Cybersecurity 2024 Comparisons

Last Updated March 14, 2024

Contributed By Magliona Abogados

Law and Practice

Magliona Abogados specialises in corporate matters, tax services, complex business litigation and finance structures, telecommunications, technology law, intellectual and industrial property, and management of government relations and public policies, including corporate structuring, due diligence planning, M&A, financial assistance, syndicated loans, liability restructuring and leasing. The firm has expertise in licensing and software development agreements, technological platforms, franchises, data protection, computer crimes, and distribution, and the production and financing of film and television. Its clients encompass a wide range of enterprises, both local and multinational, engaged in banking and finance, technology and software, leasing and insurance. It also counsels public agencies and companies in the film industry, as well as other diverse fields.

The Framework Law

In December 2023, the Chilean National Congress approved the Framework Law on Cybersecurity and Critical Information Infrastructure (hereinafter the “Framework Law”), which will begin to be implemented during 2024. The Framework Law is inspired by the Network and Information Security Directives 1 and 2 of the European Union, as well as international regulatory models such as those of Spain, Israel and Estonia.

The Framework Law, once fully implemented, will be the country’s framework regulation on cybersecurity. Both public and private entities (eg, State administration agencies, suppliers of State administration agencies, essential service providers and operators of vital importance) will be regulated.

During 2024, it is expected that the Regulations of the Framework Law will be issued, as well as the first standards, protocols and general and particular instructions for the proper implementation of the Law.

Institutional ecosystem

The Framework Law has created a National Cybersecurity Agency (NCA) and inserted it into a robust institutional ecosystem in which there will be co-ordination between the NCA and the financial or telecommunications sectoral authorities that have regulatory and supervisory powers in the fields of cybersecurity, as well as with the future National Agency for the Protection of Personal Data, which is intended to be created by approval of the bill on the protection of personal data (Bulletin No 11.144-07).

In addition, the Framework Law will create the National Computer Security Incident Response Team (CSIRT), the National Defence CSIRT, as well as the Multisectoral Council on Cybersecurity and the Interministerial Committee on Cybersecurity. In addition, the NCA will be in charge of accrediting the certification centres, which will be the institutions in charge of certifying the cybersecurity standards of institutions subject to the Framework Law.

Essential service providers

The list of essential services outlined in the Framework Law is as follows:

  • Those services provided by the agencies of the State Administration and by the National Electricity Co-ordinator.
  • Those services provided under a public service concession.
  • Those services provided by private institutions that carry out the following activities:
    1. electricity generation, transmission or distribution;
    2. transportation, storage or distribution of fuels;
    3. provision of drinking water or sanitation;
    4. telecommunications;
    5. digital services;
    6. digital infrastructure;
    7. information technology services managed by third parties;
    8. land, air, rail or maritime transport, as well as the operation of their respective infrastructure;
    9. banking, financial services and means of payment;
    10. administration of social security benefits;
    11. postal and courier services;
    12. institutional provision of health by entities such as hospitals, clinics, doctors’ offices, and medical centres; and
    13. production and/or research of pharmaceutical products.

The NCA must issue a resolution through which it will identify which specific activities and functions will be considered as essential services (eg, the NCA could eventually identify the provision of domain name systems as a specific activity within the category “digital infrastructure”).

Essential service providers must comply with general cybersecurity obligations and permanently apply the measures to prevent, report and resolve cybersecurity incidents. These measures may be technological, organisational, physical or informational in nature, as the case may be.

Compliance with these obligations will require the proper implementation of the protocols and standards that will be established by the NCA, as well as the particular cybersecurity standards issued in accordance with the respective sectoral regulation. Penalties (fines) for non-compliance with these standards and protocols could reach USD1.47 million.

Operators of vital importance

The NCA must, at least every three years, through an administrative procedure in which sectoral authorities must also participate, identify those essential service providers that will be classified as operators of vital importance. The procedure includes a public consultation that will be regulated by the Regulations of the Framework Law once they are issued, and in addition, the NCA’s decision could be claimed through administrative appeals and a judicial claim, if applicable.

The NCA may classify as operators of vital importance those essential service providers who meet the following requirements:

  • that the provision of such service depends on computer networks and systems; and
  • that the impairment, interception, interruption or destruction of its services would have a significant impact on security and public order, on the continuous and regular provision of essential services, on the effective performance of the functions of the State or, in general, on the services that it must provide or guarantee.

In addition, the NCA may classify as operators of vital importance private institutions that, although they do not qualify as essential service providers, meet the requirements indicated above and whose classification is essential either because they have acquired a critical role in supplying the population, distributing goods or producing a good or service that is indispensable or strategic for the country, or because of the entity’s degree of exposure to risks and the likelihood of cybersecurity incidents, including their severity and the associated social and economic consequences.

Operators of vital importance will be required to comply with a number of specific cybersecurity obligations, including implementing an information security management system and possessing the necessary certifications that will be established by the Regulations of the Framework Law, among others (see 3.3 Legal Requirements and Specific Required Security Practices).

Cybercrime

In addition to the Framework Law, Law No 21,459 establishes regulations on computer crimes and modifies other legal bodies to adapt them to the Budapest Convention. Law No 21,459 entered into force in the country during the second semester of 2022. It provides for specific criminal offences, such as illegal access, illegal interception and attacks on the integrity of computer data. However, this Law does not establish any obligation to communicate cybersecurity risks or loss of information.

Sectoral Regulation

Chile has a number of sector-specific regulations, such as banking regulations, that will be further explained (see 2.5 Financial or Other Sectoral Regulators).

