What does the cybersecurity framework law mean for Chilean firms?

Chile's new legal framework for cybersecurity and critical information infrastructure, approved in December last year and enacted in March, could result in high costs for companies operating in the country.

"The regulations establish fines that are so high that stakeholders are demanding greater detail regarding the obligations and other provisions with the aim of complying with the law, that is to say, legal certainty," Macarena Gatica, partner and leader of technology, telecommunications, media and data protection at law firm Alessandri Abogados, told BNamericas.

The new legislation will have a "significant impact" on companies, as it requires them to have a necessary structure to manage cybersecurity risks, she added. "It may imply a change that involves a high-cost investment."

The legislation has not yet gone into full force, partly because issues related to the functioning of the new cybersecurity agency must first be regulated, with the bill approved stating that it will be applied no less than six months after its official publication.

Companies will be required to implement permanent measures to prevent cybersecurity incidents and cyberattacks, report them and resolve them when they occur.

"The new regulations require firms to deploy and strengthen existing cybersecurity measures to meet a minimum standard of protection. This means that companies must have visibility and full control over their attack surfaces to effectively manage digital environments," Carlos Bonavita, systems engineering manager for the southern region at cybersecurity firm Palo Alto, said in an interview with BNamericas.

The framework law establishes three types of offenses: minor, serious and very serious. For operators of vital importance, as determined by the cybersecurity agency, the fines for such infractions could reach up to 40,000 UTM (monthly tax units, approximately US$2.8 million).

Operators considered of vital importance are those whose service provision depends on computer networks and services and that provide services whose interception, interruption or destruction could impact security and public order, the provision of essential services or the effective fulfillment of the State's functions.

In addition to economic fines, the regulation requires companies to inform their users when they have been victims of a cybercrime. 

"It is important to consider the reputational cost that a cybersecurity incident and cyberattack can have on the company, especially regarding the obligation to notify those affected," Gatica underscored.

NEXT STEPS

To comply with the mandates of Chile's cybersecurity law, companies must adapt their computer systems, establish clear security protocols, strengthen data governance, train personnel in cybersecurity and conduct regular risk assessments.

"It is imperative that they have complete visibility of their risk surfaces and the ability to secure their digital ecosystems," said Bonavita.

LAW TO BE REPLICATED ELSEWHERE?

Asked by BNamericas whether other countries in the region will advance similar regulatory initiatives, Bonavita said, "it would be very positive if this type of regulation could be replicated in other Latin American markets." 

"A collaborative environment, like the one currently existing in the European Union, helps all stakeholders to prepare better and respond efficiently to cyberattacks."

Meanwhile, Gatica said that since cybersecurity is a risk that affects all countries equally, "it should be considered state policy. Moreover, joint actions between several countries could be considered."