/ CMF receives comments up to December 27th, on the standard regarding “Information management and cybersecurity”

December 20, 2019

The Financial Market Commission of Chile (“CMF” by its initials in Spanish) published a poll based on the Ran 20-10 (Updated Compilation of Banking Standards) entitled “Information management and cybersecurity” with the objective of receiving comments up to the 27th of December, 2019.

This standard establishes the minimum guidelines and practical improvements for banks, subsidiaries Auxiliary Financial Companies and issuers and operators of non-banking payment cards, regarding the procedures of information security and cybersecurity in the field of operational risk management. The compliance with this standard will be part of the management evaluation carried out by CMF on operational risk.


Key issues to consider:

  1. Role of the directory

The directory of the entities regulated by Ran 20-10 must be approved by an institutional strategy and the necessary resources to mitigate associated risks. Therefore, it is the directory’s responsibility to ensure that the entity maintains a system of management of information security and cybersecurity which contains at a minimum a specific management of these risks, specialized personnel, crisis management and planification, approval of risk management policies, process maps, tolerance level, and other matters. Furthermore, the directory must ensure that it is systematically and adequately updated on the risks and the enforcement of policies and the occurrence of incidence.


  1. Compliance

From the analysis of the standard, it is possible to recognize the need for entities to have risk management policies based on the volume and complexity of the institution’s operations. That is to say, a minimum standard must be established, thereafter the entity must continually evaluate the risks, requiring the following: Audits destined to verifying policy compliance, incident management and adopting measures aimed at reducing their effects, as well as promoting the continuation of the operations. All of this with the finality of protecting the company assets and avoiding regulation noncompliance, which is none other than a Compliance Model.

  1. Resilience

At least once a year the entity must approve a business continuity plan. (Ran 20-9).

  1. Identification of assets which make up the critical infrastructure of the financial industry and the payment system

Regulatory report on management of information security and cybersecurity


View Document (469 KB) (only in spanish)

Frequently Asked Questions on Cybersecurity

View Document (173 KB) (only in spanish)

Cybersecurity Presentation

View Document (556 KB) (only in spanish)