
Peru: Cybersecurity


1. GOVERNING TEXTS

In 2011, Law No. 29.733 on the Protection of Personal Data 2011 (only available in Spanish here) ('the Data Protection Law') was enacted and, a couple of years later, Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 (only available in Spanish here) ('the Regulation') came into force. With both texts in place and the Peruvian data protection authority ('APDP') operating as an entity belonging to the Ministry of Justice and Human Rights, the fundamental human right recognised in Article 2(6) of the Constitution of the Republic of Peru (only available in Spanish here) ('the Constitution') entered a new era, in which, by means of directorial resolutions, opinions by the competent authorities, and administrative decisions resolving claims initiated by individuals or ex-officio investigations, among other actions, data protection provisions and principles have been further interpreted and given content.

Cybersecurity has not, however, met the same fate. Indeed, based on the President of the Republic of Peru's legal authority to either approve or reject bills of law introduced by the Congress of the Republic of Peru ('the Congress'), on 11 September 2019, the Executive Power sent a communication to the President of the Congress of the Republic of Peru ('the President of the Congress'), rejecting a draft of a Cybersecurity Law ('the Draft'). The Draft had been, in fact, the outcome of two previous independent initiatives:

  • Draft 4237/2018-CR for a Law that Promotes Security and Computing in Peru and the Establishment of a National Cybersecurity Council; and
  • Draft 4352/2018-CR for a Cybersecurity Law.

The reasons explained in the letter sent to the President of the Congress are several, but had one common thread - that the Draft allegedly sought to unnecessarily replicate the efforts, functions, and powers pertaining to cybersecurity already granted and developed since 2017 by the Department of Digital Governance ('SeGDi'). Indeed, as indicated in the document sent by the Executive Power, most of the provisions proposed in the Draft did not contemplate the existence of previous regulations, the competencies of committees, and, in general, the current legal landscape.

Besides the immediate consequences of the disapproval of the Draft, compared, for example, to Law No. 30999, the Cyber Defence Law (only available in Spanish here), enacted in August 2019, and the accession of Peru to the Budapest Convention on Cybercrime 2001 by the Congress in January 2019, it is important to point out that cybersecurity, while not regulated by an overarching law or set of regulations, does have an important place and has been subject to a positive awakening due to the situation that Peru, like all countries, faced during the COVID-19 pandemic and the resulting need to encourage the use of computerised technologies.

As is further explained in this Guidance Note, cybersecurity-related definitions, terminology, provisions, and standards have been already developed, among other means, through:

  • data protection regulations and opinions by the APDP;
  • regulations, such as the Framework for Digital Trust and Providing Measures for its Strengthening, the Digital Government laws, and others pertaining to different industries; and
  • the role of the SeGDi and different committees, such as the National Computer Security Incident Response Team ('Pe-CERT').

1.1. Legislation

General legislation

There is no specific law addressing cybersecurity, but there is a legal framework conceived to establish measures to promote digital trust.

In this sense, Emergency Decree No. 007-2020 Approving the Framework for Digital Trust and Providing Measures for its Strengthening (only available in Spanish here) ('the Decree on Digital Trust') is pertinent not only to the public, but also to the private sector, and introduced a definition of 'cybersecurity' as the technological capacity of preserving the proper functioning of networks, assets, and computer systems and to protect them from threats and vulnerabilities in the digital environment. It includes the technical perspective of digital security and is part of the country's digital security framework. The aim of the Decree on Digital Trust is to establish the measures that are necessary to guarantee people's trust in their interactions with digital services provided by public entities and the private sector in the territory of Peru.

Moreover, and as mentioned in section 1 above, data protection legislation, directorial resolutions, and opinions issued by the APDP also address cybersecurity.

In particular, the Data Protection Law has been in force since 2011. Under the Data Protection Law, owners of personal databanks and data processors must establish or generate the necessary and appropriate security measures (technical, organisational, and legal) to protect users' personal data and to avoid the alteration, loss, and mistreatment of, or unauthorised access to, the same.

