On 26 March 2024, the Chilean President enacted the Chilean Law on Cybersecurity and Critical Infrastructure (Ley Marco de Ciberseguridad e Infraestructura Crítica). It is the first of its kind in Latin America and should be celebrated. This legislation aims to bolster Chile's cybersecurity as organisations in scope will have to increase their cybersecurity to prevent cyber-attacks, but it also brings with it new opportunities for Cyber (re)Insurers. Chile has also approved its National Cybersecurity policy for 2023 - 2028.
The legislation aims to strengthen cybersecurity legislation and regulation in Chile. Its aims are to: i) promote risk management; and ii) implement security standards that improve prevention, containment, resolution and response to incidents or cyber-attacks through cooperation between public and private institutions. It establishes a series of cybersecurity obligations whose non-compliance will result in sanctions that will vary depending on the risk and size of each organisation.
It also establishes a new set of regulatory institutions to assist organisations in scope with implementing preventative as follows:
- A National Cybersecurity Agency - Agencia Nacional de Ciberseguridad (ANCI);
- A Multisectoral Council - Consejo Multisectorial.
The legislation also introduces a National Computer Security Incident Response Team (CSIRT) (Equipo Nacional de Respuesta a Incidentes de Seguridad Informática). It is our understanding that organisations that are impacted by a cyber-attack who fall in scope will need to notify the CSIRT. The CSIRT is responsible for the protection and security of networks for those organisations and services which handle critical infrastructure which are critical to the functioning of the country.
Who is in scope? Both public and private organisations who provide services which impact critical infrastructure. The legislation defines the organisations as either: 'Essential Service Providers' and/or as 'Operators of Vital Importance'. Those definitions are still to be explored further.
Those organisations who do meet the definition will be subject to the following general obligations: i) To permanently implement measures aimed at the prevention, reporting and resolution of cybersecurity incidents; ii) To cyber-attack or cybersecurity incident that may have significant effects to the CSIRT.
The notification requirement will have the greatest impact on the local insurance market and reinsurers, as non-compliance can lead to sanctions, including fines up to USD 1,500,000 approx. There will be aggravating and mitigating factors when it comes to any enforcement action taken by CSIRT which will be set according to whether the organisation adopted the necessary measures to safeguard its IT environment.
Regulation is a positive step as it focusses the mind, especially at board level for organisations to invest in preventative measures, purchase cyber insurance policies and ensure its cybersecurity is robust. It will also assist organisations with reviewing their incident response plan and/or creating one as this is something that the ANCI is promoting to Latin American companies who fall in scope. Although an incident response plan is something which all organisations should aspire to.
Although this legislation does not cover all organisations based in Chile and is specific to those public and private organisations which are linked to critical infrastructure - it is a positive development. It is also a starting point for further legislation to be adopted. Hopefully, the introduction of this legislation will, in turn, increase the adoption of preventative measures and increase the awareness of cybersecurity.
This is especially relevant with the obligation imposed in reporting any cyber incidents and/or cyber-attacks and the financial risk of non-compliance (especially where fines are a sanction). We predict that it will result in a significant increase in the purchase of cyber policies, so (re)Insurers, watch this space. Further, we expect other countries in the Latin American region will be taking note of the advances made by Chile in the cyber space.