May 18, 2021 - After a public consultation process, the Financial Market Commission (CMF) issued a regulation providing instructions on operational risk management and cybersecurity, as well as periodic self-assessments in both areas for insurance and reinsurance companies.
This new regulation intends to strengthen the supervision currently carried out by the CMF in this area. It establishes a framework for the evaluation of risk management associated with operational risk and cybersecurity. Its main elements are as follows:
- Principles of an adequate operational risk management and cybersecurity system, which will serve as a basis for the Commission's evaluation of companies in this matter. This is done in the context of assessing the companies' solvency level pursuant to General Rule No. 325.
- An annual self-assessment on cybersecurity and a biannual self-assessment on operational risk regarding the compliance level of these principles. Both must include action plans by insurers to detect and close any breaches. Exceptionally for this year, both self-assessments must be reported to the Commission by December 31, 2021.
- Mandatory reporting to the CMF, starting on September 30, 2021, of any cybersecurity-related incidents faced by insurance companies. This includes defining procedures for entities to share this information with the rest of the industry to protect both the system and its users.
Interested parties can access the Rules and Norms section of the CMF website to check the details of the new regulation.