CHILE Law and Practice Contributed by: Claudio Magliona, Bárbara Reyes and Diego Lisoni, Magliona Abogados
vice, allowing the CMF to supervise the incident response capacity and recovery plans. In the event of non-compliance with the regulations, the CMF may require that the services be carried out in the country or that the entity perform them internally, ensuring that the entity maintains a plan that allows it to comply with these requirements.

3.5 International Data Transfers

According to Chapters 20-7 and 20-10 of the RAN, entities must have defined specific data processing sites. In the case of processing abroad, the jurisdiction must be defined and known, as must the city where the data centres operate. Moreover, if an entity outsources data processing services outside the country, it must have a contingency data processing centre located in Chile and demonstrate a recovery time compatible with the criticality of the outsourced service. An exemption from this requirement is possible if the entity maintains adequate operational risk management and can ensure preventive measures such as a recovery time objective (RTO) approved by the board of directors, sites with adequate availability, and sites in different locations that mitigate both geographical and political risks.

In addition, if the outsourced service includes the transmission outside the country of data subject to secrecy or banking secrecy (according to Article 154 of the General Banking Law), prior authorisation from each client is required.

Regarding country risk, services may only be outsourced to jurisdictions with an investment-grade country risk rating. If the country does not have this rating, the board of directors may make an exception to this requirement as long as the country has adequate personal data protection and security laws.

Finally, it is worth noting that communication connections between the entity and the provider must have a level of encryption that ensures the confidentiality and integrity of data from end to end. The processed information must be stored and transported in encrypted form, with the decryption keys held by the entity.

3.6 Threat-Led Penetration Testing

Threat-led penetration testing has not yet arisen as a regulatory requirement in this jurisdiction.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

The Cybersecurity Framework Law refers to the concept of resilience, defining it as the ability of networks and computer systems to maintain their availability and operation, as well as to recover quickly from cybersecurity incidents. For its part, the National Cybersecurity Policy 2023–2028 establishes as one of its five fundamental objectives the development of a “resilient infrastructure” in the country. This implies that the country must have a robust information infrastructure prepared to withstand and recover from cybersecurity incidents and socio-environmental disasters. To advance this objective, it establishes the need to strengthen essential services and improve incident response capacity in both the public and private sectors.

However, neither the National Cybersecurity Policy nor the Cybersecurity Framework Law specifically establishes detailed obligations related to cyber-resilience. It is expected that in the