In the public sector, it is important to note Supreme Decree No 579/2020, which created the Technical Advisory Commission of the Inter-Ministerial Committee on Cybersecurity (itself created by Supreme Decree No 533/2015); this Decree contains a definition of cybersecurity. Likewise, in the public sector, in 2018 the President issued Presidential Instructive No 8, giving directions to public bodies related to cybersecurity, including urgent measures that should be implemented.

Furthermore, Decree No 273/2022 of the Undersecretary of the Interior recently established that the heads of services and other organs of the State administration must report cybersecurity incidents that affect them to the Ministry of the Interior and Public Security, by notification to the Government CSIRT. As for the deadline for notification, it is established that the communication must be made as soon as the occurrence of the incident is verified and may not exceed three hours from knowledge of the incident.

The key regulators of cybersecurity in Chile are the courts and the Financial Market Commission (FMC), along with the Undersecretary of Telecommunications of Chile (SUBTEL), the Undersecretary of the Interior and the Ministry of Health. In the public sector, there is the Council for Transparency and the Inter-Ministerial Committee on Cybersecurity (CICS), whose main task is to propose a National Cybersecurity Policy.

However, thanks to the approval of the new Framework Law, the new cybersecurity supervisory authority will be the future NCA. In view of this, the Framework Law establishes co-ordination duties between the NCA and the other sectoral authorities when issuing new cybersecurity standards or protocols that must be complied with by the entities subject to sectoral regulation.

NCA

In order to carry out its supervisory function, the future NCA may carry out inspections and instruct particular audits, either by itself or through authorised third parties, and security analyses based on objective risk assessment criteria, which must be non-discriminatory, fair and transparent. The audited entity shall co-operate at all times with officials of the NCA or third parties authorised by the NCA, as appropriate.

The NCA may also require access to computer systems, data, documents and other information necessary for the performance of its supervisory functions. In particular, it may instruct the obliged subjects to carry out tests that demonstrate the implementation of their operational continuity and cybersecurity plans. In addition, it may summon to testify, with respect to facts whose knowledge it deems necessary for the performance of its functions, the partners, directors, administrators, representatives, employees, and any person who, in any capacity, provides or has provided services for the audited persons or entities, as well as any person who has executed or entered into acts or agreements of any nature with them.

In the event that a provider of essential services or an operator of vital importance fails to comply with or violates the regulations, the NCA may initiate an administrative sanctioning procedure through its National Deputy Director.

The NCA shall designate an officer in charge of the investigation and prosecution of the case. In general, the procedure contains a stage for the formulation of charges, a stage for defence, a stage for the presentation of evidence, and a stage for the issuance of the final decision. The final decision may be the subject of an administrative appeal, as well as subsequently of a judicial appeal before the courts.

Sectoral Authorities

It should be noted that, in addition, a sectoral authority would be competent to monitor, take cognisance of and sanction infringements, as well as to execute the sanctions to the cybersecurity regulations that it has issued and whose effects are at least equivalent to those of the regulations issued by the NCA.

In Chile, there are no subnational norms.

The future NCA will be able to require from essential service providers and operators of vital importance access to the information strictly necessary to prevent the occurrence of cybersecurity incidents or to manage one that has already occurred. To this end, it may require the delivery of the activity records of the computer networks and systems that allow the details of any cybersecurity incidents that may have occurred to be understood.

In addition, the NCA may require, through instruction from its Director, in cases of incidents of significant impact whose management makes it essential, access to computer networks and systems from operators of vital importance and providers of essential services. However, the NCA’s decision, both in this case and in the event that it exercises this power in an audit context, may be appealed by the requested entity through a short judicial procedure.

Operators of vital importance and providers of essential services must comply with the duty to report cybersecurity incidents of significant impact to the future National CSIRT, once it is created. Operators of vital importance must also inform the National CSIRT of their action plan as soon as it has been adopted.

The NCA will dictate the instructions that are necessary for the proper preparation and reception of the requested reports. If there is an obligation to notify more than one authority, the NCA, together with the relevant sectoral authorities (eg, FMC or SUBTEL), will endeavour to make available to those obliged a single window system that allows simultaneous notification to all necessary authorities/regulators.

Finally, SUBTEL’s Resolution No 1318/2020 establishes a mandatory duty to report cyberthreats in the context of telecommunication services for companies that provide such services.

The Framework Law, which will begin to be implemented during 2024, is inspired by the European Union’s Networks and Information Security Directives 1 and 2, as well as international legislation such as that of Spain, Israel and Estonia. In this sense, the Framework Law:

  • establishes a procedure for identifying operators of vital importance and essential service providers;
  • identifies a list of essential services in critical sectors;
  • establishes a duty to report cybersecurity incidents with significant effects;
  • sets out a series of specific obligations to be complied with by operators of vital importance;
  • creates the NCA as a control body in cybersecurity matters in Chile, with regulatory, supervisory and sanctioning powers;
  • grants the NCA the power to require access or restriction of access to the networks and computer systems of entities subject to the Framework Law;
  • establishes co-ordination duties between the sectoral authorities with competence in cybersecurity and the future NCA, as in the European Union;
  • creates a certification scheme for standards, protocols and operational continuity and cybersecurity plans to be implemented by operators of vital importance, and which will be regulated in the Regulations of the Framework Law (for this reason, certification centres are recognised, which must also be accredited by the NCA);
  • creates a Cybersecurity Incident Registry, which must be managed by the NCA;
  • creates the State’s secure connectivity network; and
  • creates the National CSIRT, the National Defence CSIRT, as well as sectoral CSIRTs.

Law No 21,521, which “promotes competition and financial inclusion through innovation and technology in the provision of financial services”, or the Fintech Law, has begun its gradual implementation process. The Law regulates new fintech services and creates an open finance system that will require the issuance of a large amount of complementary regulation by the Financial Market Commission, including new cybersecurity and information security standards, and quality standards for the application programming interfaces that will be used within the future system.

