CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados
ing the magnitude, territorial coverage (local, communal, provincial, regional or national) and nature of the market.
• Redundancy of the service: Availability of alternative providers, their technical and operational capacity, response time and costs associated with the change.
• Mono-provision of the service: Existence of a single provider, barriers to entry for new providers, existence of viable substitutes and impact of the absence of the single provider.
• Service dependency: Interdependency between services, effect on the supply chain, criticality of the dependent service and resilience to the lack of the service on which it depends.
• Relevance of the affected institution: Its direct or indirect impact on the protection of legal assets identified by law (e.g. security; public order; etc.).

In addition, the ANCI may classify as operators of vital importance private institutions that, although they do not have the quality of providers of essential services, meet the requirements indicated previously and whose qualification is essential because they have acquired a critical role in the supply of the population, the distribution of goods or the production of a good/service that is indispensable or strategic for the country; or by the degree of exposure of the entity to risks and the likelihood of cybersecurity incidents, including their severity and the associated social and economic consequences.

2.2 Critical Infrastructure Cybersecurity Requirements

General Cybersecurity Obligations

Both essential service providers and operators of vital importance will need to permanently apply the measures to prevent, report and resolve cybersecurity incidents. These measures may be technological, organisational, physical or informational in nature, as the case may be.

Compliance with these obligations requires the proper implementation of the protocols and standards that will be established by the ANCI, as well as the particular cybersecurity standards issued in accordance with the respective sectoral regulation. The purpose of these protocols and standards will be the prevention and management of risks associated with cybersecurity, as well as the containment and mitigation of the impact that incidents may have on the operational continuity of the service provided or the confidentiality and integrity of information or computer networks or systems in accordance with the provisions of the Framework Law.

Specific Cybersecurity Obligations of Operators of Vital Importance

Public or private entities that are classified by the ANCI as operators of vital importance must comply with a series of obligations that will be complemented and detailed in the Regulations of the Framework Law.
• Implement a continuous information security management system in order to determine those risks that may affect the security of networks, computer systems and data, and the operational continuity of the service. This system should make it possible to assess both the likelihood and potential impact of a cybersecurity incident.
• Maintain a record of the actions carried out that make up the information security management system, in accordance with the provisions of the Regulation.
• Prepare and implement operational continuity and cybersecurity plans, which must be certified and must be subject to periodic
CHAMBERS.COM