Cybersecurity 2022 Comparisons

In Chile, Law No 19,223 of 1993 establishes criminal offences relating to information technology. Within cybercrime, there is a subcategory relating to the involvement of the logical components of cyberspace (computer programs, computer systems, databases), which are known as computer-related offences. This Act provides for specific criminal offences for the unauthorised access, theft and destruction of information systems. However, this Act does not establish any obligation to communicate cybersecurity risks or loss of information.

Chile has sectorial regulations, such as banking regulations that will be further explained; see 2.5 Financial or Other Sectoral Regulators.

In the public sector, it is important to note the Supreme Decree No 579 that creates the Technical Advisory Commission of the Inter-Ministerial Committee on Cybersecurity, itself created by Supreme Decree No 533; this Decree has a definition of cybersecurity. Likewise, in the public sector, in 2018 the President issued the Presidential Instructive No 8, giving directive to public bodies related to cybersecurity, including urgent measures that should be implemented, such as:

• appointment of a high-level cybersecurity officer in each public service, who must be independent of the institution’s IT head;
• application and updating of technical regulations on cybersecurity;
• internal cybersecurity measures;
• detailed revision of networks, systems and digital platforms of public operation;
• surveillance and analysis of the operation of the technological infrastructure of state administrative bodies – the Coordination Centre of Government Entities (CCEG) will verify compliance with current cybersecurity standards and will carry out cybersecurity exercises;
• compulsory report of incidents to the CCEG, as soon as they become aware of them;
• response to cybersecurity incidents – regardless of the regulations issued in terms of cybersecurity by the head of each service, the Ministry of the Interior through the CCEG will arrange the necessary actions to ensure the continuity and proper functioning of the networks;
• transitional governance of cybersecurity – while the implementation of the new model of national cybersecurity policy is pending, a temporary governance will be defined. This task will be the responsibility of the Ministry of the Interior, who will designate a responsible person who will implement the measures of the national cybersecurity policy in terms of transient governance.

Key regulators are the courts and the Financial Market Commission (FMC), along with the Undersecretary of Telecommunications of Chile (SUBTEL). In the public sector, there is the Inter-Ministerial Committee on Cybersecurity (CICS), whose main task is to propose a National Cybersecurity Policy. It is composed of the following:

• the Undersecretariat of the Interior;
• the Undersecretariat of Defence;
• the Undersecretariat of Foreign Affairs;
• the General Undersecretariat of the Presidency;
• the Undersecretariat of Justice;
• the Undersecretariat of Economy;
• the Undersecretariat of Telecommunications;
• the National Intelligence Agency; and
• the Undersecretariat of Finance.

In Chile, there is no cybersecurity regulator nor data protection authority. Any procedures regarding cybersecurity offences are dealt with in courts and sectorial fields such as banking, followed by the Financial Market Commission.

In Chile, there are no subnational norms, but there are sectorial rules; as mentioned in 1.3 Administration and Enforcement Process, the sectorial rule that exists today is exclusively applicable to banks.

The major governmental organisation is the Inter-ministerial Committee on Cybersecurity, within the Ministry of the Interior and Public Security, CSIRT. In addition, according to the Presidential Instruction No 8 of 2018, state administration bodies should report all cybersecurity incidents to the CSIRT as soon as they become aware of them; this duty is mandatory.

SUBTEL's Resolution No 1318 establishes a mandatory duty to report cyberthreats in the context of telecommunication services, for companies that provide such services.

This issue has not arisen in the firm’s jurisdiction.

Supreme Decree No 579 created the Technical Advisory Commission of the Inter-Ministerial Committee on Cybersecurity, itself created by Special Decree No 533 (7 January 2020). This Decree modified Special Decree No 533, creating a Technical Advisory Commission of the Inter-Ministerial Committee on Cybersecurity. It also contains the following definition of cybersecurity: "cybersecurity is defined as the condition characterised by a minimum of risks and threats to technological infrastructures, the logical components of information and the interactions that take place in cyberspace, as well as the set of policies and techniques designed to achieve this condition".

Pending changes on the horizon over the next 12 months are as stated below.

