Insurance companies in Chile will have to report cybersecurity incidents and undertake regular self-assessments of the operational risks they face in cybersecurity under new rules published by the country’s financial markets regulator.
The new rules come into effect on September 30th and also establish principles and concepts for adequate management of cybersecurity risks for the sector, which the Comisión para el Mercado Financiero, or CMF, will use as the basis for its evaluations. Companies must also assess each year their compliance with the industry's cybersecurity principles and, if there are any breaches, present action plans to remedy them.
Self-assessments must be carried out every two years. Companies will have to present the first by December 31st. The rules also require insurance companies to report to the commission all cybersecurity incidents and set procedures for the companies to share the information with the rest of the industry in order to protect policyholders.
In an email, CMF said the regulations were based on the best practices adopted by insurance regulators in developed countries, including the International Association of Insurance Supervisors, the European Insurance and Occupational Pensions Authority, and Canada’s Office of the Superintendent of Financial Institutions.
"By proposing the use of best international practices like the NIST Cybersecurity Framework for the whole industry, these rules will imply a significant improvement to the management of cybersecurity," said Facundo Jamardo, Cybersecurity Services Leader at EY Chile.
Juan Pablo Gonzalez, Cyber Legal Senior Manager at Deloitte Chile, added: "While these apply only to insurance companies and reinsurers, the rules mirror many of those set by CMF for banks and financial institutions, such as the requirement for board approval for cybersecurity risks, the periodic evaluation of cybersecurity plans, and the requirement to report incidents within 30 minutes."
"The rules represent the latest effort by Chilean regulatory bodies to improve cybersecurity standards in the country following delays approving legislation on data privacy and cybersecurity," said Daniel Alvarez, a privacy and cybersecurity expert at the University of Chile and former government adviser.
Telecommunications regulator Subsecretaría de Telecomunicaciones, pensions regulator Superintendencia de Pensiones, and power market operator Coordinador Eléctrico Nacional are among the entities to put out cybersecurity rules for the sectors and businesses they regulate in recent months. "The advantage is that each sector will have its own specific rules drawn up by a regulator with which the companies maintain frequent contact," Alvarez said. "But the lack of a general framework for cybersecurity matters leaves Chile with significant legal vacuums. For example, there is still no legal obligation for companies to report cybersecurity breaches to affected individuals. Legislation to modernize Chile's data protection rules has been held up by disagreements over the nature of the new data protection authority, while the government has yet to present a long-promised general law on cybersecurity," he added.