In addition, in 2013, the APDP issued, by means of Directorial Resolution No. 019-2013-JUS/DGPDP of 11 October 2013, the Information Security Directive ('the Security Directive'), which provides guidelines regarding the security measures required by the Data Protection Law and the Data Protection Regulations. The Security Directive is a tool that facilitates compliance with the Data Protection Law and the Data Protection Regulations and includes, among others, guidelines to determine the security measures that are appropriate to the characteristics of the data processing in question. In particular, the Security Directive proposes a classification of personal data processing into categories and states that, for databanks considered critical, the following measures, among others, are required:

  • all electronic information containing personal data must be stored safely using encrypted access control mechanisms to preserve confidentiality;
  • the equipment used for such processing must have malware protection software to protect the integrity of the personal data and be frequently updated according to the supplier's recommendations and specifications; and
  • the equipment used for the processing must receive preventive and corrective maintenance according to the supplier's recommendations and specifications to ensure their availability and integrity, and that said maintenance be carried out by authorised personnel.

Later, in 2018, the APDP released Report No. 03-2018-JUS/DGTAIPD/DPDP ('the Breach Report') which established that data breaches represent an infringement by the holder of the personal data bank of the security measures required by the Data Protection Law, and cannot be considered force majeure events.

Also in 2018, Legislative Decree No. 1412 approving the Digital Government Law (only available in Spanish here) ('the Digital Government Law') was issued. As stated in Article 1 of the Digital Government Law, its purpose is to establish the framework for a Peruvian digital government, meaning the proper management of digital identity, digital services, digital architecture, interoperability, digital security, and data, as well as the legal regime applicable to the cross-sector use of digital technologies in the digitisation of processes and the provision of digital services by public entities at the three levels of government (national, regional, and local). On 19 February 2021, by means of Supreme Decree No. 029-2021-PCM (only available in Spanish here), the Regulations of the Digital Government Law were enacted, establishing provisions that rule the governance and management of digital technologies within the Public Administration, as well as the legal framework applicable to the use of technologies in the digitisation of processes and the provision of digital services.

Among other relevant provisions, it is important to point out that the Regulations of Emergency Decree No. 006-2020 Establishing the Digital Transformation System (only available in Spanish here) ('Regulations on the Digital Transformation System'), in accordance with the Regulations of the Digital Government Law, indicate that public entities shall appoint a security and digital trust officer, a position responsible for coordinating the implementation and maintenance of the Information Security Management System ('ISMS') in the entity - in addition to a data protection officer ('DPO') who will be in charge of ensuring compliance with the regulations regarding the protection of personal data within the public entity. Furthermore, the Regulations establish the conditions, requirements, and the use of technologies and electronic means in administrative procedures and the use of the single electronic box.

On 16 January 2020, the APDP issued Directorial Resolution No. 01-2020-JUS/DGPDP on the Processing of Personal Data by Video Surveillance Systems (only available in Spanish here) ('the Video Surveillance Directive'). The Video Surveillance Directive contemplates a constructive definition of a security breach, which 'occurs when the data contained in video surveillance systems suffer a security incident that results in the violation of their confidentiality, availability or integrity. Such security incidents may include: the destruction, loss or accidental or unlawful alteration of the personal data transmitted, kept and processed, or the unauthorised communication and/or access to said data'.

Recently, by means of Resolution of the Attorney General's Office No. 843-2021-MP-FN of 9 June 2021 (only available in Spanish here), specialised cybercrime prosecutors have been established in Lima, evidencing the challenges and needs involved in prosecuting cyber crimes that continue to grow and become more sophisticated.

1.2. Regulatory authority

SeGDi

The SeGDi is the line agency belonging to the Presidency of the Council of Ministers with technical and regulatory authority on a nationwide basis that formulates and proposes national and sector policies, national plans, rules, guidelines, and strategies on IT and electronic governance. As set forth in the Regulations of Organisation and Functions of the Presidency of the Council of Ministers, as approved by Ministerial Resolution No. 156-2021-PCM of 17 July 2021 (only available in Spanish here), the SeGDi has, within the framework of its duties, prepared a Program of Implementation of the Recommendations of the Public Governance Study (only available in Spanish here) with the Organisation for Economic Cooperation and Development ('OECD'), clarifying its role of promoting a legal framework that accompanies the digital transformation processes in the Public Administration.