The Bill that establishes rules on computer crimes entered into its third constitutional stage, repealing Law No 19,223 and modifying other legal bodies in order to adapt them to the Budapest Convention, and is currently under discussion in Congress (Bill No 12.192-25). The discrepancies between the Senate and the Chamber of Deputies in relation to this bill are related to the following two points.

• The power granted to the Public Prosecutor's Office to request subscriber data and IP addresses from a service provider and within the framework of a criminal investigation, without judicial authorisation.
• Approval of academic research or ethical hacking. Although there is a general consensus in its inclusion, the article approved is contradictory, because although it establishes that the authorisation of the owner of the system is required for its practice, it then establishes that it may be established as an exemption from criminal liability (eg, maintaining civil liability), in cases where hackers illegally access a system (without permission) but give immediate notice to the corresponding authority and to the owner. 

The Bill on data protection (Bill No 11.144-07): the precepts in the bill are consistent with recent international standards such as the EU's General Data Protection Regulation (GDPR), safeguarding respect for and protection of the rights and fundamental freedoms of people over their personal data.

Moreover, the Undersecretary of Telecommunications of Chile (SUBTEL) issued Resolution No 1318, entitled Technical Standard on general cybersecurity fundamentals for the design, installation and operation of networks and systems used for the provision of telecommunications services. The purpose of the technical standard is to establish a regulatory framework that includes the general cybersecurity fundamentals on the basis of which networks and systems used for the provision of telecommunications services must be designed, installed and operated in a secure manner.

Likewise, the Financial Market Commission (FMC) issued the new Chapter 20-10 of the Updated Compilation of Standards (RAN), which contains a series of provisions, based on international best practices, that should be considered for information security and cybersecurity management.

All of the above include cybersecurity incident-breach communications.

Resolution No 1318 from SUBTEL regulates the regulatory framework for cybersecurity threats in the provision of telecommunication services. Likewise, the new Chapter 20-10 of the Updated Compilation of Standards (RAN) of the FMC in the context of financial institutions.

See 1.2 Regulators.

In Chile, the CICS is the over-arching cybersecurity agent.

Currently, there is no data protection authority in Chile.

In processing bank data, the FMC has issued a ruling regarding incidents/breaches of security or cybersecurity, in which it is mandatory for banks to report all the incidents related to cybersecurity that have occurred in the current month, including updated information or information supplementary to incidents reported in previous periods. A cybersecurity incident is understood as any event that threatens or adversely affect the information assets of the institution, as well as the infrastructure that supports it; it will consider alerts to those events registered but not materialised.

More specifically, on 31 August 2018, the then FMC issued amendments to Chapters 1-13 and 20-8 of the RAN. Chapter 1-13 was reformed to include the consideration of cybersecurity issues within the bank’s board of directors’ responsibilities. Chapter 20-8 on incident reporting was amended as follows.

The current obligation to notify the FMC of the occurrence of an operational incident was modified, setting a very short-term, 30-minute deadline from the occurrence of the incident. The previous obligation only required that the communication be made “as soon as the incident was identified”. In addition, the content of the communications made to the CMF is detailed with greater precision. An obligation to communicate the occurrence of the incident to users or customers of the affected financial institution was introduced, as well as a new obligation regarding communication between industry members.

Furthermore, the aforementioned regulations were updated with the new Chapter 20-10 of the Updated Compilation of Standards (RAN). This new chapter contains a more detailed regulation regarding the general elements of cybersecurity management for financial institutions (mainly banks), namely:

• information security risk management process;
• particular elements to be considered for cybersecurity management;
• protection of critical cybersecurity assets and detection of threats and vulnerabilities;
• response and recovery of activities in the event of incidents.

Regarding telecommunications services, Resolution No 1318 from SUBTEL establishes a detailed regulatory framework that telecommunications service providers in Chile must follow, and sets out a series of obligations and measures they must adopt to prevent cyber-attacks. Among the obligations are:

• management measures;
• prevention and mitigation measures;
• risk analysis and security by design;
• risk management plans; and
• documentation of management plans.

It also establishes the obligation to report incidents through a process detailed in Resolution No 1318. 

