Chile: Bill for cybersecurity and critical information infrastructure - Key takeaways
During the last days of Sebastián Piñera's term as President of Chile, the Government introduced a Bill to Establish a Framework Law on Cybersecurity and Critical Information Infrastructure ('the Bill') to the National Congress of Chile for discussion. As part of the National Cybersecurity Policy for 2017 to 2022, the Bill's purpose is to set out the institutional framework needed to strengthen cybersecurity, expand and reinforce preventive work, create a public culture of digital security, address contingencies in the public and private sectors, and safeguard the security of people in cyberspace. Jaime Urzúa, Associate at Alessandri Abogados, discusses key provisions of the Bill.
Overview
The Bill is structured in ten titles comprising forty-two articles, which establish regulations for state administration bodies, as well as for public and private institutions that possess critical information infrastructure. It also provides a regulatory framework for cybersecurity, liabilities, and associated duties for those bodies, thus establishing minimum requirements for the prevention and resolution of cybersecurity incidents and contingencies.
Principles and definitions
The Bill proposes certain concepts and definitions, such as for cyber attacks, cyberspace, cybersecurity, a Computer Security Incident Response Team ('CSIRT'), minimum cybersecurity standards, cybersecurity incidents (and their management), critical information infrastructure, information network or system, resilience, risks, essential services, IT systems, and vulnerability.
It also introduces a list of principles of general application that serve as normative criteria and also have an integrating and interpretative function. The proposed principles are the following:
- Responsibility: the provider or operator, regardless of the public or private nature of the organisation, is responsible for the security of networks, systems, and data.
- Comprehensive protection: potential risks that may affect the networks or information systems must be identified and appropriate organisational, managerial, and technical measures for their protection must be implemented.
- Confidentiality of information systems: data, connectivity, and systems should be accessed exclusively by persons or entities authorised for this purpose, which should be subject to the responsibilities and obligations established by the law.
- Integrity of computer and information systems: data and configuration elements of a system may only be modified by authorised persons in the performance of their duties or by systems that have the respective authorisation.
- Availability of information systems: data, connectivity, and systems must be accessible for on-demand use.
- Damage control: in the event of a cybersecurity incident or cyber attack, public and private institutions that possess information infrastructure classified as critical must always act diligently and take the necessary measures to prevent the escalation of the cybersecurity incident or cyber attack and its eventual spread to other information systems, including notifying the respective CSIRT of the cybersecurity incident.
- Cooperation with the authority: public and private institutions should cooperate with the competent authority to resolve cybersecurity incidents, and, if necessary, cooperate across sectors, considering the interconnectedness and interdependence of systems and services.
- Sectoral specificity: in sanctioning matters, the application of sectoral regulations should be preferred over that established in the Bill.
Identification of critical information infrastructure and related obligations
The Bill establishes that, every two years, the Government should request a report detailing which sectors or institutions have information infrastructure that should be classified as critical. For that purpose, the report should consider certain elements, such as the impact of a possible disruption or malfunction of information infrastructure components, or the potential effects on the life, physical integrity, or health of people, among others.
Moreover, it establishes obligations for institutions whose information infrastructure is classified as critical, dividing them into general and specific obligations. General obligations refer to the permanent application of the technological, organisational, physical, and information security measures necessary to prevent, report, and resolve cybersecurity incidents and manage risks, as well as to contain and mitigate the impact on the operational continuity, confidentiality, and integrity of the service provided. Specific obligations may range from the deployment of risk management systems to the development and implementation of business continuity and cybersecurity plans.
Creation of the National Cybersecurity Agency
One of the most notable elements of the Bill is the creation of the National Cybersecurity Agency (‘the Agency’), a functionally decentralised public service of a technical and specialised nature, with its own legal personality and assets, whose purpose will be to:
- advise the President of the Republic on matters related to cybersecurity;
- collaborate in the protection of national interests in cyberspace;
- coordinate the actions of institutions with competence in cybersecurity; and
- regulate and oversee the actions of public and private bodies that are not subject to the competence of a sectoral regulator and that have information infrastructure classified as critical.
The main powers of the Agency will consist of advisory duties, issuing technical standards, proposing legislation, coordinating CSIRTs, managing the National Registry of Cybersecurity Incidents, and fostering research, innovation, training, and education, among others.
Further to the above, the Bill provides for the creation of a National CSIRT, which will report to the Agency and will oversee incident response, coordination, collaboration, and other duties.
Sectoral CSIRT regulations
Another interesting aspect of the Bill is the acknowledgment of sectoral CSIRTs, which will have similar tasks to the National CSIRT, but each within the scope of its own sector. Amongst their duties, sectoral CSIRTs will play a key role in reporting and managing cybersecurity incidents, existing, known, or detected vulnerabilities, and suggested action plans to address such cybersecurity gaps. They must also report to the Agency no later than one hour after verifying the existence of a cybersecurity incident that has had a significant impact on the security of the computer systems of an institution with information infrastructure classified as critical, or on the continuity of an essential service.
Government and defence CSIRTs
Among these special CSIRTs, both the Government and the Ministry of Defence should have their own CSIRT teams, with duties similar to those mentioned above. The latter should play a vital part in coordinating the army, navy, air force, and other armed forces of Chile.
Confidentiality of information
Confidentiality is a central obligation of the Bill, which sets forth that background data, information, and records held by the CSIRTs or by their personnel should be considered secret and of restricted circulation for all legal purposes. Cybersecurity risk matrices, operational continuity and disaster recovery plans, cybersecurity risk mitigation and action plans, and cybersecurity incident reports should be deemed information subject to this obligation.
The obligation of secrecy should also apply to those who, without being part of the Agency, become aware of the requests for the execution of special procedures for obtaining information, of the background information that justifies them, and of the judicial decisions issued to that effect.
Violations and sanctions
The Bill establishes the following violations:
- delaying the delivery of information to the authority, or delivering it outside the established term;
- unjustifiably denying information to an authority;
- willfully providing false or manifestly erroneous information; and
- failure to comply with specific obligations.
It also sets fines of between 10 and 20,000 monthly tax units (Unidades Tributarias Mensuales, approx. between €700 and €1,300,000), depending on the severity of the violation.
Inter-ministerial Committee on Cybersecurity
Finally, the Bill will establish an Inter-ministerial Committee on Cybersecurity which will advise the Interior Ministry on cybersecurity and related matters relevant to the operation of public entities and essential services.
Jaime Urzúa Associate
[email protected]
Alessandri Abogados, Santiago