“The technical standard on cybersecurity of Law No 21,180 on Digital Transformation of the State” aims to define the standards and technical guidelines that must be met by the organs of the State administration to safeguard the confidentiality, integrity, and availability of information, as well as protecting computer infrastructure.

The National Cybersecurity Policy 2017–2022 was recently replaced by the National Cybersecurity Policy 2023–2028. The National Cybersecurity Policy is of utmost relevance since it determines the approach that the State and its institutions will adopt in terms of cybersecurity until 2028, in terms of public and regulatory policies. Among these matters, it is noteworthy that the published Policy expressly adopts the promotion of the local cybersecurity industry as one of its approaches.

In December 2023, the National Congress approved the Framework Law on Cybersecurity and Critical Information Infrastructure (see 1.1 Laws). The Framework Law will begin to be implemented during 2024.

Pending changes on the horizon over the next 12 months are as stated below.

The process of gradual implementation of the Framework Law will begin. Therefore, the following is expected:

  • the creation of the NCA and the appointment of its first National Director;
  • the identification of the first private entities to be classified as operators of vital importance;
  • the elaboration of regulations that will regulate the specific cybersecurity obligations to be adopted by operators of vital importance;
  • the regulation of the certification scheme; and
  • the issuance of the first cybersecurity standards and protocols for entities considered to be essential service providers.

The bill on personal data protection (Bill No 11.144-07) is in its third constitutional stage and is currently under discussion in the National Congress, very close to the end of the legislative process. The precepts in the bill are consistent with recent international standards such as the EU’s General Data Protection Regulation (GDPR), safeguarding respect for and protection of the rights and fundamental freedoms of people over their personal data. The bill also seeks to create a national control authority on the protection of personal data.

The bill to “create the Ministry of Public Security” (Bulletin No 14,614-07) has entered its second constitutional stage and is currently under discussion in the National Congress, very close to the end of the legislative process. The bill would seek to create, independently and separately from the Ministry of the Interior, a Ministry of Public Security that would have powers regarding cybersecurity and be involved in the protection of the nation’s critical infrastructure, among other things. The bill is closely related to the Cybersecurity Framework Law, as it would seek to link the future NCA with the Ministry of Public Security in the exercise and fulfilment of its powers and duties.

The bill to “modify Law No 19,799 on electronic documents, electronic signature and certification services of said signature and other legal texts indicated” (Bill No 8466-07) entered its third constitutional stage and is under discussion in the National Congress. The bill would update the standards and procedures for the certification of electronic signatures, including their cybersecurity standards.

Resolution No 1318/2020 from SUBTEL regulates the regulatory framework for cybersecurity threats in the provision of telecommunication services and the protection of telecommunications critical infrastructure.

Likewise, the Chapter 20-10 of the Updated Compilation of Standards (RAN) of the Financial Market Commission (FMC) regulates cybersecurity in the context of financial institutions.

Article 32 No 21 of the Political Constitution of the Republic of Chile allows the President to decree that the armed forces take charge of the protection of the country’s critical infrastructure when there is a serious or imminent danger to it. Critical infrastructure is understood as the infrastructure essential for the generation, transmission, transportation, production, storage and distribution of basic services and inputs for the population, such as energy, gas, water or telecommunications; that relating to road, air, land, sea, port or rail connections, and that corresponding to services of public utility, such as health care systems. In addition, the Constitution establishes that a law, which has not yet been processed, will regulate the obligations to which public agencies and private entities in charge of the country’s critical infrastructure will be subject, as well as the specific criteria for their identification.

Finally, the Framework Law will be the common regulatory framework that will co-ordinate sectoral and national regulation on cybersecurity. The Framework Law will have a more general and broad scope, covering services considered essential and their infrastructures (see 1.1 Laws).

See 1.2 Regulators.

In Chile, the NCA will be the over-arching cybersecurity agency (see 1.1 Laws).

SERNAC

Currently, the National Consumer Service (SERNAC) is the control authority in matters of personal data protection in the context of consumer relations, by virtue of Law No 21,398 (the “Pro-Consumer Law”), and it will continue to be until there is a body specialised in data protection with powers in the matter. SERNAC can exercise its powers in this area (although it does not have sanctioning powers), which usually involves the following:

  • presenting class actions before courts;
  • supervising;
  • carrying out mediations and requesting reports; and
  • issuing interpretative circulars that are mandatory only for officials of the National Consumer Service.

Some of these circulars, which also deal with matters related to information security and cybersecurity, are outlined below.

Interpretative Circular on good practices in electronic commerce ‒ security in electronic contracting

SERNAC considers that providers of services and products through electronic means must inform and adopt the necessary technical measures to guarantee the consumer the security, integrity, and confidentiality of transactions, means of payment and personal data of consumers, indicating the levels of protection that will be applied for each of them. In addition, SERNAC considers that companies must take the corresponding safeguards in the case of electronic contracting by minors, vulnerable consumers or those who do not have the capacity to understand the information provided through the website.

Interpretative circular on criteria of equity in the stipulations contained in adhesion contracts referring to the collection and processing of personal data of consumers ‒ abusive clauses that put the consumer responsible for the effects of possible deficiencies, omissions, or errors, such as limiting the liability of the supplier in case of unauthorised access, losses, alterations, or leaks of the consumer’s personal data

SERNAC considers that the duty of professionalism incumbent on suppliers, in light of the security obligation in the processing of data, entails the need to apply comprehensive security measures (technical, organisational and human capital training) that safeguard the confidentiality, integrity and availability of consumers’ personal data, so as to avoid alteration, loss, transmission and unauthorised access.

