Cyber Risk is a Corporate Risk — Latin America Responds

According to the World Bank, by 2024, Latin America and the Caribbean was the world’s fastest-growing region for disclosed cyber incidents, with a 25 percent average annual growth rate over the past decade.2 The most attacked countries in Latin America across 2024 were Brazil with 47 percent of attacks, followed by Mexico with 23 percent, and Colombia with 8 percent.3

The most attacked countries in Latin America

In response to the heightened risk environment, many businesses across Latin America strengthened their efforts to combat attacks. What was often seen before by businesses as solely an information technology risk is now generally viewed as a whole-enterprise risk, and we are starting to see more alignment and engagement between cyber risk, information security and business leaders.

This focus on cyber risk is evidenced by the consistent, though slight, improvement in risk scores reported by Aon clients. The overall risk score for Latin American businesses across 2024 was reported as 2.59 out of four, sitting between basic and managed preparedness and slightly under the global risk score of 2.71.

Latin American businesses, like many of their global counterparts, continued to struggle with managing third-party risk, application security, training and business resilience. From an industry perspective, financial institutions, transportation and logistics, business and professional services and retail and consumer goods scored the highest in cyber maturity. Interestingly, the technology, media and communications industry fell in its total risk score by seven percent year-over-year. This was likely due to the rapid adoption of new technologies to remain competitive and only serves to illustrate the risk that new digital business models pose.

Securing SMEs

Globally, ransomware claims persisted in 2024, increasing 24 percent year-over-year.4 The Latin America region was no exception. In 2023, it experienced 1,498 ransomware attacks carried out by 33 different ransomware groups.5 Underinvestment in cyber security and the large percentage of small to mid-size enterprises— 99.5 percent of the market — make Latin America an ideal target for ransomware threat groups.6

The risk is significant and strengthening security controls is only one step in achieving and maintaining cyber risk preparedness. Cyber insurance is of growing importance to businesses across the region and is needed to help transfer the risk of data breach, business interruption or other cyber-related risks. As the region matures and strengthens its score across critical controls, Latin American businesses can be better positioned to purchase cyber insurance policies. Globally, cyber insurance premium pricing declined 7 percent in Q1 2025, and in most markets, broader coverage and increased limits are now available for risks with appropriate cyber security controls.

2020–2025 Cyber Premium Changes by Quarter​

Average Year–over–Year Change (Same Clients)​

Amid this softer market and increased competition, some insurers are becoming more willing to pick up the risk with lower limits or on an aggregated basis. For carriers, Latin America presents an opportunity to help secure and support the region’s economic growth. As such, insurers are encouraged to adopt new approaches to packaging policies for SMEs with limited resources.

It can be seen how insurers have adapted their products to the rapid changes taking place in different industries. Improved coverage and lower prices have helped the market continue to grow. We must also highlight the increase in cyberattacks, which has forced CISOs and IT leaders to transfer risk through cyber policies. Finally, Artificial Intelligence (AI) has played a fundamental role in the need to acquire cyber policies, generating a larger market, forcing supply and demand in Latin America to continue to increase, reflected in the price decreases.

Cyber Monthly Pricing All Layers

Average Year–over–Year Change (Same Clients)

Regulation and Disclosure

The movement toward greater cyber incident disclosure also has the potential to strengthen Latin America’s cyber maturity, just as the Global Data Protection Regulation did for Europe. Chile, for example, has enacted the Chilean Law on Cyber Security and Critical Infrastructure in March 20247, which applies to public and private organizations that provide services that impact critical infrastructure. Organizations will have to increase their cyber security to prevent attacks following the establishment of two new regulatory institutions: the National Cybersecurity Agency (Agencia Nacional de Ciberseguridad) and the Multisectoral Council (Consejo Multisectorial). The legislation also introduces a National Computer Security Incident Response Team, which is responsible for the protection and security of networks for organizations and services that handle critical infrastructure critical to the smooth running of the country.8 Data protection and technology regulations are simultaneously being introduced on a country-by-country basis9, but disparities continue to exist across the region, amplifying the threat level.

Recommended Actions

• Cyber risk is a corporate risk. Business leaders therefore need to align across business functions and use data and analytics to forecast loss scenarios, exposure assessment, and total cost of risk. Use this insight to make better decisions around cyber security planning.
• Strengthen application security controls, particularly training and third-party management. Conduct due diligence across your vendor network and determine which are the most business critical.
• Enter the cyber insurance buyer’s market with confidence. Our CyQu data suggests that Latin American businesses compare favorably to the global marketplace.