina, there is currently no comprehensive legislation in place that universally mandates private companies to adopt cybersecurity policies. Nonetheless, certain companies have faced penalties for failing to inform the National Direction of Personal Data about cyberattacks that have resulted in the compromise of their clients' personal information.

However, following a global trend, Argentina has witnessed the enactment of numerous cybersecurity regulations in recent years, primarily focusing on specific sectors such as personal data protection, financial institutions, internet service providers, and the public sector.

At the federal level, there are regulations in place that mandate the National Public Sector to adhere to a minimum standard of cybersecurity measures. Subsequently, various ministries have issued distinct regulations that outline specific cybersecurity protocols to be implemented.

Regarding data protection, there are specific regulations, such as the Argentine Personal Data Protection Act 25.326, that require data controllers to ensure the security and confidentiality of personal data, preventing its alteration, loss, consultation, or unauthorized access. These regulations also govern the implementation of security measures for the processing and storage of personal data in digital formats.

While not all standards are legally mandated, national authorities have imposed sanctions on companies for failing to comply with computer security measures. These measures include cooperating with incident reporting and notifying authorities in cases where personal data is compromised. Consequently, it is highly advisable and practically mandatory for companies to adhere to the recommendations outlined by the Data Protection Agency and the Access to Public Information Agency. These recommendations focus on implementing security measures to prevent cyberattacks and proving guidance on the necessary steps to take in the event of a cyberattack that impacts the personal data of third parties personal data.

However, legislation, such as Act 26.529, on health records requires those responsible for data to undertake suitable measures to ensure the integrity, authenticity, immutability, and durability of stored data. Nevertheless, it is not specifically stated how stringent the systems should be or what measures should be taken to comply with its provisions.

The Central Bank of Argentina regulates cybersecurity standards for financial institutions and IT service providers associated with the financial sector. These regulations encompass the implementation of a cyber incident response manual and the mandatory reporting of such incidents to the Central Bank. Notably, the Central Bank's regulations hold significant weight and are binding for all companies falling within its jurisdiction.

The Insurance Supervisory Authority (SSN) has established regulations and approved the utilization of Cyber Risk Insurance. This type of insurance holds great value as it covers a significant portion of the expenses incurred due to cyberattacks, which can result in severe economic consequences. In some cases, its acquisition may even be mandatory as part of contractual agreements. However, its relatively high cost and stringent requirements have limited its popularity, despite its evident benefits. Generally, this insurance coverage encompasses the following areas:

• own damage: including the recovery of digital information, coverage for business interruption, protection against cyber extortion, and related damages;
• damage to third parties: liability coverage for the insured in cases of disclosing confidential information, responsibility for spreading malicious or computer viruses, etc; and
• crisis management: covering defense and forensic expenses, among others.

The Criminal Code

Argentina has had legislation in place since 2008 to address and penalize cybercrimes and illicit activities facilitated by digital means.

The normative change in Argentina, similar to numerous other countries, was primarily influenced by the Budapest Convention. This convention was the first international treaty focused on cybercrime, encompassing the use of emerging information and communication technologies and the gathering of digital evidence. It encompasses criminal law, criminal procedure law, and international cooperation.

As a result of the reform, the Criminal Code (only available in Spanish here) establishes certain crimes committed by technological means. These crimes include:

• child pornography by the internet or other electronic media;
• grooming;
• violation of electronic communication - access, seizure, suppression, or diversion;
• interception or capture of electronic communications or telecommunications;
• access to a system;
• publication of electronic communication;
• revelation of secrets;
• access to a personal data bank;
• disclosure of information recorded in a personal data bank;
• inserting false data into a personal data file;
• computer fraud;
• computer damage or sabotage; and
• interruption of communications of any nature public or private

In addition, the Contravention Code of the Autonomous City of Buenos Aires (only available in Spanish here) includes provisions for offenses committed through computer means, such as digital harassment, unauthorized dissemination of intimate images or recordings, and digital impersonation.

Cybercrime trends and incident analysis

During the pandemic, Horacio Azzolin, Head of the Specialized Cybercrime Prosecutor's Office (UFECI), reported a concerning rise of 50% during the isolation period. However, in 2022, reports of cybercrime decreased.

Between January 1 and December 31, 2021, the CERT.ar recorded a staggering increase of 261.50% in the number of incidents compared to 2020. The full report is only available in Spanish here.

It is important to note that many cybercrimes go unreported, and the UFECI is not the only entity that receives complaints. Within the federal and Buenos Aires city jurisdictions, individuals can file complaints may be made to the following entities, among police departments:

• Specialized Prosecutor Unit for Computer Crimes and Contraventions of the Public Prosecutor's Office of the Autonomous City of Buenos Aires;
• National Direction for Personal Data Protection;
• Technological Crimes Division of the Argentine Federal Police;
• Cybercrime Area - Metropolitan Police; and
• Cybersecurity Center Portal.

According to the report compiled by the agency, incidents are classified based on the sectors involved. The Federal State sector experienced the higher number of reported incidents, accounting to 39.70% of the total recorded. The finance sector ranked second, with 36.15% of reported incidents, while other sectors category occupied the third position, representing 21.11% of the incidents. The health sector followed closely in fourth place with 12 reported incidents, trailed by the Information and Communications Technologies sector.

UFECI categorizes cyber incidents based on their type. The report reveals that the most common type of incident was phishing, accounting for 55.24% of all reported cases. Unauthorized modification of information ranked second with 15.20% of the incidents, followed by spam in third place with 9.23%.

During the period from January 1 to December 31, 2022, CERT.ar registered a notable decrease of 43.3% in reported cases compared to 2021. The full report is only available in Spanish here.