Agencies previously mentioned are the only ones referred to cybersecurity issues.

In Chile, the following ISO rules apply to cybersecurity matters, according to the government cybersecurity site, CSIRT (English version):

• NCh-ISO27000:2014 – information security management system, overview and vocabulary;
• NCh-ISO27001:2013 – information security management system, requirements;
• NCh-ISO27002:2013 – codes of practice for information security controls;
• NCh-ISO27003:2014 – information security management system implementation guide;
• NCh-ISO27005:2014 – information security risk management;
• NCh-ISO27013:2013 – guidance on integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1;
• NCh-ISO27014:2015 – information security governance;
• NCh-ISO27018:2015 – code of practice for the protection of personally identifiable information (PII) in public clouds performing the role of PII processors;
• NCh-ISO27031:2015 – guidelines for preparing information and communication technologies for business continuity;
• NCh-ISO27032:2015 – guidelines for e-protection;
• NCh-ISO27036/1:2015 – information security in supplier relations, part 1, overview and concepts;
• NCh-ISO27036/2:2015 – information security for supplier relations, part 2, requirements;
• NCh-ISO27036/3:2015 – information security for supplier relations, part 3, guidelines for information and communication technology supply chain security;
• NCh-ISO27040:2015 – storage security;
• NCh-ISO27003:2014 – information security management system implementation guide;
• NCh-ISO27005:2014 – information security risk management;
• NCh-ISO27031:2015 – guidelines for preparing information and communication technologies for business continuity;
• NCh-ISO27037:2015 – guidelines for the identification, collection, acquisition and preservation of digital evidence.

This issue has not arisen in the firm’s jurisdiction.

There is no Cybersecurity Framework Act yet, but one of the documents that contains information about cybersecurity measures is the Presidential Instruction No 8 of 2018. Therefore, the measures are addressed to the public sector.

In addition, as mentioned above, there are sectoral regulations in the financial and telecommunications sectors that address cybersecurity issues.

In addition, as mentioned above, there are sectoral regulations in the financial and telecommunications sectors that address cybersecurity issues.

Incident Response Plans

See 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.

Cybersecurity Officers

In the public sector, each head of service of the state administration must designate a cybersecurity officer, who will be responsible for the computer security of their service.

According to Resolution No 1318 from SUBTEL, every relevant telecommunications operator shall have a response team for the adequate management of cybersecurity, this team shall have at least one member and one alternate.

Similarly, the new Chapter 20-10 of the Updated Compilation of Standards (RAN) establishes the obligation for financial institutions (mainly banks) to define an organisational structure with specialised and dedicated personnel, with the necessary powers and competencies to manage IT security and cybersecurity.

Insider Threat Programmes

In the public sector, each head of service of the state administration will be responsible for taking measures conducive to compliance with the advanced level of security under the terms of Supreme Decree No 83 of 2005.

Pursuant to Resolution No 1318 from SUBTEL, telecommunications service providers are required to adopt a series of cybersecurity measures and plans, such as:

• cybersecurity risk management measures in the networks and systems used to provide telecommunications services;
• measures to prevent the effects of cyber incidents affecting the security of the networks and systems used to provide services;
• risk analysis and security by design;
• cybersecurity risk management plans formulated in accordance with principles, standards and guidelines that are consistent with the characteristics of the networks and systems to which they are applied.

Moreover, the new Chapter 20-10 of the Updated Compilation of Standards (RAN) contains a series of detailed measures aimed at addressing cybersecurity threats, ranging from dedicating a dedicated organisational structure to address these threats to promoting an information security and cybersecurity risk culture, along with a detailed risk management process.

Use of Cloud, Outsourcing, Offshoring

The amendment of Chapter 20-7 of the Updated Compilation of Standards on Outsourcing Services of the FMC-established minimum guidelines for the outsourcing by financial institutions of services using cloud computing.

In general terms, RAN 20-7 has as its scope the hiring by banking institutions of external service providers to carry out operational activities that could also be carried out internally by the entity with its own resources. After a period of public consultation, the update to RAN 20-7 came into effect on 27 December 2017.