In the field of consumption, SERNAC has interpreted that the providers responsible for the processing of personal data of consumers must compensate for the damage caused by the collection, processing, use, disclosure, or other processing operations, when they have not met the standards of security and professionalism of Law No 19,496 on the protection of consumer rights, and 19,628 on the protection of privacy.

Interpretative Circular on Consumer Protection Against the Use of AI Systems ‒ Consumer Safety

SERNAC has interpreted that, in view of the general obligation incumbent on suppliers to provide security to consumers, AI systems in the context of a consumer relationship must present adequate standards of precision, reliability, and technical effectiveness to obtain well-founded results and to avoid causing harm to consumers of a material or immaterial nature.

Thus, suppliers must act responsibly and with due diligence, which implies the need for a prior and continuous assessment of the risks that may arise for consumers from the use of AI systems. In the context of the protection of personal data, SERNAC considers that in accordance with the regulations on protection of personal data, the data controller responsible for the processing must undertake this processing with “due diligence” (Article 11, Law No 19,628), assuming responsibility for the damages caused. Specifically, SERNAC interprets this duty as translating into the need to apply appropriate technical and organisational security measures, which guarantee the confidentiality, integrity, and availability of the personal data in question, considering especially the risks involved in the processing activities and the nature of the data stored (including, among other elements, their level of sensitivity).

Public Sector

The Council for Transparency is responsible for ensuring compliance with Law No 19,628, on the protection of personal data, by the organs of the State Administration. The Council has issued the “Recommendations on Protection of Personal Data by the Organs of the State Administration”, the “Guide on Protection of Personal Data for Public Institutions” (2021) and the Resolution No 489/2022 that approved the “Procedure for Processing Requests for the Exercise of ARCO Rights made before the Council for Transparency”.

The Council recommends that public bodies apply different levels of security according to the type of data stored. By way of example, higher levels of security should be adopted for sensitive data than for non-sensitive data. In addition, the Council has ruled that the security obligation regarding the protection of personal data entails the duty to adopt all security measures needed to safeguard the integrity, confidentiality and availability of the data contained in its records. The purpose of this is to avoid alteration, leakage, loss, transmission and unauthorised access to personal data.

Financial Regulation – FMC

In processing bank data, the FMC has issued a ruling regarding security or cybersecurity incidents/breaches, under which it is mandatory for banks to report all cybersecurity-related incidents that occurred in the previous month, including updated or supplementary information on incidents reported in previous periods. A cybersecurity incident is understood as any event that threatens or adversely affects the information assets of the institution, as well as the infrastructure that supports them; events that have been registered but have not materialised are considered alerts.

More specifically, on 31 August 2018, the FMC issued amendments to Chapters 1-13 and 20-8 of the RAN. Chapter 1-13 was reformed to include the consideration of cybersecurity issues within the bank’s board of directors’ responsibilities. Chapter 20-8 on incident reporting was amended as follows.

The current obligation to notify the FMC of the occurrence of an operational incident was modified, setting a very short deadline of 30 minutes from the occurrence of the incident. The previous obligation only required that the communication be made “as soon as the incident was identified”. In addition, the content of the communications made to the FMC is detailed with greater precision. An obligation to communicate the occurrence of the incident to users or customers of the affected financial institution was introduced, as well as a new obligation regarding communication between industry members.

Furthermore, the aforementioned regulations were updated by Chapter 20-10 of the Updated Compilation of Standards (RAN). This new chapter contains a more detailed regulation regarding the general elements of cybersecurity management for financial institutions (mainly banks), namely:

  • information security risk management process;
  • particular elements to be considered for cybersecurity management;
  • protection of critical cybersecurity assets and detection of threats and vulnerabilities; and
  • response and recovery of activities in the event of incidents.

Telecommunications Regulation – SUBTEL

Regarding telecommunications services, Resolution No 1318/2020 of SUBTEL establishes a detailed regulatory framework that telecommunications service providers in Chile must follow and sets out a series of obligations and measures they must adopt to prevent cyber-attacks. Among the obligations are:

  • management measures;
  • prevention and mitigation measures;
  • risk analysis and security by design;
  • risk management plans;
  • documentation of management plans; and
  • incident reporting.

Health Regulation

In matters of health services, the Decree No 6/2022 of the Ministry of Health established the “Regulation on actions related to health care carried out remotely”, which is applicable to both public and private health providers. Thus, health providers who provide their services remotely must:

  • guarantee the secure transmission of data and clinical information necessary for the granting of the benefit, using reliable mechanisms and reusable formats that integrate rules for the protection of personal data, the reservation of the clinical record, biomedical ethics, and the rights and duties of patients;
  • ensure the traceability and registration of actions carried out with the support of ICTs;
  • have specific procedures for ensuring confidentiality, according to the action or benefit granted;
  • have privacy risk management plans, which allow the provider to minimise the risks associated with security breaches, especially if it is feared that this has resulted in some improper access or disclosure, alteration or modification of personal data relating to patients;
  • keep a record of information security incidents; and
  • report cyber-incidents to the Information Security Committee (CSI) of the Ministry of Health.

There are no further agencies that are particularly concerned with cybersecurity issues.

