Corporate Criminal Liability in Cybersecurity | Anguita Osorio Abogados
Legal analysis of corporate criminal risk, the prevention model and regulatory compliance in computer crimes
Cybersecurity and Criminal Liability of Legal Entities
Law 21.595 on computer crimes exposes companies to direct criminal liability. We analyze how a cybercrime can result in sanctions for the company and how a robust Crime Prevention Model (CPM) constitutes the main defense tool for the organization and its Board.
Corporate Criminal Risk from Cybercrimes
Law 21.595, which modernizes computer crimes, incorporated cybercrimes into the catalog of Law 20.393 on Criminal Liability of Legal Entities. This means that a company can be criminally sanctioned for crimes such as system attacks, espionage, or computer sabotage.
The imputation to the company is not automatic. It requires the prosecution to prove that the crime was a consequence of an "organizational defect", that is, a breach of the company's own management and supervision duties.
⚠️ Criminal Consequences for Legal Entities
Sanctions can compromise the company's viability and include:
- Dissolution of the legal entity.
- Perpetual prohibition from contracting with the State.
- Loss of tax benefits.
- Fines of up to 300,000 UTM.
The "Organizational Defect" in the Digital Context
In the cybersecurity field, an "organizational defect" manifests through concrete failures in digital risk management. The absence or deficiency of a robust compliance program is the basis for criminal reproach to the corporation.
Indicators of an Organizational Defect:
- Absence of a cybercrime risk matrix: Not identifying and managing specific criminal risks of digital operations.
- Lack of basic technical and organizational controls: no multi-factor authentication (MFA), weak patching policies, or inadequate privileged access management.
- Lack of an incident management plan and breach response.
- Lack of periodic training for personnel on cyber threats and internal policies.
The Crime Prevention Model (CPM) as Corporate Defense
A Crime Prevention Model that has been designed, implemented and certified is the company's main defense tool. Its correct application can exempt the company from criminal liability or mitigate it. An effective CPM in cybersecurity must be integrated into the company's operations and culture.
Pillars of a CPM in Cybersecurity
- Prevention Officer with autonomy and resources.
- Cybercrime risk management.
- Security protocols and controls.
- Continuous supervision and monitoring.
- Permanent training and dissemination.
- Secure reporting channels.
Components of an Effective Corporate Defense
To mitigate criminal liability, the Board and management must focus on structuring a proactive defense, whose main components are:
Design and Implementation of a Crime Prevention Model
The development of a CPM specific to cybercrime risks, which integrates with security management systems (such as ISO 27001 or Law 21.663 requirements) and is prepared for formal certification.
Strengthening Criminal Risk Governance
The formal incorporation of cybercrimes into the criminal compliance risk matrix. This involves active supervision by the Board, definition of clear policies, and periodic reporting on control effectiveness.
Preparation for Incident Response under Legal Privilege
The creation of a crisis response protocol that, from the first moment, activates attorney-client privilege to protect communications and internal investigation, preserving the defense strategy against a possible investigation by the Public Prosecutor's Office.
Frequently asked questions
What cybersecurity risks does a company face under Law 21.595?
Law 21.595 (Economic Crimes) expanded the list of cyber-offences attributable to legal entities. A company can be criminally liable when directors or employees, acting in its interest and due to failures of the prevention model, commit attacks or intrusions covered by Law 21.459 (Computer Crimes).
What obligations does Law 21.663 impose on the corporate sector?
Companies qualified by ANCI as Essential Services or Operators of Vital Importance must implement a security-management system, report incidents within short deadlines, appoint a Cybersecurity Delegate and allow audits. The rest of the corporate sector, even uncategorised, remains exposed to the general duty of care and the criminal standard of Law 21.459.
How is cybersecurity integrated into the crime-prevention model?
The model under Article 4 of Law 20.393 must incorporate IT risk matrices, technical and organisational controls, training, whistleblower channels and incident-response procedures. Certification of the model under the updated Law 21.595 regime is a relevant defence against charges.
What happens if the company suffers a cyber-attack?
There are reporting duties to ANCI (Law 21.663) and, if personal data is affected, to the Data Protection Agency (Law 21.719). Criminally, the incident can trigger charges under Law 21.459 against individuals and, against the legal entity, under Law 21.595. Coordinated legal response protects evidence and reduces sanction exposure.
How is compliance demonstrated to enforcement authorities?
Through a documented model, training evidence, incident logs, independent audits and active certification. The diligence standard is judged by facts: written policies are insufficient if operations cannot show effective execution. Documentary traceability is the line of defence.