Specialized cybersecurity assessment for financial entities, including sector-specific regulatory compliance.
Cybersecurity in the financial sector is not audited the same way as in other industries. LATAM banking regulators (BCRA in Argentina, SBS in Peru, CMF in Chile, SFC in Colombia) have specific requirements beyond ISO 27001: they demand ransomware stress tests, incident response plans with defined notification timelines, and controls over critical technology providers. What most financial entities underestimate is the gap between general regulatory compliance and sector-specific requirements. An entity can be ISO 27001 certified and still present non-conformities to the banking regulator because its controls do not cover the specific scenarios the supervisor demands. The assessment includes ransomware scenario simulations calibrated to the regional financial sector's threat profile, because the stress test must be credible to the regulator, not generic.

Gap analysis against financial sector regulations.
Attack scenario simulation and response capacity evaluation.
Document prepared for presentation to the regulator.
Identification of applicable sector regulatory requirements.
Control testing and attack scenario simulation.
Executive report and support in regulator presentation.
The assessment covers regulations from Argentina (BCRA — Com. A 7724 and complementary circulars), Peru (SBS — Resolution 504-2021), Chile (CMF — RAN 20-10), and Colombia (SFC — Circular 007/2018 updated), plus international frameworks such as the SWIFT Customer Security Programme (CSP) and PCI DSS 4.0. Each regulator has specific requirements that do not fully overlap: for example, BCRA requires ransomware stress test exercises with supervisor reporting, while CMF emphasizes controls over cloud service providers. The assessment maps the specific requirements of your jurisdiction's regulator against the controls in place.
The internal team knows operations better than anyone, but that familiarity can create blind spots. An external assessment contributes three things the internal team structurally cannot: independence (findings are not conditioned by internal relationships), benchmarking (comparison against patterns from 45+ financial entities assessed in the region), and updated regulatory perspective (knowing exactly what the supervisor is looking at in current inspections). Additionally, many banking regulators explicitly require periodic external assessments as a compliance requirement.
Directors, CISOs, and compliance officers across Latin America share their experience with Fernando Arrieta's independent assessments.
Fernando's assessment identified 14 non-conformities that three previous audits had overlooked. The difference lies in the depth of analysis with real operational evidence, not just documentation.