Cybersecurity 2025

CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados

• policies for the management of information security and cybersecurity risks;
• promotion of risk-awareness in terms of information security and cybersecurity;
• permanent monitoring of the infrastructure connected with external providers, and analysis and implementation of measures to detect and mitigate potential threats to the cybersecurity of the entity; and
• internal behaviour policy.

There are a large number of other specific operational risk and cybersecurity regulations applicable to other entities participating in the banking and financial system – eg, mutual fund administrators; entities providing fintech services, including investment advisers or alternative transaction platforms; and even entities that will participate in the Open Finance System, which is being implemented gradually until 2027. Thus, Chapter 20-10 is of general application to certain financial entities (banks, payment card operators and issuers) but shares several provisions with the specific regulations mentioned above.

3.2 ICT Service Provider Contractual Requirements

The contractual requirements for Information and Communication Technology (ICT) service providers are detailed in Chapters 20-7 and 20-10 of the Updated Compilation of Standards (RAN). The most relevant aspects are described below.

Definition of ICT Service Providers

According to the regulations, a service provider is any entity, related or not to the contracting institution, that provides services or supplies goods and facilities. This includes ICT service providers. ICT services can range from data processing to the provision of cloud infrastructure.

General Contractual Requirements

• Clear definition of rights and obligations – the contract must clearly specify the responsibilities of both parties.
• Service level agreements (SLAs) – clear and measurable service levels must be established.
• Early termination clauses – the contract must include conditions for the early termination of the contractual relationship.
• Pricing method – the contract must detail an appropriate method for pricing, with a breakdown for each service if several are purchased for a single price.
• Business continuity – the contract must include clauses that guarantee business continuity.
• Information security – clauses must be established on the ownership and confidentiality of information, restrictions on the use of software and the secure deletion of customer data.
• Audits – the CMF and the audited entity must be allowed to examine on-site or remotely all aspects of the contracted service.
• Subcontracting – there must be veto clauses for subcontracting to third parties by the main provider. Also, the subcontracted company must comply with the conditions agreed between the entity and the initial service provider.
• Personnel – the suitability and responsibility of the provider’s personnel, as well as the applicable legal and labour aspects, must be clearly established.
• Language – contracts, subcontracts and annexes must be in Spanish or translated into this language.
