NCG 454: Operational Risk & Cybersecurity for Financial Entities
The CMF’s General Standard No. 454 sets the operational and technological risk management framework for regulated Chilean financial entities.
What is NCG 454?
NCG 454 (Norma de Carácter General N° 454) is the rule issued by the Comisión para el Mercado Financiero (CMF) that consolidates the operational and technological risk management framework applicable to the financial entities it supervises. The standard translates supervisory expectations around governance, continuity, outsourcing and cybersecurity into a set of concrete duties, with a tiered implementation that takes into account the size and complexity of each entity.
Where earlier CMF circulars addressed operational risk and information security separately, NCG 454 brings them under a single, principles-based framework and extends it to technology-driven incidents and cyber threats. It sits alongside sector-specific rules, such as RAN 20-10 for banks, and must be read together with the obligations introduced by Chile’s 2024 Cybersecurity Framework Law 21.663.
Scope and addressees
The standard reaches the full catalogue of entities supervised by the CMF: banks, cooperatives, securities intermediaries, general fund managers, insurance companies and other regulated financial intermediaries. Application is proportional: entities with greater size, complexity or systemic relevance face more demanding expectations, while smaller entities apply a simplified version of the same core duties.
Main obligations
- Governance. Board and senior management accountability for the operational and technological risk management framework, with a documented risk appetite and regular reporting.
- Risk management. Identification, measurement, control and monitoring of operational, technological and cyber risks, including risks arising from third parties and outsourcing.
- Business continuity. Continuity and recovery plans that cover critical processes, recovery time objectives and periodic testing.
- Cybersecurity. A cybersecurity programme with preventive, detective and responsive controls, a designated function responsible for it, and incident management procedures.
- Incident reporting. Timely communication to the CMF of operational and cyber incidents that could affect the entity’s stability, customers or the integrity of the market.
Relation with the Cybersecurity Framework Law 21.663
NCG 454 and Law 21.663 operate in parallel; neither replaces the other. The CMF continues to exercise its supervisory powers over regulated financial entities, while the National Cybersecurity Agency (ANCI) adds a cross-sector regime of duties and incident notifications. Entities that qualify as operators of vital importance (OIV) therefore need to coordinate incident reporting to both regulators and align their cybersecurity programmes with the requirements of both frameworks.