New definitions were added of cloud services, private cloud, public cloud, technology infrastructure and information security infrastructure.

Cloud services (cloud computing) is understood as the "model of service provision that can be configured according to demand, for the provision of services associated with information technologies over networks, based on technical mechanisms such as virtualisation, under different approaches or supply strategies".

A private cloud is defined as "infrastructure provided for the exclusive use of an entity comprising multiple users (e.g., business units). It can be owned, managed and operated by the same entity, a third party or a combination of both; and it can be located both inside and outside the contractor's facilities".

The public cloud is defined as: "cloud infrastructure provided for the use of various entities. The infrastructure is owned, managed, and operated by a provider of cloud services. This infrastructure is located on the cloud provider's premises".

This issue has not arisen in the firm’s jurisdiction.

Currently, Law No 19,628 on Privacy Protection does not contain any security requirement regarding cybersecurity matters. Likewise, Law No 19,223 does not contain any provision in this regard.

Resolution No 1318 from SUBTEL expressly provides for the protection of personal and sensitive data in the preparation of cyber-incident reports. According to this rule, in case of a possible violation of personal data, SUBTEL must send the relevant reports to the competent entity in charge of the protection of personal data.

This issue has not arisen in the firm’s jurisdiction.

Regarding telecommunications, SUBTEL Resolution No 1318 contains a definition of "critical telecommunications infrastructure" in the following terms: “It is the set of telecommunications networks and systems whose interruption, disturbance, degradation, destruction, cut or failure would generate a serious impact on the security, privacy or availability of service of the affected population, being thus declared by means of a founded resolution of SUBTEL as indicated in the regulation on the interoperation and dissemination of alert messaging, declaration and safeguarding of the critical telecommunications infrastructure and information on significant failures in telecommunications systems”. 

The categorisation of "critical telecommunications infrastructure" is relevant when defining a telecommunications operator as a relevant operator for SUBTEL, which has greater obligations than those that are not relevant, since a cyber-attack on this type of provider can seriously compromise many services nationwide.

Moreover, the new Chapter 20-10 of the Updated Compilation of Standards (RAN) establishes that entities (banks) must also have policies and procedures for the identification of those assets that make up the critical infrastructure of the financial industry and the payment system, and for the adequate exchange of technical information on incidents that affect or could affect the entity's cybersecurity.

The new Chapter 20-10 of the Updated Compilation of Standards (RAN) contains some provisions regarding denial of service attacks. It is a requirement that the banks' computer networks are adequately protected from attacks from the internet or other external networks, through the implementation of complementary tools such as:

• firewalls;
• web application firewalls (WAF);
• intrusion prevention systems (IPS);
• data loss prevention systems (DLP); and
• anti-denial of service systems (ADS).

Similarly, it directs that the financial institution (bank) regularly identifies and evaluates the attack vectors to which its technological infrastructure could be exposed, such as, for example:

• manipulation or manipulation or interception of communications;
• phishing;
• malware;
• elevation of privileges;
• code injection;
• denial of service; and
• social engineering.

It advises making a clear distinction between intrusions that may affect the physical infrastructure, logical infrastructure or end-user equipment (endpoint). Finally, it contains a definition of "denial of service" (DoS) as an attack that aims to degrade the quality of service of a system or network, leaving it in a non-operational or inaccessible state.

This issue has not arisen in the firm’s jurisdiction.

As previously mentioned, it is currently only in the banking sector that there is an obligation to report cybersecurity threats. See 2.5 Financial or Other Sectoral Regulators.

It depends on the sector as to which data elements are covered – if a data breach comes from a financial threat, then financial data must be covered. As previously stated, there is no Cybersecurity Framework Act as yet.

In the telecommunication field, personal data and sensitive data are specially protected. According to the Law No 19,628, personal data in Chile is defined as “those relating to any information concerning natural, identified or identifiable persons”. Likewise, sensitive data is defined as “those personal data that refer to the physical or moral characteristics of persons or to facts or circumstances of their private life or intimacy, such as personal habits, racial origin, ideologies and political opinions, religious beliefs or convictions, physical or psychological health conditions and sexual life”. See 2.5 Financial or Other Sectoral Regulators.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

In 2020, the Undersecretariat of Telecommunications issued a technical standard on cybersecurity in telecommunications. This establishes mandatory reporting of all cyber incidents detected by operators in their networks and systems that reach the levels of danger and impact indicated in the technical standard.

