We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
18 January 2019
On 27 November 2018 the Ministry of Finance and Public Credit published a resolution modifying the general regulations that apply to banks in the Official Gazette. The resolution responds to the need to strengthen the regulatory framework applicable to banks, particularly with regard to cybersecurity and technological infrastructure. The changes aim to ensure that banks possess the tools necessary to respond to cyberattacks and other risks that could affect their operations. The resolution also aims to guarantee the confidentiality, integrity and availability of customer information.
Under the original regulations, a 'cybersecurity incident' was broadly defined as an event in which:
The resolution has amended the definition of 'users' sensitive information'. This is now defined as any information that identifies an individual, including their name, address, phone number and email address. In addition, it includes:
The resolution has strengthened the regulations with regard to banks' technological infrastructure. For example, the amended regulations establish that any mechanism that allows for the creation of a fingerprint or other biometric database must first be approved by the bank's board of directors.
Further, new requirements regarding banks' technological infrastructure have been established. As regards non-discretionary quantifiable risks, a bank's risk committee must approve a system that classifies the bank's vulnerability to cybersecurity risks in terms of:
Likewise, risk committees must establish and implement policies and procedures for classifying and treating information based on the implied risk of the information's security being breached for each of the bank's specific business units and other operational areas.
The CEO of a bank is now responsible for protecting its integrity and maintaining its technological infrastructure. CEOs must also oversee automated data protection systems and notify the National Banking and Securities Commission of any operational incidents which last more than one hour and:
The notification must be made within one hour of discovering the incident.
A new section entitled "Information Security" has been added to the regulations. It establishes that CEOs are responsible for the implementation of an internal cybersecurity control system and provides a set of obligations in this regard.
CEOs must designate a chief information security officer (CISO) who will directly report to them. CISOs will be responsible for cybersecurity and responding to any requirements set out by the legal authorities or the bank.
Where a cybersecurity incident specified in the resolution occurs and the notification requirements are triggered, the CEO must immediately inform the National Banking and Securities Commission of the incident and undertake an investigation into the cause. The CEO must also implement a plan regarding the actions to be taken to eliminate or mitigate the risks and vulnerabilities that led to the incident. Even if there is no requirement for the bank to notify the commission, it must maintain all of the records relating to the incident which are at its disposal.
In the case of a cybersecurity incident involving sensitive information in the possession of a bank or a third party that renders services thereto, the CEO or the person designated thereby must notify the bank's clients of the possible loss, extraction, alteration or unauthorised access of their information. The notification must be made within 48 hours of the incident's occurrence or the bank becoming aware of it.
Banks must maintain a database registry of incidents, failures or detected vulnerabilities in their technological infrastructure. This information must be backed up and kept for at least 10 years.
Although the resolution came into effect on 28 November 2018, different entry into force dates were established for the various obligations established therein.
For further information on this topic please contact Federico De Noriega, Ana Rumualdo or David Amado at Hogan Lovells BSTL by telephone (+52 55 5091 0000) or email (email@example.com, firstname.lastname@example.org or email@example.com). The Hogan Lovells website can be accessed at www.hoganlovells.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.
Federico De Noriega