CMF published a regulation that establishes a series of guidelines and best practices that certain regulated entities must comply with in their process of managing information security and cybersecurity. CMF also published a presentation and a set of frequently asked questions with respect to this regulation. The regulation will become effective on December 01, 2020 and is applicable for banks, bank affiliates, bank draft support companies, and issuers and payment card operators. CMF expects this regulation to be a frame of reference for future changes in this area for other institutions, such as credit unions and entities in the securities and insurance industry.
The adoption of this new regulation will allow entities to be better prepared to prevent and act against operational events related to information security and cybersecurity. CMF has published the new Chapter 20-10 of the Updated Compilation of Standards (RAN); this new chapter contains a series of provisions, based on international best practices, that must be considered for the management of information security and cybersecurity. This new RAN Chapter complements the provisions of different regulations of CMF, such as those established in Chapter 1-13 on the evaluation of operational risk management; Chapter 20-7 regarding the risks that entities assume in the outsourcing of services; Chapter 20-8 on information on operational incidents; and Chapter 20-9 on business continuity management. Until December 01, 2020, when this regulation becomes effective, banks must continue to comply with the provisions of current Chapter 1-13 in the field of operational risk—particularly in relation to information security and cybersecurity. The new guidelines address the following key elements:
- Guidelines on the role of the Board of Directors for proper management of information security and cybersecurity, granting it responsibility for approval of the institutional strategy in this matter. In addition, a Board of Directors must ensure that an entity maintains an information security and cybersecurity management system that contemplates the specific administration of these risks.
- Banks and financial institutions shall define the minimum stages of an information security and cybersecurity risk management process, considering at least the identification, analysis, assessment, treatment, and acceptance of the risks. to which the information assets are exposed, as well as their permanent monitoring and review.
- Entities need to define their critical assets and their protection functions, ensure detection of threats and vulnerabilities, and focus on the response to incidents and the recovery of the normal operations.
- Entities must also have policies and procedures for the identification of assets that make up the critical infrastructure of the financial industry and the payment system and for the adequate exchange of technical information on incidents that affect, or could affect, the cybersecurity.
Related Links (in Spanish)
Keywords: Americas, Chile, Banking, Cyber Risk, Operational Risk, Information Security, Cyber Incident, CMF
Previous ArticleCBUAE Assesses Stability of Financial System in UAE
The European Commission (EC) published the Delegated Regulation 2021/1527 with regard to the regulatory technical standards for the contractual recognition of write down and conversion powers.
The Australian Prudential Regulation Authority (APRA) published a new set of frequently asked questions (FAQs) to provide guidance to authorized deposit-taking institutions on the interpretation of APS 120, the prudential standard on securitization.
The Single Resolution Board (SRB) published a Communication on the application of regulatory technical standard provisions on prior permission for reducing eligible liabilities instruments as of January 01, 2022.
The Australian Prudential Regulation Authority (APRA) published a new set of frequently asked questions (FAQs) to clarify the regulatory capital treatment of investments in the overseas deposit-taking and insurance subsidiaries.
The European Banking Authority (EBA) published the final report on the guidelines specifying the criteria to assess the exceptional cases when institutions exceed the large exposure limits and the time and measures needed for institutions to return to compliance.
The Prudential Regulation Authority (PRA) issued the policy statement PS20/21, which contains final rules for the application of existing consolidated prudential requirements to financial holding companies and mixed financial holding companies.
The European Banking Authority (EBA) revised the guidelines on stress tests to be conducted by the national deposit guarantee schemes under the Deposit Guarantee Schemes Directive (DGSD).
The European Commission (EC) announced that Nordea Bank has signed a guarantee agreement with the European Investment Bank (EIB) Group to support the sustainable transformation of businesses in the Nordics.
The Hong Kong Monetary Authority (HKMA) issued a circular, for all authorized institutions, to confirm its support of an information note that sets out various options available in the loan market for replacing USD LIBOR with the Secured Overnight Financing Rate (SOFR).
The Office of the Comptroller of the Currency (OCC) issued a new "Problem Bank Supervision" booklet of the Comptroller's Handbook. The booklet covers information on timely identification and rehabilitation of problem banks and their advanced supervision, enforcement, and resolution when conditions warrant.