After the cybersecurity incidents that affected the financial industry in Chile, the Superintendence of Banks and Financial Institutions ("SBIF") modified Chapters 20-8 and 1-13 of the RAN (SBIF's Updated Regulation Compilation) last August 31, with the purpose of having access to more and better information about incidents, and raising the security standards of the financial system.
Chapters 20-8 and 1-13 already included standards related to the management of cybersecurity by the institutions regulated by SBIF, which were established in January of this year. In this amendment, certain minimum cybersecurity guidelines were included, like the requirement to generate and maintain a base of incidents available to the Superintendence.
Modifications to Chapter 20-8 on Information on operational incidents
The modification to Chapter 20-8 involves a strengthening of the current obligation to report incidents to SBIF; the creation of a new obligation to communicate incidents to customers and to the industry; and the elimination of the current section No. 2 that until now regulated the base of cybersecurity incidents.
This is a brief analysis of these new elements:
Communication of operational incidents to SBIF
The regulation specifies the types of operational incidents that must be communicated, and details the timing, content and mechanisms of that communication.
What to report. The institution must report the operational incidents that affect or jeopardize business continuity, the funds or resources of the entity or of its clients, the quality of the services, or the image of the institution. Incidents that affect a group of clients and could impact the image and reputation of the entity must also be reported, either immediately or after a certain event occurs1.
When to report. The first communication to SBIF, reporting the occurrence of an operational incident, must be made within a maximum period of 30 minutes.
How to report. In relation to reporting the incident, the current single communication by email to SBIF is replaced by a more detailed obligation that includes two communications to the platform enabled by SBIF on its Extranet, one at the beginning of the incident and another at the time of its closure.
What the report must contain. The modification details the matters that this communication must include2, requiring: (i) a unique incident identifier number (assigned by SBIF); (ii) the name of the reporting entity; (iii) a description of the incident; (iv) time and...