On November 25, 2019, the Financial Market Commission published, for public consultation, a proposed amendment to its Updated Regulations Compendium (“URC”) that would enact a new Chapter 20-10 on “Information Security Management and Cybersecurity” (the “New Regulation”).
The main characteristics of this New Regulation can be summarized as follows:
- Regulatory perimeter: The New Regulation will apply to banks, their affiliates, banking business support companies (sociedades de apoyo al giro bancario), and payment card issuers and operators.
- Structure of the New Regulation: The New Regulation is divided into four sections. The first sets general rules on information security management and cybersecurity. The second sets mandatory guidelines to be followed when implementing a risk management process that supports the information security and cybersecurity system. The third sets specific due diligence requirements for cyber risk management, and the last establishes considerations to be observed by the relevant entity, as part of the local critical infrastructure, in accordance with the National Cybersecurity Policy.
- Main provisions: The New Regulation introduces the following main regulatory innovations:
  - It sets specific guidelines on information security management and cybersecurity, making the Board of Directors responsible for approving and supervising the relevant entity’s strategy in this regard. These guidelines establish that the information security management process must guarantee compliance with the law, including the rules on the protection of personal data and intellectual property rights.
  - It defines the minimum stages that the information security and cybersecurity risk management process must comprise.
  - It sets specific due diligence requirements for cyber risk management, such as identifying the critical assets for cybersecurity and their protection mechanisms.
  - It establishes that entities must have policies and procedures for identifying the assets that make up the financial industry’s critical infrastructure, and for exchanging incident information with the entities that form part of that infrastructure.
- Connection with other URC norms: The New Regulation will complement the current rules on information security, such as those in Chapter 1-13, on the evaluation of operational risk management; Chapter 20-7, on the risks undertaken by entities that outsource services; Chapter 20-8, on information on operational incidents; and Chapter 20-9, on business continuity management.
- Entry into force: The New Regulation will take effect on March 1, 2020.
The consultation period will be open until December 27, 2019.