In Chile, the following ISO standards, published by the National Institute for Standardisation (INN), apply to cybersecurity matters, according to the government cybersecurity site, CSIRT (2022):

  • NCh–ISO IEC 27000:2018 – Information technology – Security techniques – Information security management systems – Overview and vocabulary;
  • NCh–ISO IEC 27001:2020 – Information Technology – Security Techniques – Information Security Management Systems – Requirements;
  • NCh–ISO 27002:2013 – Information technology – Security techniques – Code of practice for information security controls;
  • NCh–ISO IEC 27003:2019 – Information technology – Security techniques – Information security management systems – Guidance;
  • NCh–ISO IEC 27005:2020 – Information security – Cybersecurity – Guidance on managing information security risks;
  • NCh–ISO IEC 27013:2020 – Information security – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000–1;
  • NCh–ISO 27014:2015 – Information security – Cybersecurity – Governance of information security;
  • NCh–ISO IEC 27018:2019 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors;
  • NCh–ISO 27031:2015 – Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity;
  • NCh–ISO 27032:2015 – Information technology – Security techniques – Guidelines for cybersecurity;
  • NCh–ISO 27036/1:2015 – Cybersecurity – Supplier relationships – Part 1: Overview and concepts;
  • NCh–ISO 27036/2:2015 – Cybersecurity – Supplier relationships – Part 2: Requirements;
  • NCh–ISO 27036/3:2015 – Cybersecurity – Supplier relationships – Part 3: Guidelines for hardware, software, and services supply chain security;
  • NCh–ISO 27037:2015 – Information technology – Security techniques – Guidelines for identification, collection, acquisition, and preservation of digital evidence; and
  • NCh–ISO 27040:2015 – Information technology – Security techniques – Storage security.

This issue has not arisen in this jurisdiction.

Under the Framework Law, which will begin to be implemented gradually during 2024 once its Regulations and complementary regulations are issued, a series of new requirements and obligations for providers of essential services and operators of vital importance will be established.

General Cybersecurity Obligations

Both essential service providers and operators of vital importance will need to permanently apply the measures to prevent, report and resolve cybersecurity incidents. These measures may be technological, organisational, physical or informational in nature, as the case may be.

Compliance with these obligations requires the proper implementation of the protocols and standards that will be established by the NCA, as well as the particular cybersecurity standards issued in accordance with the respective sectoral regulation. The purpose of these protocols and standards will be the prevention and management of risks associated with cybersecurity, as well as the containment and mitigation of the impact that incidents may have on the operational continuity of the service provided or the confidentiality and integrity of information or computer networks or systems in accordance with the provisions of the Framework Law.

Specific Cybersecurity Obligations of Operators of Vital Importance

Public or private entities that are classified by the NCA as operators of vital importance must comply with a series of obligations that will be complemented and detailed in the Regulations of the Framework Law to be issued to implement it.

  • Implement a continuous information security management system in order to determine those risks that may affect the security of networks, computer systems and data, and the operational continuity of the service. This system should make it possible to assess both the likelihood and potential impact of a cybersecurity incident.
  • Maintain a record of the actions carried out that make up the information security management system, in accordance with the provisions of the Regulation.
  • Prepare and implement operational continuity and cybersecurity plans, which must be certified and must be subject to periodic reviews by the obliged entities, at least every two years.
  • Continuously carry out review operations, exercises and analyses of networks, computer systems or computer programs that compromise cybersecurity and communicate the information related to such actions or programs to the National CSIRT, in the manner determined by the Regulation.
  • Take the necessary measures in a timely and expeditious manner to reduce the impact and spread of a cybersecurity incident, including restricting the use of or access to computer systems, if necessary.
  • Have the certifications provided for in the Regulation.
  • Have training, education and continuing education programmes for its workers and collaborators, including cyber-hygiene campaigns.
  • Designate a cybersecurity delegate who will act as a counterpart to the NCA and who will report to the authority or head of the body or service of the State administration or to the directors, managers, administrators or principal executives, as defined by private institutions.

Incident Response Plans

In the context of the duty to report incidents with significant effects (see 5.8 Reporting Triggers), operators of vital importance must also inform the National CSIRT of their action plan as soon as it has been adopted.

Mass Mailing

Decree No 93/2006 approved the “technical framework for the organs of the State administration on the adoption of measures aimed at minimising the harmful effects of unsolicited mass electronic messages received in the electronic boxes of said departments and in those assigned to their officials”. Thus, the organs of the State must protect their mail servers to avoid improper use that could cause detriment to their performance or inability to use them by their legitimate users, situations that could affect the fluid communication between the organs of the State, as well as between them and citizens.

Websites

Decree No 1/2015 approved the “technical standard on systems and websites of the organs of the State administration”. According to its Article 6, for the secure development or implementation of web systems and websites, development standards, compatibility requirements and the main guidelines of international and national security standards must be applied. For these purposes, the international standards defined by the W3C, the standards of the ISO 27000 family (or those that replace them) and the good practices of the manufacturers or providers of the platforms or languages used by the systems will be considered.

Electronic Documents and Electronic Signature

Law No 19,799 on electronic documents, electronic signature and electronic signature certification services, together with its regulations and complementary technical standards, also applies.

Cybersecurity in the Health Sector

The Resolution No 785/2021 of the Undersecretariat of Assistance Networks approved the “Information Security and Cybersecurity Instructions for the Health Sector”, which seeks to deliver guidelines on cybersecurity to the Regional Ministerial Secretariats of Health, Health Services and Related Establishments.

Casinos

Circular No 119/2021 of the Superintendence of Gaming Casinos “Imparts instructions regarding the cybersecurity guidelines that must be observed by operating companies and concessionaires of casinos”.

Benefit Society

Circular No 3594/2021 of the Superintendence of Social Security modifies and complements Circular No 2,821/2012 on operational risk management in cybersecurity matters, adding a new chapter on cybersecurity and obliging benefit societies to adopt an information security management system.

Pension Fund Administrators (AFPs)

Book V, Title XVIII, Chapter II of the Compendium of Pension System Rules establishes the “Information Security and Cybersecurity Management Model” that all AFPs in the country must have.

Cybersecurity Officers

In the public sector, each head of service of the state administration must designate a cybersecurity officer, who will be responsible for the computer security of their service.

According to Resolution No 1318/2020 from SUBTEL, every relevant telecommunications operator shall have a response team for the adequate management of cybersecurity; this team shall have at least one member and one alternate.

