The Argentine Central Bank (ACB) issued Communication ‘A’ 7724 (“Communication”), which updated the technology and information security risk standards to strengthen the cyber resilience of financial institutions. The Communication will become effective on 6 September 2023.
The Communication approves new rules on “minimum requirements for the management and control of information technology and security”.
Generally, the ACB aims for regulated entities (financial institutions) to develop and implement governance programs that include, among other things, the following: (i) risk identification and management; (ii) design of internal policies and procedures; (iii) continuous evaluation and audit of policies to identify and correct errors; (iv) internal awareness and training; and (v) proper documentation and backup of data and information, as well as of any security incident or event.
To this end, financial institutions must implement effective control and management practices in accordance with the complexity of the financial services offered and the technology used. Among others, they must do the following:
- Create a department or role that manages risks related to information technology and security, and develop a strategy aligned with the entity’s operations, processes and structure.
- Classify data and information considering the following criteria: integrity, availability, confidentiality and the value it has for the business.
- Document the purpose of using, by themselves or by third parties, software with artificial intelligence or machine learning algorithms.
- Implement a process for the management of technological infrastructure updates, as well as online security processes.
- Make backup copies to ensure the availability and integrity of data and information systems, establishing retention periods for historical backup copies based on legal and regulatory requirements.
- Implement actions for the detection and deletion of unauthorized profiles in, among others, social networks and e-commerce platforms.
- Develop cyber incident management policies, including roles and responsibilities of the areas involved in their response, and keep a complete record of the cyber incidents suffered in such a way that allows the identification, traceability and evidence of the actions taken until their closure. In terms of communication and notification, they should establish effective procedures for timely and planned response, as well as designate a point of contact for reporting cyber incidents and mitigate the impact in a timely manner.
Finally, the Communication also establishes requirements applicable to the outsourcing or delegation to third parties of certain processes, services and/or activities related to information technology and security processes.