Written by León Lanis V., Paralegal
Cybersecurity has become one of the greatest concerns of the last decade for companies, mainly because the demands of a modern and hyperconnected market require better and more efficient logical and design security features to protect a company, its assets and its customers.
Chile is no stranger to these concerns. Cybercrime has boomed in the region, especially ransomware and phishing attacks, which pose a gigantic threat to companies and customers. In 1993, Chile enacted the Cybercrime law, which created a small catalogue of four crimes that can be enabled or accomplished through computers and other digital vehicles. That law was quickly undermined and made outdated by cybercriminals, who found it easy to stay outside this small set of criminal classifications by turning to other activities. Then, in 2001, many countries, led by the United States, formed the Budapest Convention, which created a wide and varied catalogue of cyber-related crimes and set new standards for signatory countries to enact. Chile fell short in this matter due to its outdated law. This created a big problem for the modernization of the Chilean economy that politicians were pushing towards, mainly because the outdated laws neither served as a deterrent for cybercriminals nor guaranteed protection for companies. A few years ago Chile enacted amendments that changed this, broadening the catalogue of crimes related to the cyber capabilities of criminals and putting Chile at the forefront of the Budapest Convention standards. But many understood this was not enough.
After pushing through laws that punished certain activities, many professionals felt it was necessary to have frameworks, standards and a public institution that could ensure that best practices were in place and that companies were really putting effort into protecting critical infrastructure and their customers. So, two bills were put under discussion: the critical infrastructure protection bill and the cybersecurity framework bill. In this blog, we will dive into the objectives and standards the framework bill will create and how implementing them in your company may be beneficial.
The purpose of this bill is to establish the institutional framework, the principles and the general rules that structure, regulate and coordinate the actions of the State with individuals and companies in matters of protecting the nation's cyber and digital infrastructure. It also establishes the minimum requirements for the prevention, containment, resolution of and response to cybersecurity incidents, creating mechanisms of control, supervision and liability in case those standards are infringed, in order to ensure the cyber-resiliency of institutions, companies and individuals.
This bill creates a set of eight guiding principles to ensure the effective implementation of the aforementioned objectives. These principles are:
- Liability: those offering services related to the use, application and/or exploitation of systems and networks are directly liable for the malpractices and risks that they may pose;
- Comprehensive protection: every action taken to protect a network or system must be proportional to the risks involved;
- Privacy: network and systems operators must ensure the privacy and data protection of the end customer at all times;
- Availability: networks and systems are to be ensured operational at all times;
- Integrity: networks and systems can only be modified and updated by those people or companies with the authority and consent to do so;
- Scalability control: certain companies that are qualified as “critical infrastructure” and public institutions must always ensure the control of scalability of cybersecurity incidents and always notify the pertinent authorities;
- Cooperation: companies must always cooperate with the authorities in order to mitigate and control cyber related incidents;
- Sectoral sanctions: where a specific market regulation provides special sanctions related to the aforementioned principles, those take precedence over the sanctions enacted in this bill.
NATIONAL CYBERSECURITY AGENCY
Following international standards, this bill seeks to create a new autonomous public institution which has the role of safekeeping, supervising and sanctioning breaches of the aforementioned objectives and standards.
The main capabilities of the Agency are to coordinate the actions of the State with the private sector, advise the President on cybersecurity-related matters, administer the national cyber incident registry and enact general rules of application, among other powers.
Regarding the cyber incident registry, every company, apart from those regarded as critical infrastructure, must disclose to the Agency any cyber-related incident within a certain time frame (depending on the depth and extent of the incident). These disclosures will be registered and will serve as case studies to better resolve future incidents. Failure to disclose such events may result in sanctions from the Agency.
Those companies regarded as critical infrastructure, either under this bill or under special decrees, must disclose that information through secure and private channels operated by the national Computer Security Incident Response Team (CSIRT) of the security ministry. In addition, those companies must have dedicated response teams and Chief Information Security Officers (CISOs) on the board of directors.
BENEFITS OF THIS BILL
Beyond avoiding sanctions for non-compliance with this regulation, these standards are an opportunity for companies to better manage their assets and keep good control of the risks that may affect their day-to-day operations. Keeping such high standards is also a good way to retain customers, mainly because a company with good cybersecurity capabilities that ensures a good level of protection for its clients will always be preferred over those that lack such capabilities.
In conclusion, understanding and observing the principles of this bill can ensure that your company can withstand any cyber-related incident and maintain the continuity of its operations in the event of one.