Similarly, Chapter 20-10 of the Updated Compilation of Standards (RAN) establishes the obligation for financial institutions (mainly banks) to define an organisational structure with specialised and dedicated personnel, with the necessary powers and competencies to manage IT security and cybersecurity.

In addition, the Framework Law will require public or private entities classified as operators of vital importance to appoint a Cybersecurity Delegate who will be the counterpart to the future NCA.

Insider Threat Programmes

Pursuant to Resolution No 1318/2020 from SUBTEL, telecommunications service providers are required to adopt a series of cybersecurity measures and plans, such as:

  • cybersecurity risk management measures in the networks and systems used to provide telecommunications services;
  • measures to prevent the effects of cyber-incidents affecting the security of the networks and systems used to provide services;
  • risk analysis and security by design; and
  • cybersecurity risk management plans formulated in accordance with principles, standards and guidelines that are consistent with the characteristics of the networks and systems to which they are applied.

Moreover, Chapter 20-10 of the Updated Compilation of Standards (RAN) contains a series of detailed measures aimed at addressing cybersecurity threats, ranging from establishing a dedicated organisational structure to address these threats to promoting an information security and cybersecurity risk culture, along with a detailed risk management process.

Use of Cloud, Outsourcing, Offshoring

The amendment of Chapter 20-7 of the Updated Compilation of Standards on Outsourcing Services of the FMC established minimum guidelines for the outsourcing by financial institutions of services using cloud computing.

In general terms, the scope of RAN 20-7 is the contracting by banking institutions of external service providers to carry out operational activities that could also be carried out internally by the entity with its own resources. After a period of public consultation, the update to RAN 20-7 came into effect on 27 December 2017.

New definitions were added of cloud services, private cloud, public cloud, technology infrastructure and information security infrastructure.

Cloud services (cloud computing) are understood as the “model of service provision that can be configured according to demand, for the provision of services associated with information technologies over networks, based on technical mechanisms such as virtualisation, under different approaches or supply strategies”.

A private cloud is defined as “infrastructure provided for the exclusive use of an entity comprising multiple users (eg, business units). It can be owned, managed and operated by the same entity, a third party or a combination of both; and it can be located both inside and outside the contractor’s facilities”.

The public cloud is defined as: “cloud infrastructure provided for the use of various entities. The infrastructure is owned, managed, and operated by a provider of cloud services. This infrastructure is located on the cloud provider’s premises”.

For its part, ChileCompra (Chile’s public procurement directorate) has adopted a series of Directives on public procurement, including that contained in Resolution No 619-B/2018, which approves the “Public Procurement Directive No 32: Recommendations for the contracting of cloud services, considering aspects of computer security, availability and flexibility”. In it, ChileCompra comments on the Principle of Security in the Cloud Computing Services, which considers some of these aspects:

  • robust physical and logical security, access controls, identity, and authentication;
  • protection of information and data assets, both in transit and at rest;
  • operational, personnel and subcontractor safety;
  • audits;
  • incident reporting;
  • ISO 27000 standards;
  • National Institute of Standards and Technology (NIST); and
  • SOC.

The Directive is also based on the “Guide of Good Practices for the use of Cloud Computing Services within the State Administration” (2018) of the Digital Government Division.

Responsible Disclosure of Software Vulnerabilities

The heads of service of the State administration agencies shall require information technology service providers to share information on vulnerabilities and incidents that may affect the computer networks and systems of State agencies, provided that the purpose of doing so is to prevent, detect, respond to, recover from or reduce incidents, or to strengthen the level of cybersecurity, while ensuring that the potentially sensitive nature of the information shared is respected. To comply with the above, contracts for the provision of services may not contain any clause that could restrict or hinder in any way the communication of information about threats by the service provider, as long as this does not compromise the security and protection of data, including confidentiality and the protection of intellectual property.

This issue has not arisen in this jurisdiction.

Currently, Law No 19,628 on Privacy Protection only states that the data controller must take care of personal data with “due diligence”, assuming responsibility for the damages caused, see 2.4 Data Protection Authorities or Privacy Regulators.

Resolution No 1318/2020 from SUBTEL expressly provides for the protection of personal and sensitive data in the preparation of cyber-incident reports. According to this rule, where there is a possible violation of personal data, SUBTEL must send the relevant reports to the competent entity in charge of the protection of personal data.

The Framework Law considers cybersecurity incidents with significant effects to be those that are capable of affecting computer systems containing personal data, and which comply with a series of other requirements. For more information, see 5. Data Breach or Cybersecurity Event Reporting and Notification.

On this point, see 3.3. Legal Requirements and Required Security Practices (Responsible Disclosure of Software Vulnerabilities section).

Regarding telecommunications, SUBTEL Resolution No 1318/2020 contains a definition of “critical telecommunications infrastructure” in the following terms: “it is the set of telecommunications networks and systems whose interruption, disturbance, degradation, destruction, cut or failure would generate a serious impact on the security, privacy or availability of service of the affected population, being thus declared by means of a founded resolution of SUBTEL as indicated in the regulation on the interoperation and dissemination of alert messaging, declaration and safeguarding of the critical telecommunications infrastructure and information on significant failures in telecommunications systems”.

The categorisation of “critical telecommunications infrastructure” is relevant when defining a telecommunications operator as a relevant operator for SUBTEL, which has greater obligations than those that are not relevant, since a cyber-attack on this type of provider can seriously compromise many services nationwide.

Moreover, Chapter 20-10 of the Updated Compilation of Standards (RAN) establishes that entities (banks) must also have policies and procedures for the identification of those assets that make up the critical infrastructure of the financial industry and the payment system, and for the adequate exchange of technical information on incidents that affect or could affect the entity’s cybersecurity.