As set forth in the Regulations of the Digital Government Law, a public entity can request a prior technical opinion from the SeGDi regarding a digital technology project it wishes to implement, so that the SeGDi can evaluate compliance with the regulations and the criteria of accessibility, usability, standardisation, and scalability. In addition, under this set of regulations, the SeGDi has been granted powers to issue (ex officio or at the request of an entity):

  • technical opinions when it considers it necessary to clarify or interpret rules that regulate digital government; and
  • specialised technical opinions when queries arise on the matter of digital government, which are issued within the framework of a query by the entity.

Further, as mentioned in the Regulations on the Digital Transformation System, the Presidency of the Council of Ministers, through the SeGDi, is the national authority responsible for directing, evaluating, and overseeing the digital transformation of the country, as well as exercising the digital governance of the Digital Transformation System, in order to achieve the country's objectives in terms of digital transformation and sustainable development.

PeCERT

PeCERT was created in 2009, by Ministerial Resolution No. 360-2009-PCM of 19 August 2009 (only available in Spanish here), as a working group dependent on the SeGDi and in charge of leading efforts to resolve, anticipate, and confront cyber challenges and coordinate the defence against cyber attacks, with the aim of providing the country with a secure position in the field of digital security.

In 2020, under the Decree on Digital Trust, PeCERT was integrated into the National Digital Security Centre ('the Security Centre'), which designated it as the group responsible for:

  • managing the response and/or recovery from digital security incidents at the national level; and
  • coordinating and articulating actions with other teams of similar national nature (national or international) that deal with digital security incidents.

APDP

The APDP exercises the administrative, guiding, normative, resolutive, supervisory, and sanctioning functions related to the right to the protection of personal data. It is the responsibility of the APDP to carry out all the necessary actions to fulfil the purpose and other provisions of the Data Protection Law and Data Protection Regulations and, for this purpose, it enjoys sanctioning and coercive powers.

It is important to mention that the Council of Ministers, in its session on 9 June 2021, approved Bill No. 7870/2020-PE of 10 June 2021 (only available in Spanish here), which proposes the establishment of the National Authority for Transparency, Access to Public Information and Protection of Personal Data, and which integrates the current two authorities and the administrative court of transparency into a single National Authority of Transparency, Access to Public Information and Protection of Personal Data.

As mentioned in the press release that can be found on the platform of the Government of Peru ('the Government'), this integration means that, if approved, the new entity will have the status of a specialised technical body with its own legal status, with greater autonomy and budgetary resources.

Regarding the proposed amendments to the Data Protection Law, it is relevant to note the following: the right to the portability of personal data is recognised, large companies that process and store personal data would be required to appoint a DPO, and an obligation to communicate security incidents that involve personal data would be introduced (both obligations already exist for public entities), among others.

1.3. Regulatory authority guidance

APDP guidance

Please refer to section 1.1 above for information concerning the Security Directive, the Video Surveillance Directive, and the Breach Report, which establishes that data breach cases represent an infringement by the holder of the personal data bank of the security measures required by the Data Protection Law and cannot be considered force majeure events. Please also consider the future developments that the Data Protection Law might undergo, as mentioned in section 1.2.

Furthermore, according to the Decree on Digital Trust, Public Administration entities, digital service providers in the financial sector, basic services (electricity, water, and gas), health and transportation of people, internet service providers, providers of critical activities, and educational services must report and collaborate with the APDP when they verify a digital security incident that involves personal data.

PeCERT

Additionally, PeCERT issues monthly digital security alerts (only available in Spanish here) that correspond to a periodic technical analysis carried out by the Joint Command of the Armed Forces of Peru, the Peruvian Navy, the Peruvian Air Force, the Peruvian Army, the National Intelligence Directorate, the Division of High-Tech Crime Investigation of the National Police, the Association of Banks of Peru, and the SeGDi, within the framework of the Security Centre. The purpose is to inform those responsible for security in public or private entities about threats in the digital environment and to warn of situations that could affect the continuity of their services to the population.

