RAN 20-10: Information Security and Cybersecurity Management for Banks
Chapter 20-10 of the CMF’s Recopilación Actualizada de Normas (RAN), issued by Circular No. 2.261 of 6 July 2020 and in force since 1 December 2020, consolidates the information security and cybersecurity management framework for banks supervised by the Comisión para el Mercado Financiero.
Scope of application
Chapter 20-10 contains provisions, based on good practices, that entities supervised by the CMF must consider as the minimum guidelines for the management of information security and cybersecurity. The rule defines information security as the set of actions for preserving the confidentiality, integrity and availability of the entity's information, and cybersecurity as the protection of information in cyberspace and of the infrastructure that supports it, aimed at avoiding or mitigating the adverse effects of inherent risks and threats.
Adherence to RAN 20-10 forms part of the CMF's management assessment of banks within the field of operational risk, considering the volume and complexity of their operations. The chapter complements other CMF rules, including Chapter 1-13 on operational risk management, Chapter 20-7 on outsourcing, Chapter 20-8 on information of operational incidents, and Chapter 20-9 on business continuity management.
General management elements
Section 2 places the Board of Directors at the centre of the information security and cybersecurity management system. The CMF expects the Board to:
- Approve the institutional strategy and authorise sufficient budgetary resources to mitigate the associated risks, in line with the volume and complexity of the entity.
- Define an organisational structure with specialised dedicated personnel, high-level collegiate bodies and a designated information security and cybersecurity officer, with adequate functional segregation.
- Establish an independent risk function for the design and maintenance of the identification, monitoring, control and mitigation system.
- Put in place a high-level crisis management body with delegated authority to handle high-impact incidents, with communication channels for timely reporting to authorities and stakeholders.
- Approve risk policies defining scope, risk tolerance, asset inventory, classification criteria and minimum service availability levels, reviewed at least annually.
- Promote a risk culture through formal awareness and training programmes, including external personnel providing outsourced services.
- Ensure regular internal audits of the information security and cybersecurity management process, covering policy compliance and the effectiveness of procedures and controls.
Information security and cybersecurity risk management process
Section 3 requires a formal risk management process covering identification, analysis, valuation, treatment and acceptance or tolerance of the risks to which information assets are exposed, together with ongoing monitoring and review. At a minimum, the process must address:
- Identification of information assets, including physical location and function.
- Identification of threats and vulnerabilities, drawing on internal and external sources.
- Evaluation of existing controls, including their effectiveness and sufficiency.
- Analysis of the consequences of losses of confidentiality, integrity and availability.
- Valuation against previously defined criteria and tolerance.
- A risk treatment plan establishing controls to reduce, accept, avoid or transfer the prioritised risks.
- Formal communication of the risks to the organisation.
- At least annual review of the risk management process to identify the need for methodological or tool adjustments.
Specific cybersecurity elements
Section 4 requires entities to identify their critical cybersecurity assets and to cover the full protect → detect → respond → recover cycle. In particular, the CMF expects:
Protection and detection (4.1)
- An inventory of critical cybersecurity assets classified by confidentiality, integrity and availability.
- Change, capacity, configuration, obsolescence and patch management processes for the IT infrastructure.
- Network protection and segmentation using complementary tools: firewalls, web application firewalls (WAF), intrusion prevention systems (IPS), data loss prevention (DLP), anti-DDoS systems, email filtering and anti-malware.
- Controls for mobile devices, remote work and IoT; identity and physical and logical access management; and monitoring of user activity on critical assets and privileged accounts.
- Cryptography rules defining the information to be protected, authorised algorithms and controls for transmission and storage.
- A backup management process with at least annual restoration testing.
- A Security Operations Center (SOC), in-house or outsourced, operating 24/7 to prevent, detect, evaluate and respond to cybersecurity threats and incidents.
- Regular security testing including pentesting and ethical hacking, with results reported to the Board at least half-yearly.
Response and recovery (4.2)
- Incident response and crisis plans tested at least annually, with an escalation scheme to senior management based on severity.
- A communications plan for high-impact incidents led by senior management and covering internal and external stakeholders.
- An independent forensic analysis process, including identification, collection, acquisition, examination and analysis of digital evidence, with adequate chain of custody.
- A detailed incident database and a lessons-learned knowledge base, used to refine response and to support decision-making in future events.
- At least annual self-assessments of compliance with internal policies, regulatory requirements and leading cybersecurity practices.
National critical cybersecurity infrastructure
Section 5 treats supervised entities as relevant actors in the country's critical infrastructure. Drawing on the definition of the National Cybersecurity Policy, banks must identify the assets that make up the critical infrastructure of the financial industry and the payments system, share technical incident information with other industry participants (always respecting legal secrecy, banking reserve and customer data confidentiality), and take part in joint testing of risk scenarios that could affect the functioning of the financial system.
Relation with the Cybersecurity Framework Law 21.663
RAN 20-10 predates Law 21.663 but operates in parallel with it. The CMF retains its supervisory mandate over banks, while the National Cybersecurity Agency (ANCI) adds a cross-sector regime of duties and incident notifications under Law 21.663. Banks that qualify as Operators of Vital Importance (OIV) must reconcile their CMF cybersecurity programmes with the additional obligations of Article 8 of Law 21.663, including a formal Information Security Management System (ISMS), certified continuity and cybersecurity plans, and a designated cybersecurity delegate for coordination with ANCI.
Frequently asked questions
What does RAN Chapter 20-10 regulate?
RAN Chapter 20-10 of the CMF's Recopilación Actualizada de Normas establishes the information security and cybersecurity management framework applicable to banks in Chile. It defines requirements on governance, risk management, technical controls, vendor management, business continuity, incident management and reporting to the supervisor. It has been in force since 1 December 2020.
Which entities does RAN 20-10 apply to?
It applies to all banks supervised by the CMF — regardless of size. Systemically important banks and banks with greater digital-channel exposure face stricter expectations in line with their risk profile, but all comply with the chapter's core duties.
What are the main obligations under RAN 20-10?
The main obligations are: information security and cybersecurity policy and framework approved by the board; appointment of a security officer with autonomy and independence; technology and cyber risk management programme with critical-asset and threat identification; preventive, detective and responsive controls; vendor and critical-outsourcing management; business continuity and disaster-recovery plans; incident management with response timelines and reporting to the CMF; periodic training; and independent audit.
How does RAN 20-10 relate to NCG 454?
RAN 20-10 is the banking-sector layer on top of the general NCG 454 framework. NCG 454 sets the transversal principles applicable to all CMF entities; RAN 20-10 lands them with more detailed requirements specific to banking (digital channels, ATM networks, core systems, electronic payments). Banks comply with both as a single integrated programme.
How does it relate to Cybersecurity Law 21.663?
RAN 20-10 and Law 21.663 operate in parallel. The CMF retains supervision over banks; ANCI adds the cross-sector OIV/OSE regime with its own incident notification (short timelines) and information-security requirements. Banks designated as OIV must coordinate reporting to both regulators and consolidate the requirements into a single integrated programme.