Published legislation and draft legislation - Colombia

Cybersecurity Guidelines for regulated entities

Draft External Circular – Colombian Financial Authority

The draft external circular on the minimum measures required to address cybersecurity risk complements the operational and information security risk management measures that already apply to entities regulated by Colombia’s Financial Authority.

Some of the most important features of the draft regulation are:

  • Definitions have been established for Information Security, Cybersecurity, Cyberspace, Cyberthreat, Cyberattack, Cyber-risk, Cybersecurity event, Security Information and Event Management (SIEM), Security Operation Center (SOC), Vulnerability and others.
  • Institutions’ obligation to have policies and procedures in place, together with the necessary technical and human resources, to effectively manage cybersecurity risk.
  • Adoption, by regulated entities, of minimum cybersecurity measures such as:
    • Policies and procedures
    • Specialized unit for managing risk
    • Management system for cybersecurity risk
    • Use of robust authentication mechanisms
    • Establishing communication strategies for cybersecurity and timely reporting to authorities and customers
    • Regular assessments on cybersecurity management and establishing indicators to measure the efficiency and efficacy of information security and cybersecurity management
  • Essential phases in cybersecurity risk management (Prevention, Protection & Detection, Response & Communication, and Recovery & Learning).