Thiago Cavalcante

HISPAM Consulting Leader at Telefónica Tech. Originally from São Paulo, Brazil, I have been residing in Santiago, Chile, since 2016. My initial academic background was in education, and later I switched careers to study Business Administration at the Universidade Paulista. I have always had a deep passion for technology, and in recent years, I have dedicated significant efforts to learning programming and obtaining certification as a Scrum Master and Product Owner. Outside of my professional life, I enjoy playing sports and going for walks with my wife and children. Martial arts hold a special place in my life: I am a black belt in judo and have practiced this discipline for many years.

Cyber Security
Chile: Cybersecurity Framework Law. A journey towards business protection
Cyber security has become a critical priority for businesses of all sizes as the world becomes increasingly digitalized. In Chile, the Cyber Security Framework Law 21663, enacted in 2023 and homologated on April 8, 2024, marks a milestone in the protection of critical infrastructure and sensitive information from cyber threats. This law, implemented by Chile's Cyber Security Agency, establishes a series of guidelines and measures that companies must follow to secure their systems and data.

Some of the main sectors that must comply with the Cyber Security Framework Law 21663 include the state's public network, electricity, energy and supply, telecommunications, transport, finance, and health. All sectors that are considered essential for the functioning of the country and the protection of the rights and welfare of citizens must generally implement adequate cyber security measures to prevent, detect, and respond to incidents that may affect their continuity and reliability.

Here begins the journey of a company towards compliance and protection under this new regulation.

1. Risk assessment

The adventure begins with a thorough risk assessment. Imagine a company embarking on a journey of self-awareness, assessing every nook and cranny of its digital infrastructure. At this stage, security managers examine critical assets, those that are vital to day-to-day operations. They identify potential threats, from malware to phishing attacks, and analyze the impact each could have.

2. Security policies and procedures

Once the company has a risk map in hand, the next step is to establish security policies and procedures. It's like mapping out a detailed guide for navigating rough waters. The company should create a cyber security policy that lays out the rules of the game.
These documents are not just to comply with the law, but to ensure that everyone in the organization knows how to act in the face of a threat.

3. Infrastructure protection

The heart of Law 21663 lies in effective infrastructure protection. Here, the company strengthens its digital defenses. It implements robust firewalls, intrusion detection systems, the latest generation antivirus, and an Information Security Management System (ISMS). Imagine a medieval castle that reinforces its walls and guards its gates with zeal. Every piece of data in transit and at rest is encrypted, creating an impenetrable shield against intruders.

4. Incident management

Is it possible that, despite all the precautions, an incident occurs? This is where incident management comes into play. The company must be prepared to respond quickly and effectively. In as little as 3 hours after any incident, the company must inform the National CSIRT about the event that occurred and subsequently submit the action plan based on the documentation generated with its ISMS. This requires establishing an incident response team and designating a delegate, ready to act at any time. The company must also develop response and recovery plans, and conduct drills to ensure that everyone knows what to do when the alarms go off.

5. Training and awareness

Cyber security is not just about technology; it is also about human awareness and preparedness. The company invests in training its staff, organizing workshops and seminars that teach best practices in cyber security. It's like training a crew so that each member knows his or her role in protecting the ship from digital hackers. Regular assessments ensure that knowledge is kept fresh and applicable. You should also have an annual training plan for your employees.

6. Cooperation and reporting

At last, the company understands that cyber security is a collaborative effort.
It maintains open communication with the Chilean Cyber Security Agency, reporting significant incidents and sharing information on emerging threats. It participates in cooperation networks, understanding that strength in defense comes from unity and collaboration.

⚠️ Sectors subject to enforcement can face fines ranging from UTM 5000 to UTM 40000, which is between €260,000 and €330,000. The agency also has the power to impose special penalties, which are not yet specified in the current document.

7. Compliance and deadlines

Compliance with the Cyber Security Framework Act 21663 is more than a legal obligation; it is a journey towards protection and resilience. The adoption of these measures for a company is like building a secure fortress in the vast and dangerous digital ocean. Following these guidelines not only protects your assets and data, but also earns the trust of your customers and strengthens your cybersecurity posture against any threats.

⚠️ The transition period for the applicability of the law is 12 months, with a final date of April 8, 2025, and the agency will be available together with its team of professionals to start the audits on the sectors that are affected.

Telefónica Tech's value proposition for Law 21663

It is an institutional duty to implement the necessary protection measures, requiring the joint collaboration of all institutions and sectors to manage risks. In this context, the legal area is positioned as our fundamental ally, since the obligation established by law reinforces this work.

At Telefónica Tech we have all the necessary capabilities to support institutions during the implementation and adoption of the law. We have a specialized area in GRC consulting (Governance, Risk, and Compliance) with certified consultants who can operate both nationally and internationally. This will allow your company not only to comply with these regulations, but also to effectively integrate into the international market.
Conclusion

Every step in this journey requires commitment, investment and a clear understanding of the importance of cyber security. After all, a company that adopts Law 21663 not only complies with a regulation, but also positions itself as a leader in defending against the growing threats of the digital world.
July 1, 2024