Banking Regulation 2025

COSTA RICA Law and Practice Contributed by: Douglas Soto, Miguel Elizondo-Soto and Osvaldo Madrigal Méndez, Zurcher, Odio & Raven

International standards, best practices or refer - ence frameworks related to information security and cybersecurity developed by the technology industry may be used to implement the informa - tion security management system. Based on risks identified, the superintendencies may require the inclusion in the information secu - rity management system of information security and cybersecurity practices and controls. Supervised entities and companies must man - age cybersecurity to meet business require - ments and ensure operational resilience of all digital functions, establishing indicators to reg - ularly measure the effectiveness and efficiency of cybersecurity. They must also design and implement a process for managing information security and cybersecurity incidents that incor - porates the phases of incident management as established in the general guidelines of the Regulation. When an information security or cybersecu - rity breach is identified, supervised entities and companies must determine its potential impact in accordance with the classification model pre - sented in the Regulation’s general guidelines. The incident-management process must include a response plan for information security and cybersecurity incidents, as well as controls to allow the collection of evidence for forensic analysis.

An information security and cybersecurity incident response function must be set up in accordance with the structure, size, service channels, transaction volume, number of cli - ents, risk assessment and services provided by each supervised entity and company. If the confidentiality or integrity of client information is compromised due to an information security or cybersecurity breach, the entities and com - panies must notify the clients affected. It will be the responsibility of the supervised entities and companies to define the type, scope, and mini - mum content of the communication, which must be timely, clear, and appropriately tailored to the nature of the incident. SUGEF and CONASSIF requested a legal opin - ion from the General Attorney of the Republic regarding the legality and operation of the fintech industry where it has obtained financial resourc - es from the public. According to the legal opinion recently issued by this entity, fintech platforms must keep functioning as an aggregated service to the banking and financial supervised industry. Fintech operators are not permitted to accept deposits from the public or open individual accounts, as they are not authorised to engage in financial intermediation under the current legal framework. 11. Horizon Scanning 11.1 Regulatory Developments

128 CHAMBERS.COM

Powered by