Chile took a major step toward a more resilient cyber landscape for its citizens and the Latin American region on Tuesday, March 26, 2024, when Chile’s president of the Republic, Gabriel Boric, signed and enacted the new Cybersecurity and Critical Information Infrastructure Framework Law. The new framework and regulations it creates allow Chile to strengthen its digital security.
Leading the way is Chile’s brand new National Cybersecurity Agency (ANCI). Drawing on existing agencies in other countries, like the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC-UK), the law creates a cybersecurity framework, sets new norms, creates new regulations and creates a path for government and private companies to interact to help mitigate cybersecurity threats.
ANCI will have advisory, regulatory, supervisory and sanctioning powers, both for public and private organizations. This latter power, sanctioning of private companies, goes beyond what some other countries’ national cybersecurity agencies can do. For example, CISA can regulate and force U.S. government agencies to comply with its requirements but has no power to enforce requirements on non-government agencies and private organizations. That power belongs solely to the U.S. Congress, which so far has avoided enforcing any such cybersecurity requirements.
The new law establishes “essential services,” which must follow ANCI’s requirements. These essential services include critical infrastructure, banking, transportation, the energy sector, telecommunications, healthcare, the pharmaceutical industry and information technology. Companies in these sectors will be required to have cybersecurity plans, be regularly reviewed and conduct cybersecurity simulation exercises.
The law establishes minimum requirements that covered entities must implement to prevent and mitigate cybersecurity incidents. It also includes incident response requirements to help agencies and companies better respond to cybersecurity incidents and mandates required reporting so the government can both track incidents and help plan and coordinate additional responses if needed.
The new Chilean law also covers data protection, cybersecurity education and personal privacy. Cybersecurity awareness will be promoted on national, company-wide and personal levels. The goal is to make all companies and individuals aware of the threats posed by cybercriminals and their tools and how to mitigate the threat. Each covered entity will be required to develop risk management plans and promote a culture of risk assessment and management.
The law also establishes a new National Computer Security Incident Response Team (CSIRT), like many other nations and regions (like the U.S. and UK) have had for a long time. But it will be the first in the Latin American and Caribbean regions.
The new law will expressly promote the cybersecurity industry within Chile and help generate or develop new protective cybersecurity technologies. Both ANCI and CSIRT will coordinate policies and responses with other like-minded international agencies.
For more information:
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
