CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados
reviews by the obliged entities, at least every two years.
• Continuously carry out review operations, exercises and analyses of networks, computer systems or computer programs that compromise cybersecurity and communicate the information related to such actions or programs to the National CSIRT, in the manner determined by the Regulation.
• Take the necessary measures in a timely and expeditious manner to reduce the impact and spread of a cybersecurity incident, including restricting the use of or access to computer systems, if necessary.
• Have the certifications provided for in the Regulation.
• Have training, education and continuing education programmes for its workers and collaborators, including cyber-hygiene campaigns.
• Designate a cybersecurity delegate who will act as a counterpart to the ANCI and who will report to the authority or head of the body or service of the state administration or to the directors, managers, administrators or principal executives, as defined by private institutions.

Infringements

General infringements
• Minor – minor breaches such as submitting information after the deadline or not following ANCI’s general instructions.
• Serious – failure to implement security protocols, submitting false information to ANCI, failure to report incidents to the National CSIRT, among others.
• Very serious – submitting false information in incidents with significant effects, failing to follow ANCI instructions in serious incidents or recidivating serious infringements.

Infringements for operators of vital importance
These operators have additional responsibilities, and the infringements are also classified as minor, serious and very serious depending on the breach of their specific obligations.
• Minor – failure to maintain records, failure to report security drills to the CSIRT, failure to train workers, etc.
• Serious – failure to implement security management systems, failure to draw up business continuity plans, failure to inform those affected by incidents, etc.
• Very serious – failure to take measures to reduce the impact of incidents with significant effects or recidivism of serious infringements.

Sanctions
Penalties vary according to the seriousness of the infringements.
• Minor infringements – warning or fine of up to 1,000 Monthly Tax Units (UTM).
• Serious infringements – fine of up to 10,000 UTM (approximately USD725,000).
• Very serious infringements:
(a) fine of up to 20,000 UTM (approximately USD1,450,000); or
(b) if the offender is a vital operator, the fine can be up to 40,000 UTM (approximately USD2.9 million).

2.3 Incident Response and Notification Obligations

Cybersecurity Incident
The Framework Law defines a cybersecurity incident as any event that impairs or compromises the confidentiality or integrity of information, the availability or resilience of computer networks and systems, or the authentication of processes