Search for:

Argentina: Minimum requirements for management and control of IT and security risks

By , , and 3 Mins Read

In brief

The Argentine Central Bank (ACB) issued Communication ‘A’ 7724 (“Communication“), which updated the technology and information security risk standards to strengthen the cyber resilience of financial institutions. The Communication will become effective on 6 September 2023.

In focus

The Communication approves new rules on “minimum requirements for the management and control of information technology and security”.

Generally, the ACB aims for regulated entities (financial institutions) to develop and implement governance programs that include, among other things, the following: (i) risk identification and management; (ii) design of internal policies and procedures; (iii) continuous evaluation and audit of policies to identify and correct errors; (iv) internal awareness and training; and (v) proper documentation and backup of data and information, as well as of any security incident or event.

To this end, financial institutions must implement effective control and management practices in accordance with the complexity of the financial services offered and the technology used. Among others, they must do the following:

  • Create a department or role that manages risks related to information technology and security, and develop a strategy aligned with the entity’s operations, processes and structure. 
  • Classify data and information considering the following criteria: integrity, availability, confidentiality and value it has for the business. 
  • Document the purpose of using, by themselves or by third parties, a software with artificial intelligence or machine learning algorithms.
  • Implement a process for the management of technological infrastructure updates, as well as online security processes.
  • Make backup copies to ensure the availability and integrity of data and information systems, establishing retention periods for historical backup copies based on legal and regulatory requirements.
  • Implement actions for the detection and deletion of unauthorized profiles in, among others, social networks and e-commerce platforms.
  • Develop cyber incident management policies, including roles and responsibilities of the areas involved in their response, and keep a complete record of the cyber incidents suffered in such a way that allows the identification, traceability and evidence of the actions taken until their closure. In terms of communication and notification, they should establish effective procedures for timely and planned response, as well as designate a point of contact for reporting cyber incidents and mitigate the impact in a timely manner. 

Finally, the Communication also establishes requirements applicable to the outsourcing or delegation to third parties of certain processes, services and/or activities related to information technology and security processes.

Click here to read the Spanish version.

Categories:
Author

Francisco José Fernández Rostello is a partner and member of the Firm’s Banking & Finance Practice Group in Buenos Aires. He has worked for the International Swaps and Derivatives Association and for Société Générale, New York Branch. He is knowledgeable on matters related to issuance of debt, derivatives transactions, local and cross-border financing, and securities transactions.

Author

Gabriel Gomez-Giglio is partner at Baker McKenzie’s Buenos Aires office, chair of the Latin America Banking & Finance Practice of Baker McKenzie and a member of the Global Steering Committee of the Firm’s Financial Institutions Industry Group. He advises clients on a variety of general commercial issues. His practice focuses on the areas of transactional and regulatory matters, including but not limited to multinational financial transactions, commercial agreements and mergers and acquisitions. Gabriel is a member of the Board and Adjunct Professor of Law at Universidad Torcuato Di Tella and a visiting professor with the Centre for Commercial Law Studies, Queen Mary College, University of London.

Author

Guillermo Cervio is a partner in Baker McKenzie’s Buenos Aires office. With more than 30 years of experience, he is recognized as a foremost practitioner in his field. He founded the IT/C team in Argentina and was the coordinator of the LatAm IT/C team from 2008 to 2017. He is currently a member of the Steering Committee of Baker McKenzie LatAm’s IPTC team.
Guillermo has authored books and articles on legal matters. He has won awards for his book “Derecho de las Telecomunicaciones” (National Academy of Law - Mención de honor, 1998, and Austral University - premio tesina,1997) as well as for the paper he filed in the IX National Congress on Corporate Law (Tucumán, 2004). He has been a professor at the University of Buenos Aires, Austral University, Palermo University, Catholic University and CEMA. In 2003, he was awarded the Folsom fellowship grant by the Center for American and International Law in Dallas.

Author

Martín Roth is a partner in the M&A, Real Estate and TMT practice groups in Baker McKenzie's Buenos Aires office. Martín has more than 13 years of extensive transactional domestic and international experience, focusing on the real estate and TMT industries. Prior to joining Baker McKenzie, he worked as a trainee lawyer on the Corporate, Banking/Finance and Litigation areas with a local law firm in Argentina. From 2007 to 2012, he worked in Baker McKenzie's Buenos Aires office. From 2013 to 2016, he worked as an independent attorney at another law firm. Martín rejoined the Buenos Aires office in 2016 and was named partner in July 2019.

Related Posts