2. SCOPE OF APPLICATION

Please see section 1.1 under general legislation.

3. DEFINITIONS

The following definitions have been taken mainly from the Digital Government Law and its Regulations, as well as the Decree on Digital Trust and the Regulations on the Digital Transformation System. As mentioned in section 1.1, while the former apply to the entities belonging to the Public Administration, the Decree on Digital Trust and the Regulations on the Digital Transformation System apply to entities belonging to both the private and the public sector.

Digital citizen: Those people who meet the following requirements:

  • they have inherent identity attributes;
  • they have a single electronic box; and
  • they have authentication credentials issued, delivered, and/or enabled within the framework of the Regulations of the Digital Government Law (Article 12 of the Regulations of the Digital Government Law).

Digital signature: The electronic signature that, using an asymmetric cryptography technique, allows the identification of the signatory and has been created by means (even remote ones) that guarantee, with a high degree of confidence, that the signatory keeps it under their sole control, so that it is linked only to the signatory and to the data to which it refers, which makes it possible to guarantee the integrity of the content and to detect any subsequent modification. It has the same validity and legal effectiveness as a handwritten signature, as long as it has been generated by a duly accredited Digital Certification Service Provider within the Official Electronic Signature Infrastructure ('IOFE'), and none of the vices of consent provided for in Title VIII of Book IV of the Peruvian Civil Code is present.

The National Digital Signature Platform is the digital platform that allows the creation and validation of digital signatures within the framework of the IOFE, for the provision of digital services provided by Public Administration entities (Article 91 of the Regulations of the Digital Government Law).

Digital trust: The state that emerges as a result of how truthful, predictable, ethical, proactive, transparent, safe, inclusive, and reliable the digital interactions are that are generated between people, companies, public entities, or things in the digital environment, with the purpose of promoting the development of the digital economy and digital transformation. It is a component of digital transformation and includes areas, such as personal data protection, ethics, transparency, digital security, and consumer protection in the digital environment (Article 2 of the Decree on Digital Trust).

Digital environment: The domain enabled by digital technologies and devices, generally interconnected through networks and infrastructures, data, or communication, including the internet, which supports the processes, services, and platforms that serve as a basis for interaction between people, companies, public entities, or devices (Article 2 of the Decree on Digital Trust).

Digital security incident: An event or series of events that can compromise trust, economic prosperity, protection of people and their personal data, and information, among other assets of the organisation, through digital technologies (Article 2 of the Decree on Digital Trust).

Digital Security Incident Response Team: The team responsible for managing digital security incidents that affect the assets of a public entity or a trusted network. Its implementation and conformation is carried out based on the provisions determined by the SeGDi (Article 104 of the Regulations of the Digital Government Law).

Digital security risk: An uncertain effect related to the use, development, and management of digital and data technologies, during any exercise. It results from the combination of threats and vulnerabilities in the digital environment and its dynamic nature, and can undermine the achievement of economic and social goals by altering confidentiality, integrity, and availability of activities or environment, as well as jeopardising the protection of privacy of individuals. It includes aspects related to physical and digital environments, critical activities, people, and organisations involved in the activity, and the organisational processes that support it (Article 2 of the Decree on Digital Trust).

Critical activity: The economic and/or social activity whose interruption has serious consequences for the health and safety of citizens or for the effective operation of the essential services that sustain the economy, society, and government, or affects general economic and social prosperity (Article 2 of the Decree on Digital Trust). In addition, a digital service provider must ensure that all critical activity is supported by a secure, available, scalable, and interoperable infrastructure (Article 9(9.4) of the Decree on Digital Trust).

Cloud services: A technological proposal capable of offering network services in an agile and flexible way, where said services consist of the provision of software, platforms, or infrastructure by a cloud services provider ('CSP') or by the entity itself, accessible over a network, regardless of where the information systems are stored, and transparent to the end user (Guidelines for Use of Cloud Services for Entities in the Public Administration of the Peruvian State approved by Resolution of the Department of Digital Governance No. 001-2018 of 4 January 2018 (only available in Spanish here) ('the Cloud Services Guidelines')).

