We invite you to read the column written by our az Tech director, Ivonne Bueno, where she addressed the three key challenges for Chilean boards of directors regarding cybersecurity in 2025.
According to the study “Radiografía de la Ciberseguridad en Directorios en Chile”, 55% of the directors in the country are not aware of the regulatory risks in cybersecurity. The current context, however, forces them to increase their knowledge about cyber threats.
At the beginning of this year, the Cybersecurity Framework Law (21.663) came into force and with it the National Cybersecurity Agency (ANCI), marking a turning point in the regulation and protection of information security in critical infrastructures in Chile. Although this regulation applies to certain bodies defined in the law, its impact will be much broader. As has happened in other areas, it is likely that regulated entities will require their suppliers to comply with the same standards, indirectly extending the requirements to the entire value chain.
In 2026, Law 21.719 will also come into force, which introduces important modifications to the current Personal Data Protection Law (Law 19.628), raising standards, obligations and penalties. The new regulation will require all organizations that handle personal data to guarantee adequate security standards, protecting them against unauthorized access, leaks or damage.
In a context where Chile is one of the most attacked countries in Latin America, according to recent reports, cybersecurity should be a strategic priority for companies. However, ignorance remains high: more than 55% of directors in Chile are not aware of regulatory risks, according to the study “Radiografía de la Ciberseguridad en Directorios de Chile” (Radiography of Cybersecurity in Chilean Boards of Directors).
Looking ahead to 2025, boards of directors will have to face three major challenges. Firstly, adapting to the new regulations. The new Cybersecurity Framework Law establishes strict requirements for essential and vital services organizations. These will not only be subject to new obligations and audits, but will also have to strengthen their strategy to avoid penalties that can reach up to 40,000 UTM in certain cases.
In addition to the above, there are all the new regulations on the protection of personal information that will be in force this year, which also contain heavy fines (up to 20 thousand UTM) in the event of infringement of certain obligations, including the security of personal data.
Therefore, companies must invest in legal and technological resources, implement security policies and monitor regulatory compliance. Prevention will be key to avoiding financial and reputational impacts.
The second challenge will be to incorporate cybersecurity as a strategic pillar. Historically, cybersecurity has been seen as a technical IT issue. However, recent attacks have shown that it is a critical business risk. A cyberattack can cripple operations, affect business continuity and severely damage corporate reputation.
To mitigate these risks, boards will need to actively engage in cybersecurity governance, designate senior-level accountabilities, establish clear security performance metrics, and review and update incident response plans.
The third challenge will be to ensure adequate investment in cybersecurity. According to the aforementioned “Radiografía de la Ciberseguridad en Directorios de Chile”, 50% of boards allocate a minimal budget to this area, which puts their ability to respond to incidents at risk. In an environment where cyber-attacks are increasingly frequent and sophisticated, cybersecurity cannot be seen as a discretionary expense, but as a strategic investment.
Boards must therefore ensure that resources are commensurate with the risks, which means implementing advanced detection and response technologies, ongoing training for teams and employees, and cyber-attack simulations to assess incident preparedness, among other things.
Cybersecurity in 2025 is more than a technical challenge: it is a key pillar of business sustainability and resilience. Senior leadership must evolve to protect their organizations in an increasingly hostile digital environment. Those companies that take a proactive and strategic approach to cybersecurity will not only reduce the impact of cyberattacks, but will ensure their operational continuity, sustainability and reputation in the long term.
Column written by:
Ivonne Bueno | az Tech Director | ibueno@az.cl
