FULL REPORT: Brazil – Cybercrime will increase despite regulatory tightening in last three years

Torchlight Predictions

• Cyberattacks on IT systems of locally based companies will rise in 2023 
• Despite regulatory changes, legislation on cybercrime remains patchy, resulting in continuing vulnerabilities 
• Healthcare, IT and telecommunications, manufacturing, and government and defence will continue to be most susceptible industries to cyberattacks

Developments

• Hacking group Dark Angels claims to have extracted three terabytes worth of sensitive data from the servers of Brazil-based international construction company Andrade Gutiérrez. The attack exposes personal details and tax ID numbers of over 10,000 employees as well as compromising blueprints and 3D projections of critical infrastructure projects. (4 March)
• The Brazilian subsidiary of Norwegian offshore oil services company Aker Solutions says it has suffered a cyberattack forcing it to temporarily shut down its IT systems. (14 February)

Insights

Brazil-based companies remain vulnerable to cyberattacks, with high potential for loss and damage. The Andrade Gutiérrez hackers say they accessed technical details of major public infrastructure, including various ports, airports, and health centres. Currently there is a very low risk that this information will be sold to terrorist groups because terrorist activity in the country remains minimal. Far-right extremists have physically attacked electricity towers, but are unlikely to go beyond fairly rudimentary sabotage operations. Most hacking groups will continue to focus on extracting ransoms or political activism. 

The General Data Protection Law (LGPD), which came into force in September 2020, will continue to provide only limited protection to companies and the individuals whose data they hold. The law says companies that suffer data breaches must notify those affected and the National Data Protection Agency within a reasonable time period or risk a fine. The Data Protection Agency says non-compliance is dealt with confidentially. Given this secrecy, there is a medium to high probability that breaches are not being reported, ransom demands are being paid, and technical cybersecurity information is not being shared. This will weaken the LGPD’s efforts to detect and address large-scale cyberattacks on critical industries.    

Given slow and somewhat uneven progress to regulate cybercrime, large companies will find it is necessary to take additional protection measures, beyond federal requirements. The MIT Technology Review Cyber Defense Index ranks Brazil as 18th in the world, behind other emerging economies like Mexico and India. Another estimate by Checkpoint Software is that attacks surged nearly 40% in the third quarter of last year. Without tighter regulations and related investment in security infrastructure, cybercrime will increase further. Still settling into office, the new government has not yet addressed the growing  issue.

Implications for Business

Cyber targeting:  Cybersecurity specialists say Intellectual property (IP) pirates may also use  hacking to steal designs and techniques that can be used in other developing markets such as Africa or Asia. The probability of this happening is relatively low; there is little public information on such incidents. Companies that have been victims of attacks in recent years include large-scale operators like retailer Lojas Americanas, delivery company iFood, car rental group Localiza, meat packer JBS, and a number of government agencies including the health ministry. This has led to a notable growth of the cybersecurity market, largely due to significant investment by the private sector. We forecast that this growth will continue for the next five years. 

Insurance: Another sign that companies are responding more proactively to cyber threats is a boom in specialised insurance. Demand for cyber insurance policies rose by 40% last year, according to the Brazilian National Council of Insurers, which also estimated that cybersecurity spending was for the first time in excess of USD 1 billion. Having corporate cyber insurance cover is not an obligatory government requirement; the probability of it becoming so will remain low.

Request free Torchlight Insights trial here.