This issue has not arisen in the firm’s jurisdiction.

In the public sector, the task of monitoring networks for cybersecurity rests with the CSIRT. Each head of service of the state administration must provide information about any incident to the CSIRT.

In the telecommunication field, Resolution No 1318 requires the telecommunications provider to provide prevention and mitigation measures to minimise the effects of cyber incidents that affect the security of networks and systems used to provide services, in order to ensure their operational continuity.

Moreover, the new Chapter 20-10 of the Updated Compilation of Standards (RAN) contains a robust set of cybersecurity defensive measures. Within the measures, it is important to highlight the following:

• inventory of critical cybersecurity assets;
• change management process that allows modifications made to the ICT infrastructure to be carried out in a secure and controlled manner;
• capabilities management process;
• technological obsolescence management process;
• configuration management process that ensures adequate controls to the configurable elements of the ICT infrastructure;
• patch management program to ensure that patches are applied to both software and firmware in a timely manner;
• implementation of tools such as firewalls, web application firewalls (WAF), intrusion prevention systems (IPS), data loss prevention systems (DLP), anti-denial of service systems, email filtering, anti-virus and anti-malware;
• back-up management process to ensure the integrity and availability of information and processing media in the event of an incident or disaster; 
• mechanisms to cover the costs associated with possible cyber-attacks;
• a Security Operation Centre (SOC), either in-house or through an external service, which operates 24 hours a day, with facilities, technological tools, processes and dedicated and trained personnel. 

Cybersecurity, privacy and data protection are areas that are intimately linked. Cybersecurity endeavours to shield data subjects from cyberthreats. 

However, such intersection is weak in Chile regarding the laws that covers data protection and cybersecurity. The main reason is that both laws are outdated, and they are currently being reviewed by the Congress.

Since 1999, Chile has had a Data Privacy Act, but this does not adequately address new technologies. Therefore, legal amendments to that body of law are currently being made in Congress. The same is true of cybersecurity: the bill that establishes rules on computer crimes entered the Senate, repealing Law No 19,223 and modifying other legal bodies in order to adapt them to the Budapest Convention is currently under discussion in Congress (Bill No 12.192-25).

As previously stated in 2.5 Financial or Other Sectoral Regulators, banks have the duty to report incidents of cybersecurity. The same duty applies for telecommunications operators in Chile.

This issue has not arisen in the firm’s jurisdiction.

Act No 19,223 on cybercrimes, regulates unauthorised access to databases or information, unauthorised disclosure of such information, among other criminal actions. This obsolete law is not enough to address the size and significance of contemporary events in respect of breach of security or cybercrimes. The punishment for those actions ranges from 541 days to five years' imprisonment.

Telecommunications operators that fail to comply with Resolution No 1318 are subject to the sanctions contemplated in the General Telecommunications Act, which may range from a reprimand to fines, and even to the suspension and revocation of the telecommunications concession in serious cases.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

This issue has not arisen in the firm’s jurisdiction.

Class actions in this regard are not regulated in Chile.

There are no provisions in Chilean law regarding due diligence in cybersecurity matters, nor any guidelines that establish requirements for such procedure.

This issue has not arisen in the firm’s jurisdiction.

During 2020, and in accordance with what has already been mentioned, two relevant cybersecurity regulations were issued, Resolution No 1318 of SUBTEL and the new Chapter 20-10 of the Updated Compilation of Standards (RAN).

Additionally, cybersecurity has been on the agenda, given the cases of cyber-attacks on large institutions in Chile, such as the Banco del Estado – an attack which paralysed the bank and left it unable to open its offices for an entire working day.

According to data from FortiGuard Labs, Fortinet's threat intelligence and analysis department, Chile suffered more than 2.1 billion attempted cyber-attacks in the first half of 2021.