On August 31 the Chilean Banking and Financial Institutions Authority (SBIF) published Circular 3.640 modifying Chapter 1-13 of the Updated Regulatory Recompilation (RAN) on how management and solvency are classified, in order to set the guidelines and good practices for managing cybersecurity, and Chapter 20-8, on Information about operational incidents, specifying which of these need to be reported to the regulatory organ.

Chapter 1-13. Classifying management and solvency

As defined in the new Appendix for the amended text, cybersecurity should be understood as all action taken to protect information in cyberspace*, as well as the supporting infrastructure, that has the aim of avoiding or mitigating the adverse effects of the risks and threats inherent to information security and the future of the institution's business.

The most important features of the Circular are as follows:

• Assessing Banks' management: administering operational risk. The standard stresses the importance of having a definition and of identifying the principal information assets, as well as the physical infrastructure supported, and safeguards the security of the same. For these purposes, there is an express requirement that the safety of information assets exposed to cyberspace risk must be managed.
• Good management. Cybersecurity management needs structures to be provided that cover the issues described in the new Appendix 3 to the Circular which regulates, one, management of critical cybersecurity infrastructure and, two, the database of cybersecurity incidents.
• Management of critical cybersecurity infrastructure. The Board of Directors must put a management framework in place with a specific strategy for handling this risk, the institution's tolerance threshold, the liability of the participants and the methodologies to be used for its management, bearing in mind the best practices and characteristics of its business activity.
• Cybersecurity incident database. This includes the baseline conditions for developing and maintaining an Incident Database, to include a regular review on the part of the Board of Directors of this type of incident and their corresponding conclusion about the incident in question. It also mentions the minimum variables that must be considered when drawing up this database.

Chapter 20-8 Reporting operational incidents

The standard also makes amendments to Chapter 20-8 because of the new operational risks inherent to the development of the financial industry, in particular the use of technology in the way it generates, processes and handles its information assets. The most important features it sets out are:

• Requirements relative to the information that must be sent to the SBIF when operational incidents occur
• Obligation to keep clients properly informed about certain events
• Banks' duty to share information about cybersecurity attacks