Digital Service Providers: A digital service provider is defined as any public entity or private sector organisation, regardless of geographic location, that is responsible for the design, provision, and/or access to digital services in Peru (Article 2 of the Decree on Digital Trust).

Digital society: One that values information and knowledge gained through access, use, and appropriation of digital technologies in all its dimensions and that drives the digital economy, digital connectivity, talent and digital innovation, digital education, government, identity, and digital trust, as well as the use of emerging technology in favour of the social and economic well-being of the citizenship (Article 3 of the Regulations on the Digital Transformation System).

Emerging technologies: Technologies capable of generating innovative solutions, such as robotics, analytics, artificial intelligence ('AI'), cognitive technologies, nanotechnology, and the Internet of Things ('IoT'), among others, that make up Industry 4.0 as the new revolution that combines advanced production techniques and operations technology, generating an impact on the digital ecosystem, organisations, and people (Article 3 of the Regulations on the Digital Transformation System).

Electronic file: The organised set of electronic documents that are part of an administrative procedure or service provided exclusively in a certain entity of the Public Administration. All the actions of the procedure are registered and kept in their entirety and in successive order in the electronic file (Article 39 of the Regulations of the Digital Government Law).

Single electronic box: The digital address that is used to receive communications and/or notifications sent by the Public Administration entities to citizens and people in general. It certifies the certainty, integrity, and exact date and time of a communication and/or notification made by a public entity to a citizen or person in general. The electronic address is the only element that identifies an electronic box (Article 53 of the Regulations of the Digital Government Law).

Unique Platform for Documentary Reception of the Peruvian State: The digital registry that is part of the GOB.PE Platform, which allows the reception of electronic documents, requests, and documents sent by citizens and people in general to the entities of the Public Administration, complying with the requirements of each procedure, 24 hours a day, every day of the year (Article 46 of the Regulations of the Digital Government Law).

National Platform for Georeferenced Data – GEOPERÚ: The unique digital platform for the integration of spatial or geo-referenced and statistical data, which harmonises the databases of Public Administration entities for data analysis and territorially focused decision-making. GEOPERÚ is administered by the Presidency of the Council of Ministers, through the SeGDi (Article 77 of the Regulations of the Digital Government Law).

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

According to Article 109 of the Regulations of the Digital Government Law, the ISMS is the set of policies, procedures, resources, and activities that an entity belonging to the Public Administration manages in order to protect its information assets. An ISMS must be implemented in each entity, with a minimum scope covering its mission-related processes and those relevant to its operation.

Related to the ISMS, the Regulations of the Digital Government Law provide in Article 116 that the Framework of the Digital Architecture of the State is directed and evaluated by the SeGDi as the governing body in digital architecture. It comprises investments in IT, IT assets, data, and digital security in order to optimise the use of resources and the provision of digital services.

4.1. Cybersecurity training and awareness

As indicated in section 9 on health services, the Regulations of the Telehealth Law and Telehealth Decree establish that the Regional Health Directorate ('Diresa'), the Regional Health Management ('Geresa'), and the Directorate of Integrated Health Networks ('Diris') must incorporate telehealth training activities in their People Development Plan, to strengthen the skills of the personnel.

4.2. Cybersecurity risk assessments

Article 105 of the Regulations of the Digital Government Law contemplates that public entities have, as a minimum, the following obligations:

  • implement and maintain an ISMS;
  • report digital security incidents to the Security Centre in accordance with the provisions of Article 107 of the Regulations of the Digital Government Law;
  • adopt measures for the management of digital security risks and incidents that affect the entity's assets;
  • disseminate early alerts, notices, and information on digital security risks and incidents in its trusted entity and network;
  • ensure effective, efficient, and safe investigation and cooperation actions with the Security Centre;
  • provide the necessary resources and measures to ensure the effective management of digital security incidents; and
  • require its software development providers to comply with widely recognised standards, technical norms, and best security practices.

