Responsabilidad Penal Corporativa en Ciberseguridad | Anguita Osorio Abogados
Análisis legal sobre el riesgo penal empresarial, el modelo de prevención y cumplimiento normativo en delitos informáticos
Cybersecurity and Criminal Liability of Legal Entities
Law 21.595 on computer crimes exposes companies to direct criminal liability. We analyze how a cybercrime can result in sanctions for the company and how a robust Crime Prevention Model (CPM) constitutes the main defense tool for the organization and its Board.
Explore the General Cybersecurity FrameworkCorporate Criminal Risk from Cybercrimes
Law 21.595, which modernizes computer crimes, incorporated cybercrimes into the catalog of Law 20.393 on Criminal Liability of Legal Entities. This means that a company can be criminally sanctioned for crimes such as system attacks, espionage, or computer sabotage.
The imputation to the company is not automatic. It requires the prosecution to prove that the crime was a consequence of an "organizational defect", that is, a breach of the company's own management and supervision duties.
⚠️ Criminal Consequences for Legal Entities
Sanctions can compromise the company's viability and include:
- Dissolution of the legal entity.
- Perpetual prohibition from contracting with the State.
- Loss of tax benefits.
- Fines of up to 300,000 UTM.
The "Organizational Defect" in the Digital Context
In the cybersecurity field, an "organizational defect" manifests through concrete failures in digital risk management. The absence or deficiency of a robust compliance program is the basis for criminal reproach to the corporation.
Indicators of an Organizational Defect:
- Absence of a cybercrime risk matrix: Not identifying and managing specific criminal risks of digital operations.
- Lack of basic technical and organizational controls: Lack of multi-factor authentication (MFA), poor patching policies, or inadequate privileged access management.
- Lack of an incident management plan and breach response.
- Lack of periodic training for personnel on cyber threats and internal policies.
The Crime Prevention Model (CPM) as Corporate Defense
A Crime Prevention Model, designed, implemented and certified, is the company's main defense tool. Its correct application can exempt or mitigate criminal liability. An effective CPM in cybersecurity must be integrated into the company's operations and culture.
Pillars of a CPM in Cybersecurity
Prevention Officer with autonomy and resources.
Cybercrime risk management.
Security protocols and controls.
Continuous supervision and monitoring.
Permanent training and dissemination.
Secure reporting channels.
Components of an Effective Corporate Defense
To mitigate criminal liability, the Board and management must focus on structuring a proactive defense, whose main components are:
Design and Implementation of a Crime Prevention Model
The development of a CPM specific to cybercrime risks, which integrates with security management systems (such as ISO 27001 or Law 21.663 requirements) and is prepared for formal certification.
Strengthening Criminal Risk Governance
The formal incorporation of cybercrimes into the criminal compliance risk matrix. This involves active supervision by the Board, definition of clear policies, and periodic reporting on control effectiveness.
Preparation for Incident Response under Legal Privilege
The creation of a crisis response protocol that, from the first moment, activates attorney-client privilege to protect communications and internal investigation, preserving the defense strategy against a possible investigation by the Public Prosecutor's Office.
Legal Analysis: Criminal Liability and Cybersecurity
To access our report on the connection between Law 21.595 and the role of the CPM as a liability exemption, please enter your professional email address.
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business
