Cybersecurity 2025

CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados

Moreover, Chapter 20-10 contains a robust set of cybersecurity defensive measures. Within the measures, it is important to highlight the following:

• inventory of critical cybersecurity assets;
• change management process that allows modifications made to the ICT infrastructure to be carried out in a secure and controlled manner;
• capabilities management process;
• technological obsolescence management process;
• configuration management process that ensures adequate controls to the configurable elements of the ICT infrastructure;
• patch management programme to ensure that patches are applied to both software and firmware in a timely manner;
• implementation of tools such as firewalls, web application firewalls (WAF), intrusion prevention systems (IPS), data loss prevention systems (DLP), anti-denial of service systems, email filtering, anti-virus and anti-malware;
• back-up management process to ensure the integrity and availability of information and processing media in the event of an incident or disaster;
• mechanisms to cover the costs associated with possible cyber-attacks; and
• a Security Operation Centre (SOC), either in-house or through an external service, which operates 24 hours a day, with facilities, technological tools, processes and dedicated and trained personnel.

Incident Reporting

The CMF in Chile has established a regulatory framework for the management of operational and cybersecurity incidents in the financial sector, with the aim of protecting users and the stability of the system. This framework applies to various entities, including banks, card issuers, insurers and fintechs, with specific regulations for each type of entity. With the entry into force of the Cybersecurity Framework Law, it is expected that there will be co-ordination between the CMF and the ANCI.

• Sanctions – failure to comply with these regulations can result in fines of up to 15,000 UF (approximately USD420,000), which can increase fivefold in the case of repeat offences.
• Incident reporting – all entities regulated by the CMF are required to report operational incidents, although deadlines vary. For example, banks and insurers must do so within 30 minutes of the incident, while some fintech service providers have a deadline of two hours. These reports must include detailed information about the incident, such as its description, date and time, causes, impact on customers and services, and measures taken for mitigation.
• Communication – in general terms, entities should consider the need to inform their customers about incidents that affect the quality of services or that are publicly known. In addition, they should share relevant information about cybersecurity incidents with the rest of the industry, encouraging collaboration and prevention.

3.4 Operational Resilience Enforcement

The CMF requires entities to guarantee access to the information and records of suppliers, both on-site and remotely, even if the supplier is abroad. The CMF reviews the audit reports carried out by the suppliers.

Entities must report to the CMF any operational incident that affects an outsourced ser-


CHAMBERS.COM