In addition, as established in Article 115 of the Regulations of the Digital Government Law, public entities need to plan and carry out tests to assess vulnerabilities in the following assets: computer applications, systems, infrastructure, data, and networks that support the entity's digital services, mission-related processes, or relevant processes. These tests are carried out at least once a year.

The Security Centre requests information from the entity on the tests carried out or coordinates with it on the performance of said tests. The results of the tests carried out can be recorded as documented information by the entity. The Presidency of the Council of Ministers, through the SeGDi, requests said results within the framework of its supervisory functions or when it deems it necessary for the management of a digital security incident.

4.3. Vendor management

Article 105 of the Regulations of Digital Government Law provides that public entities have the obligation to require its software development providers to comply with widely recognised standards, technical norms, and best security practices.

4.4. Accountability/record keeping

Article 113 of the Regulations of the Digital Government Law indicates that a public entity can carry out, on a permanent basis, at least one external audit of its ISMS per year. The results of the audits shall be recorded as documented information by the entity.

The Presidency of the Council of Ministers, through the SeGDi, requests from public entities reports on the audits carried out or on the effective application of the rules on information security or digital security, within the framework of its supervisory functions or when it deems it necessary to prevent or resolve digital security incidents.

5. DATA SECURITY

The Security Directive (see section 1 above) provides organisational, legal, and technical guidelines regarding the security measures required by the Data Protection Law and Data Protection Regulations.

The Security Directive provides guidelines to determine the security measures that are appropriate depending on the characteristics of the processing given to the personal data, which can be basic, simple, intermediate, complex, and critical. The categorisation of the databanks considers the following criteria:

  • the volume of registers;
  • the amount of data;
  • the period of time related to the purpose of the processing of personal data;
  • who holds the data bank;
  • the legal basis for the processing of personal data;
  • multiple locations; and
  • the processing of sensitive personal data.

On the other hand, according to Article 104 of the Regulations of the Digital Government Law, Public Administration entities can set up a digital security incident response team. The team shall form part of the entity's IT bodies or units, or of the organisational unit specialised in information security or similar provided for in its organic or functional structure. Its composition shall be communicated to the SeGDi.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

Article 9 of the Decree on Digital Trust contemplates the obligations of digital service providers stating, among other things, that public entities, providers of digital services in the financial sector, basic services (electricity, water, and gas), health and transportation of persons, internet service providers, providers of critical services, and educational services must notify the Security Centre of any digital security incident. Additionally, digital service providers have the duty to report and collaborate with the APDP when a security incident compromises personal data. The Decree on Digital Trust indicates that private entities can take as a reference the standards issued by SeGDi as soon as they apply to them and generate value for them, and compulsorily implement those that prevent the infringement of people's rights.

With respect to the obligation of public entities to communicate digital security incidents, Article 107 of the Regulations of the Digital Government Law indicates that this shall be carried out in accordance with the provisions of the Decree on Digital Trust. Further, with respect to digital security incidents involving personal data, Article 108 of the Regulations of the Digital Government Law provides that public entities shall communicate and collaborate with the APDP on the identification of digital security incidents that have affected personal data, notifying it within a maximum period of 48 hours from becoming aware of the security breach.

To determine how significant the impact of a digital security incident is, Article 106 of the Regulations of Digital Government Law establishes the following minimum criteria:

  • damage to reputation;
  • loss or financial obligation;
  • interruption of operations, processes, or activities of the entity;
  • unauthorised disclosure of personal data or reserved, secret, or confidential information; and
  • personal damages (physical, psychological, or emotional).

With respect to cloud services contracted by public entities, the Cloud Services Guidelines establish that public entities that contract cloud services may require the CSP to have mechanisms in place for the timely sharing with such entities of any relevant findings about security breaches relating to the data controller or processor.

