October 18, 2022, in the Senate Chamber, the bill that establishes a Framework Law on Cybersecurity and Critical Information Infrastructure (Bulletin No. 14847-06) was approved in general -and unanimously-. It was also set November 11 as the deadline for presenting indications.
The main objective of the initiative is to establish the necessary institutional framework to strengthen cybersecurity, preventive work, the formation of public culture on digital cybersecurity, and to face contingencies in both the public and private sectors.
Below you will find 3 significant elements of the project:
To whom would the Framework Law on Cybersecurity and Critical Information Infrastructure apply?
- Bodies of the State Administration.
- State bodies, such as municipalities, autonomous fiscal entities; State companies or those in which the Treasury is involved through capital contributions.
- Private institutions that own Critical Information Infrastructure, where we find companies in the energy, banking or telecommunications sectors.
What are the factors to be considered in order to determine whether a sector or institution has critical infrastructure?
The critical information infrastructure is defined as the facilities, networks, systems, platforms, services and physical information technology equipment whose affectation, degradation, denial of service, interception, interruption or destruction may have a significant impact on national security, on the provision of essential services, on the effective fulfillment of the State’s functions, and in general, on the services that the State must provide or guarantee. Based on the above, every two years, the infrastructure of sectors or institutions may be qualified as critical considering the following factors:
- Impact of a possible interruption or malfunction of the components of the information infrastructure. This must be evaluated under certain criteria.
- Capacity of the affected computer system, network or infrastructure to be replaced or repaired in a short period of time.
- Potential financial losses due to failures or absence of service at national or regional level associated with the gross domestic product (GDP).
- Relevant impact on the functioning of the State and its organs.
What are the obligations of institutions with information infrastructure classified as critical?
- Permanently apply technological, organizational, physical and information security measures necessary to prevent, report and resolve cybersecurity incidents, manage risks, as well as contain and mitigate the impact on operational continuity, confidentiality and integrity of the service provided.
- Implement a permanent risk management system.
- Maintain a record of the executed actions that make up the risk management system.
- Develop and implement operational continuity and cybersecurity plans. These must be updated periodically, at least once a year.
- Continuously carry out review operations, exercises, drills and analysis of networks, computer systems, platforms.
- Adopt the necessary measures to reduce the impact and propagation of a cybersecurity incident.
- Have the certifications of the management systems and processes that are determined.
The bill will now begin its discussion in particular, and government representatives have made clear their objective of introducing improvements and streamlining the governance model, which considers the creation of the National Cybersecurity Agency. The main purpose of the Agency would be to advise the President of the Republic in these matters, as well as to actively collaborate in safeguarding national interests in cyberspace.
At az we are always monitoring legislative advances with the aim of informing and raising awareness of the importance of preventing contingencies and mitigating risks associated with this type of threat. We believe that the approval of a Framework Law on Cybersecurity is a great step forward for our country as it would provide legal certainty in the face of threats that are becoming more and more commonplace for everyone.
For more information on these topics, please contact our az Tech team:
Eugenio Gormáz | Partner | egormaz@az.cl
Gonzalo Navarro | Director az Tech | gnavarro@az.cl
Antonia Nudman | Associate IP, Tech and Data | anudman@az.cl
Natalia González | Associate IP, Tech and Data | ngonzalez@az.cl
Constanza Pasarin | Associate IP, Tech and Data | cpasarin@az.cl