November 25, 2019.- The Financial Market Commission (CMF) reports that it has published today for public consultation the regulation on information security management and cybersecurity. This regulation will apply to banks, banking subsidiaries, companies supporting banking activities, and payment card issuers and operators. The consultation process will end on December 27, 2019.

The new chapter of the Updated Compilation of Rules for Banks (RAN, for its Spanish acronym), which is also applicable to the aforementioned entities, includes a series of measures based on international best practices to be considered for managing information security and cybersecurity.

Said regulation will allow entities to be better prepared to prevent and respond to operational events related to information security and cybersecurity.

The regulation in consultation consists of four sections:

• Section One establishes general guidelines on the matters of information security management and cybersecurity. Among them, it emphasizes the role that the Board of Directors ought to have in the proper management of both information security and cybersecurity, entrusting it with the approval of an institutional strategy in these matters. The Board must also ensure that the entity maintains an information security and cybersecurity management system that addresses a way of dealing with such risks consistent with the best existing international practices.
• Section Two establishes guidelines to be considered by institutions for implementation of a risk management process to support the aforementioned system. It states the basic stages of an information security and cybersecurity risk management process.
• Section Three considers the relevance of cybernetic risks and establishes two relevant aspects in the management of cybersecurity.
  • First, the determination of critical cybersecurity assets, referring to logical information components considered key to business operation. Some of these include hardware and technological systems that store, manage, and support such assets. In the case they are not properly operated, the entity is exposed to risks that might affect the confidentiality, integrity, and availability of its information.
  • Second, it underlines the relevance of the protective functions of said assets, the detection of threats and vulnerabilities, the response to incidents, and the restoration of the entity's normal operation.
• Section Four stresses the importance of entities having policies and procedures for the identification of assets that make up the critical infrastructure of the financial industry and payment system. This also applies to the adequate exchange of incident-related information with other members that are part of said infrastructure.

It is worth mentioning that this new chapter of the RAN complements the requirements of various CMF norms, such as those established in Chapter 1-13 on the assessment of operational risk management; Chapter 20-7 on the risks that entities assume in outsourcing services; Chapter 20-8 on operational incident information; and Chapter 20-9 on business continuity management.

To access the details of the regulatory proposals, you can visit the Draft Rules and Norms section of the CMF website. In addition, the Commission also makes available to interested parties a Frequently Asked Questions document and a Presentation. These documents summarize the core elements of this public consultation.