New cyber standards for insurance companies in Chile

Insurance companies in Chile will have to report cybersecurity incidents and undertake regular self-assessments of the operational risks they face in cybersecurity under new rules published by the country’s financial markets regulator.

The new rules come into effect on September 30th and also establish principles and concepts for adequate management of cybersecurity risks in the sector, which the Comisión para el Mercado Financiero, or CMF, will use as the basis for its evaluations. Each year, companies must also assess their compliance with the industry's cybersecurity principles and, if there are any breaches, present action plans to remedy them.

Self-assessments must be carried out every two years. Companies will have to present the first by December 31st. The rules also require insurance companies to report to the commission all cybersecurity incidents and set procedures for the companies to share the information with the rest of the industry in order to protect policyholders.

In an email, CMF said the regulations were based on the best practices adopted by insurance regulators in developed countries, including the International Association of Insurance Supervisors, the European Insurance and Occupational Pensions Authority, and Canada’s Office of the Superintendent of Financial Institutions.

“By proposing the use of best international practices like the NIST Cybersecurity Framework for the whole industry, these rules will imply a significant improvement to the management of cybersecurity,” said Facundo Jamardo, Cybersecurity Services Leader at EY Chile.

Juan Pablo Gonzalez, Cyber Legal Senior Manager at Deloitte Chile, added: "While these apply only to insurance companies and reinsurers, the rules mirror many of those set by CMF for banks and financial institutions, such as the requirement for board approval for cybersecurity risks, the periodic evaluation of cybersecurity plans, and the requirement to report incidents within 30 minutes."

"The rules represent the latest effort by Chilean regulatory bodies to improve cybersecurity standards in the country following delays approving legislation on data privacy and cybersecurity," said Daniel Alvarez, a privacy and cybersecurity expert at the University of Chile and former government adviser.

Telecommunications regulator Subsecretaría de Telecomunicaciones, pensions regulator Superintendencia de Pensiones, and power market operator Coordinador Eléctrico Nacional are among the entities to put out cybersecurity rules for the sectors and businesses they regulate in recent months. “The advantage is that each sector will have its own specific rules drawn up by a regulator with which the companies maintain frequent contact,” Alvarez said. "But the lack of a general framework for cybersecurity matters leaves Chile with significant legal vacuums. For example, there is still no legal obligation for companies to report cybersecurity breaches to affected individuals. Legislation to modernize Chile’s data protection rules has been held up by disagreements over the nature of the new data protection authority while the government has yet to present a long-promised general law on cybersecurity," he added.