In 2022, the Finance sector experienced the highest number of cyber incidents accounting for 55.2% of the total recorded incidents. The Federal State sector followed in second place with 21.2%, while Noncritical Sectors ranked third with 9.8%. The Health sector occupied the fourth position, followed by Transport, Information and Communications Technologies (ICT), and Food and Energy sector, which ranked seventh and last.

Regarding the type of cyber incident, phishing was the most recorded, with 72.23% of the total reported. Unauthorized modification of information ranked second, with 17.61% of the reported incidents and spam held the third position with 4.18% of the total incidents.

Cybercrime reporting, investigation, and academic initiatives

At present, there are several agencies where cybercrimes can be reported. These agencies operate at the national, provincial, and Autonomous City of Buenos Aires levels, encompassing specialized prosecutors' offices or units dedicated to investigating, prosecuting, and holding accountable those individuals responsible for such crimes.

Despite the growing importance of cybersecurity, a significant number of cyber incidents go unreported due to perceived limitations in the responsiveness of the criminal justice system. In many instances, cases are initiated but can be long and tedious, often resulting in the victim being summoned to testify, only to have the case eventually dismissed due to insufficient evidence.

Apart from the entities and other specialized agencies operating across the country that actively assist in the prevention, detection, prosecution, and sentencing of those responsible, criminal justice faces significant challenges in effectively resolving cybercrime cases. These difficulties arise due to a lack of specialized knowledge, inadequate training, insufficient access to forensic tools, or a lack of effective criminal procedures.

Investigation guides have been developed at the national and provincial levels in order to prepare public officials for the investigation of cybercrimes and to take account of the specific nature of offenses. These guides cover a range of topics from more general themes regarding digital evidence to more specific crimes related to the cyberenvironment.

At the national level, the Protocol for the Identification, Collection, Preservation, Processing, and Presentation of Digital Evidence (only available in Spanish here) has recently been approved. Additionally, the Public Prosecutor's Office of the Province of Buenos Aires has provided its investigators with web access to the interactive guides of Digital Investigation (only available in Spanish here). Furthermore, the Province of Rio Negro has developed a General Protocol for the Action of the Public Prosecutor's Office in Cases of Cybercrimes (only available in Spanish here).

On the other hand, at the federal level, various documents have been prepared with recommendations for different situations such as telework, avoiding spam, developing policies to support information and specific guidelines for hospitals and health entities. These documents are only available in Spanish here.

The academic community in Argentine has also been working on cybersecurity challenges. Universities offer courses, programs, and specializations in cybersecurity. In recent years, new research projects and initiatives have emerged. One notable example is the Observatory on Cybercrime and Digital Evidence in Criminal Investigations (OCEDIC) developed by experts at Austral University. OCEDIC serves as a meeting place for the academic community. Additionally, the Innovation and Artificial Intelligence Laboratory, located at the University of Buenos Aires Law School, is a multidisciplinary research and training center that focuses on the development and application of artificial intelligence (AI) in a variety of fields, including law, health, education, and government.

Reduced cybercrime cases and increased awareness

After the pandemic, life slowly returned to a semblance of normalcy, although it will probably never be the same. Slowly, people started venturing out of their homes, stopped wearing masks, and some returned to their usual workplaces. Amid all these changes, a noteworthy development relevant to the purpose of this article emerged, a decline in reported cases of cybercrime.

Certainly, there could not be a single reason why these incidents were reduced during 2022. However, based on the findings of the reports we examined, it is worth noting that in recent years both individuals and companies have become genuinely aware of the damage caused by cyber incidents.

This awareness is accompanied by campaigns, recommendations, and training initiatives implemented by both the public and private sectors. These efforts are not only targeted at staff, but are also disseminated to customers, users, and the general public.

During these years, there has been an emergence of stricter regulations in the measures of security of the information to be adopted by companies that provide public services, banks, and companies that handle personal data, among others. The Public Information Access Agency has issued Order No. 47/2018  regarding the computerized processing of data, which outlines security measures for handling personal data and sensitive information.

At the same time, it is becoming more prevalent to include certain security measures in contracts as a preventative measure against cyber incidents. Parties involved in the contract are required to adhere to these measures, with the understanding that failure to comply may result in the termination of the agreement. This situation encourages companies to be more careful, incentivizing them to maintain constant control and regularly update their information security systems to minimize vulnerabilities and avoid potential contractual issues.

Finally, it is important to consider that several companies operating in Argentina also operate abroad. As cybersecurity regulations are becoming more robust and demanding, many Argentine companies or those with a presence in the country are encouraged to comply with foreign regulations. In fact, they may receive directives from their headquarters to adhere to higher standards.

Conclusion

Argentina has made efforts to address cybersecurity through regulatory, academic, and institutional levels. While private actors, including banks, have played a crucial role in preventing cyberattacks, there is still a need for further action as government regulations are fragmented and insufficient, and many private businesses have yet to fully prioritize cybersecurity measures.

Enforcement of cybersecurity regulations due to limited government resources leads to ineffective enforcement. Additionally, insufficient investment in cybersecurity measures, driven by factors such as costs and inadequate risk awareness, leaves many companies inadequately protected against cyberattacks.

To enhance cybersecurity in Argentina, key steps include strengthening cybersecurity laws, allocating additional resources for enforcement, increasing investment in cybersecurity by private businesses, raising awareness about associated risks, and encouraging individuals to adopt protective measures like using strong passwords and being cautious while online, and sharing personal information.

Through collaborative efforts between the government, private sector, and individuals, Argentina can be transformed into a more secure and resilient environment.

Gustavo Bethular Partner
[email protected]
Sofia Grassi Senior Associate
[email protected]
RCTZZ, Buenos Aires