Cybersecurity in the Financial Sector | Anguita Osorio Abogados
Impact of Law 21.663, CMF and ANCI regulatory concurrence, and compliance with regulations such as RAN 20-10
Financial Sector Cybersecurity: Managing CMF-ANCI Regulatory Concurrence
Law 21.663 creates a new dual supervision scenario. The challenge for Boards and management is to align compliance programs required by the CMF (RAN 20-10, NCG 454) with the new ANCI obligations, to manage risk coherently and efficiently.
The Challenge of Dual Supervision: CMF and ANCI
Financial entities now operate under a dual cybersecurity supervision model. In addition to oversight by the Financial Market Commission (CMF), the National Cybersecurity Agency (ANCI) has been added. This concurrence of competencies requires managing a dual compliance front.
The same incident can and must be reported to both entities, under different deadlines and formats, and can potentially generate investigations and sanctions through parallel channels. Managing this duality requires an integrated compliance framework.
The Principle of Regulatory Equivalence
Article 37 of Law 21.663 makes the CMF's preferential sanctioning power conditional on the CMF and ANCI jointly issuing a rule that declares the CMF's regulation "equivalent" to national standards. Without this formal declaration, entities are subject to ANCI's full competence.
Current status: The equivalence regulation remains pending while the implementation of Law 21.663 advances according to the supreme decrees and ANCI resolutions in force.
Operational and Governance Challenges
The Dual Reporting Duty
The coexistence of regimes imposes challenges in incident management:
- Different deadlines and thresholds: A "significant operational incident" for the CMF is not identical to a "cybersecurity incident" for ANCI.
- Parallel reports: The obligation to notify the CMF does not exempt the entity from the duty to report to the National CSIRT in less than 3 hours.
- Internal coordination: Legal, compliance, risk and IT teams must act in coordination to issue consistent communications.
Corporate Governance Adaptation
The Board must expand its oversight to include compliance with Law 21.663. Entities classified as Critical Infrastructure Operators (CIO) must also define the structure and responsibilities of the new role of "Cybersecurity Delegate".
Harmonization with Key CMF Regulations
The new law does not replace CMF regulations but complements them. A successful compliance program must integrate ANCI requirements with:
CMF Regulation | Main Purpose | Integration Point with Law 21.663 |
---|---|---|
RAN 20-10 (Banks) | Security Management System (ISMS). | The ISMS is the basis for complying with CIO duties. |
NCG 454 (Insurance) | Three Lines of Defense Model. | The risk model aligns with the management required by ANCI. |
NCG 538 (Authentication) | Strong Customer Authentication (SCA). | SCA is a key technical measure for cyberattack prevention. |
Others (NCG 502, etc.) | Risk management in Fintech and Intermediaries. | These actors are also Essential Services under the new law. |
Strategic Action Lines for the Financial Sector
To manage this scenario, financial entities should focus on the following analysis areas:
Regulatory Compliance Harmonization
The development of a unified internal control framework that responds to the demands of the CMF and ANCI, mapping existing controls against new obligations to identify gaps and synergies.
Governance Structure Adaptation
The review of Board and senior management responsibilities to reflect oversight of the new legal framework, including the formal definition of the Cybersecurity Delegate role.
Dual Notification Protocol Design
The development of an incident response manual that includes a clear decision tree on what, how and when to report to each authority, ensuring consistency in communications.