Risk management systems associated with cybersecurity

October 24, 2022

October, cybersecurity month, is an occasion to raise awareness and promote initiatives so that institutions have the necessary and adequate technical and human resources to manage the risks associated with cybersecurity in a preventive manner.

 

Macarena Gatica
Partner
Alessandri Abogados

 

There are countless sectoral regulations that seek to implement risk management systems associated with information security. NCG 461, for example, establishes that the annual reports of publicly traded companies must report how risks related to personal data protection and cybersecurity are managed.

These regulations prescribe an active role for the board of directors, the identification of assets and risks, the measures to mitigate them and the respective controls. However, the most important element for these management systems to be effective is education, which should not only cover the risks and policies associated with cybersecurity, but also identify the company’s assets, including intangible assets, and the damage from disruption that can result from an intrusion into the company’s systems. Likewise, the implemented system must provide for the corresponding sanctions for employees who violate the established policies and processes. Otherwise, the greatest risk will be the human factor.

The recently published computer crimes have been incorporated as new offences giving rise to criminal liability of legal entities. This is another reason to raise awareness among a company’s employees. Of particular concern is the crime of receiving, which punishes anyone who trades, transfers or stores, in any capacity, computer data, knowing or being able to know its unlawful origin.

Are we able to guarantee the lawful origin of the data we store? Consider a common practice: a salesperson moves between employers, taking customer databases along. This occurs because, on the one hand, such data is not considered an asset of the company and, on the other hand, the practice is not recognized as wrong.