CNBV Circular Única de Bancos — Cybersecurity Requirements

Mexico's National Banking and Securities Commission (CNBV) Circular Única de Bancos (CUB) cybersecurity requirements establish IT security and cybersecurity obligations for banks and financial institutions regulated by CNBV. The CUB requires financial institutions to implement information security management systems, conduct risk assessments, implement security controls for online banking and payment systems, and report cybersecurity incidents to CNBV. The 2018 amendments significantly strengthened cybersecurity requirements following high-profile attacks on Mexico's SPEI interbank payment system. Key requirements include: information security governance with board oversight; security operations center; vulnerability management; penetration testing; incident response plan; and business continuity. Financial institutions must report cybersecurity incidents affecting customer data or financial transactions to CNBV within 24 hours. The CUB cybersecurity requirements are complemented by the Bank of Mexico's (Banxico) cybersecurity circulars for payment system participants.