For its part, the new Framework Law establishes a list of essential services. For more information on this topic, see 1.1. Laws.

Chapter 20-10 of the Updated Compilation of Standards (RAN) contains some provisions regarding denial of service attacks. It is a requirement that banks’ computer networks are adequately protected from attacks from the internet or other external networks, through the implementation of complementary tools such as:

  • firewalls;
  • web application firewalls (WAF);
  • intrusion prevention systems (IPS);
  • data loss prevention systems (DLP); and
  • anti-denial of service systems (ADS).

Similarly, it directs that the financial institution (bank) regularly identifies and evaluates the attack vectors to which its technological infrastructure could be exposed, such as:

  • manipulation or interception of communications;
  • phishing;
  • malware;
  • elevation of privileges;
  • code injection;
  • denial of service; and
  • social engineering.

It advises making a clear distinction between intrusions that may affect the physical infrastructure, logical infrastructure or end-user equipment (endpoint). Finally, it contains a definition of “denial of service” (DoS) as an attack that aims to degrade the quality of service of a system or network, leaving it in a non-operational or inaccessible state.

Computer Programs

Article 71 Ñ of Law No 17,336, or the Copyright Law, allows activities to be carried out on a legally obtained copy of a computer program, with the sole purpose of testing, investigating or correcting its operation or the security of the same or other programs, networks or computers on which it is applied.

Internet of Things

Decree No 6/2022 of the Ministry of Health, which establishes the “Regulation on actions related to health care carried out remotely”, recognises that health providers may perform health actions or benefits through technological tools such as applications, robotics, artificial intelligence, and the internet of things (IoT), to the extent that the nature of the actions or benefits admit it and guarantee the quality of care, the autonomy of the patient’s will, and the security and confidentiality of people’s data.

Public Procurement

ChileCompra has adopted a series of directives on public procurement, including the directive contained in Resolution No 652-B/2021, which approves the “Public Procurement Directive No 38: Recommendations for the Procurement of Information Technology-Related Goods and Services”. In it, ChileCompra recommends that a standard clause on information security and cybersecurity always be added to public procurement contracts for ICT-related goods and services, which refers to the security standards of Decree No 83/2005 on electronic documents. In addition, the Directive also contains a standard clause for public procurement contracts on reports of security incidents.

Payment for ransomware is not prohibited by the new Framework Law.

There are a variety of sectors with sectoral regulations or regulations applicable to certain institutions or data with incident reporting obligations. Thus, reportable incidents and their nature vary according to the sector, institution, data, or assets affected.

The new Framework Law defines a cybersecurity incident as any event that impairs or compromises the confidentiality or integrity of information, the availability or resilience of computer networks and systems, or the authentication of processes executed or implemented in computer networks and systems.

The Framework Law establishes the duty for providers of essential services and operators of vital importance to report cybersecurity incidents with significant effects to the National CSIRT.

A cybersecurity incident will be considered to have a significant effect if it is capable of interrupting the continuity of an essential service or affecting the physical integrity or health of people, as well as if it affects computer systems containing personal data. In determining the significance of the effects of an incident, the following criteria shall be taken into account:

  • the number of persons affected;
  • the duration of the incident; and
  • the geographical extent of the area affected by the incident.

The specific procedure for reporting a cybersecurity incident, the form, as well as the conditions of anonymity, the taxonomy of the report and the periodicity, will be established in the Regulations of the Framework Law.

The data elements covered depend on the sector – if a data breach comes from a financial threat, then financial data must be covered.

In the telecommunication field, personal data and sensitive data are specially protected. According to the Law No 19,628, personal data in Chile is defined as “data relating to any information concerning natural, identified or identifiable persons”. Likewise, sensitive data is defined as “personal data that refers to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, religious beliefs or convictions, physical or psychological health conditions and sexual life”, see 2.5 Financial or Other Sectoral Regulators.

This issue has not arisen in this jurisdiction.

The Ministry of Health established the “Regulation on actions related to healthcare carried out remotely”, which is applicable to both public and private health providers. The Regulation stipulates that approval or certification is required for medical devices used for remote health actions or benefits, under the terms of Article 111 of the Health Code, see 2.5 Financial or Other Sectoral Regulators.

This issue has not arisen in this jurisdiction.

See 4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems.

ChileCompra has adopted a series of standard bases on public procurement, including that contained in Resolution No 13/2020, which approves the “Standard Format of Administrative Bases for the acquisition of Projects for the Development and Maintenance of Computer Systems, Computer Programs or Software”. The bases can be used by the organs of the State administration that wish to acquire software development projects of this type. The bases contain standard clauses for public procurement contracts related to security, software audits, confidentiality and intellectual property, among others.

In 2020, the Undersecretariat of Telecommunications issued a technical standard on cybersecurity in telecommunications. This established the mandatory reporting of all cyber-incidents detected by operators in their networks and systems that reach the levels of danger and impact indicated in the technical standard.

For more information, see 5.1. Definition of Data Security Incident, Breach or Cybersecurity Event.

The Framework Law includes a specific cybersecurity obligation for entities that are classified as operators of vital importance, in which they must report to potential affected parties, to the extent that they can be identified and when required by the NCA, on the occurrence of incidents or cyber-attacks that could seriously compromise their information or computer networks and systems, especially when they involve personal data and there is no other legal provision that requires their notification; or when it is necessary to prevent the occurrence of new incidents or to manage one that has already occurred.

The Framework Law

The Framework Law establishes a series of obligations for essential service providers and operators of vital importance. For more information on this topic, see 3.3 Legal Requirements and Specific Required Security Practices.

Sectoral Regulation

In the telecommunication field, Resolution No 1318/2020 requires the telecommunications provider to provide prevention and mitigation measures to minimise the effects of cyber-incidents that affect the security of networks and systems used to provide services, in order to ensure their operational continuity.

Moreover, the new Chapter 20-10 of the Updated Compilation of Standards (RAN) contains a robust set of cybersecurity defensive measures. Among these measures, the following are worth highlighting:

  • inventory of critical cybersecurity assets;
  • change management process that allows modifications made to the ICT infrastructure to be carried out in a secure and controlled manner;
  • capabilities management process;
  • technological obsolescence management process;
  • configuration management process that ensures adequate controls to the configurable elements of the ICT infrastructure;
  • patch management programme to ensure that patches are applied to both software and firmware in a timely manner;
  • implementation of tools such as firewalls, web application firewalls (WAF), intrusion prevention systems (IPS), data loss prevention systems (DLP), anti-denial of service systems, email filtering, anti-virus and anti-malware;
  • back-up management process to ensure the integrity and availability of information and processing media in the event of an incident or disaster;
  • mechanisms to cover the costs associated with possible cyber-attacks; and
  • a Security Operation Centre (SOC), either in-house or through an external service, which operates 24 hours a day, with facilities, technological tools, processes and dedicated and trained personnel.

Cybersecurity, privacy, and data protection are areas that are intimately linked. Cybersecurity endeavours to shield data subjects from cyberthreats, see 2.4 Data Protection Authorities or Privacy Regulators.

As previously stated in 2.5 Financial or Other Sectoral Regulators, banks have the duty to report incidents of cybersecurity. The same duty applies for telecommunications operators in Chile.

For more information, see 3.3 Legal Requirements and Specific Required Security Practices.

This issue has not arisen in this jurisdiction.

As for infringements and sanctions in general, it will depend on the sector, institution, data, or regulated assets. So, for example, telecommunications operators that fail to comply with Resolution No 1318/2020 are subject to the sanctions contemplated in the General Telecommunications Act, which may range from a reprimand to fines, and even to the suspension and revocation of the telecommunications concession in serious cases.

However, the Framework Law establishes a procedure for reporting cybersecurity incidents with significant effects (see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event), inspired by the Network and Information Security Directive 2 of the European Union.

Thus, essential service providers and operators of vital importance will have the obligation to report to the National CSIRT cyber-attacks and cybersecurity incidents that may have significant effects, as soon as possible and in accordance with a scheme which considers a series of different stages:

  • an early warning within three hours of becoming aware of the cyber-attack or cybersecurity incident;
  • a report of the incident within 72 hours, including an initial assessment of its severity and impact, including indicators of compromise;
  • a final report within 15 days of the early warning containing a detailed description of the incident, the type of cause or threat likely to have caused the incident, mitigation measures to be implemented and in progress, and the cross-border impact (if any) of the incident;
  • in the event that the incident is still ongoing after the final report, a status update must be made; and
  • again, after a period of 15 days from that update, a new final report must be made.

Notwithstanding the foregoing, both the National CSIRT and the competent sectoral authority may request relevant updates on the situation.

A regulation issued by the Ministry in charge of Public Security will regulate the content of the various types of reports.

This issue has not arisen in this jurisdiction.

For more information on the topic, please see 5. Data Breach or Cybersecurity Event Reporting and Notification.

This issue has not arisen in this jurisdiction.

Law No 21,398 (the Pro-Consumer Law) granted the National Consumer Service the status of transitory control body in matters of protection of personal data in the context of consumer relations, as long as there is no control body specialised in the protection of personal data. Thanks to these new powers, the Service can file a class action for the collective interest of consumers before the courts in the event that the duty of security and professionalism in consumption and protection of personal data is violated by a provider, see 2.4 Data Protection Authorities or Privacy Regulators.

In banking and financial matters, Chapter 20-10 of the Updated Compilation of Standards (RAN) establishes the obligation for financial institutions (mainly banks) to define an organisational structure with specialised and dedicated personnel, with the necessary powers and competencies to manage IT security and cybersecurity. In addition, the function of an information security and cybersecurity officer in charge of these matters must be part of this organisational structure.

The Board of Directors of banking and financial institutions subject to Chapter 20-10 of the Updated Compilation of Standards (RAN) shall establish the above and other matters in relation to their information security and cybersecurity management systems, such as:

  • policies for the management of information security and cybersecurity risks;
  • promotion of risk-awareness in terms of information security and cybersecurity;
  • permanent monitoring of the infrastructure connected with external providers, and analysis and implementation of measures to detect and mitigate potential threats to the cybersecurity of the entity; and
  • internal behaviour policy.

The implementation of an appropriate risk management process should include at a minimum:

  • a risk analysis process, which considers elements such as the evaluation of the probability of occurrence of incidents and their consequence or impact on information assets, based on the degree of damage or costs caused by an information security and cybersecurity event, thus determining its level of risk;
  • a risk assessment process;
  • a risk treatment plan; and
  • a review at least annually of the information security and cybersecurity risk management process.

There are no provisions in Chilean law regarding due diligence in cybersecurity matters, nor are there any guidelines that establish requirements for such procedure.

This issue has not arisen in this jurisdiction.

Cybersecurity has been on the agenda, given the cases of cyber-attacks on large institutions in Chile, such as the Judiciary, the Joint Chiefs of Staff (EMCO), the National Consumer Service and the National Accreditation Commission (CNA). Therefore, important changes in the regulatory system are coming in the short term to better prevent and control incidents and their impacts, see 1.8 Significant Pending Changes, Hot Topics and Issues.

Magliona Abogados

Andrés Bello 2687
Piso 24 Las Condes
Santiago
Chile

+56 2 3210 0030

+56 2 2 377 9451

contacto@magliona.cl www.magliona.cl