The Cloud Services Guidelines mention that, according to international data protection standards, it will be optional for public entities that contract cloud services to clearly identify in advance the degree of data security violation that must be communicated, to whom it must be communicated (the customer of the CSP, with the knowledge of the competent data protection authority, and the interested parties), and the relevant modalities. An undetermined obligation to report any breach of personal data security (even a minor or insignificant one) can seriously harm the CSP and generate unnecessary alarm among public entities and citizens in general.

Despite the above, if a cybersecurity incident takes place, it is advisable to evaluate which authorities, besides the Security Centre, could have an interest in being informed about such an incident. For example, please refer to the information on cybersecurity in the financial sector in section 9 below.

7. REGISTRATION WITH AUTHORITY

Registration of digital security incidents reported by digital service providers is required.

Please refer to Article 9 of the Decree on Digital Trust, which indicates that Public Administration entities, digital service providers in the financial sector, basic services (electricity, water, and gas), health and transportation of people, internet service providers, providers of critical activities, and educational services must report to and collaborate with the APDP when they verify a digital security incident that involves personal data.

Additionally, Article 8 of the Decree on Digital Trust contemplates the establishment of the National Registry of Digital Security Incidents ('the Registry'), stating that its purpose is to receive, consolidate, and maintain data and information on the digital security incidents reported by digital service providers at the national level that can serve as evidence or input for their analysis, investigation, and solution.

It is important to note that even though the existence of the Registry has been formally recognised and established by the Decree on Digital Trust, the second final complementary provision of the latter mentions that, in no longer than 90 business days following the publication of the Decree on Digital Trust, the Presidency of the Council of Ministers will implement the Registry and issue regulations, guidelines, and directives for its functioning. To date, no regulations of the Decree on Digital Trust have been issued.

8. APPOINTMENT OF A SECURITY OFFICER

The security and digital trust officer is responsible for coordinating the implementation and maintenance of the ISMS in public entities, in compliance with the standards regarding digital security, digital trust, and digital government. The Presidency of the Council of Ministers, through the SeGDi, issues the profile of the security and digital trust officer in the Public Administration (Article 111 of the Regulations of the Digital Government Law and Article 14 of the Regulations on the Digital Transformation System).

9. SECTOR-SPECIFIC REQUIREMENTS

Financial services

Over the years, the Superintendence of Banking, Insurance and Pension Fund Administration ('SBS') has taken an increasingly vigilant position regarding the overall risk management policies of financial institutions. In this respect, in February 2020, the SBS issued Resolution No. 877-2020 of 26 February 2020 Approving Regulations for Business Continuity Management (only available in Spanish here) ('the Business Continuity Regulations'). The Business Continuity Regulations apply to the companies indicated in Articles 16 and 17 of Law No. 26702, the General Banking Law (only available in Spanish here), as well as to private pension fund administrators. They are also applicable to the National Bank, the Agricultural Bank ('Agrobanco'), the Financial Development Corporation ('COFIDE'), Fondo Mivivienda SA ('Fondo'), and other financial institutions under the control of the SBS, as long as they do not conflict with the specific regulations that govern the actions of said institutions.

According to the Business Continuity Regulations, financial institutions must implement the approved business continuity plans. For these purposes, the Business Continuity Regulations indicate that said institutions must develop, among others, IT services recovery plans that contemplate the following aspects:

  • activation and deactivation criteria;
  • formation of the team in charge of the recovery of IT services, which must include the providers that support said IT services;
  • roles and responsibilities;
  • description of the procedures and resources necessary to recover the IT services; and
  • description of the procedures and resources necessary to return to normal operation of IT services.

Concerning the obligation to report significant interruptions of operations, Article 15 of the Business Continuity Regulations outlines that companies must inform the SBS of the occurrence of a significant operations interruption event as soon as they become aware of it and within a maximum period of one business day. For this purpose, a 'significant operations interruption event' is understood as an event that involves any of the following situations:

  • the suspension in the delivery of the prioritised products and services for a longer time than the respective recovery target time; or
  • the activation of the crisis management plan referred to in the Business Continuity Regulations.

Additionally, and without prejudice to the foregoing, banking companies, financial companies, Municipal Savings and Credit Institutions ('CMACs'), Municipal Popular Credit Institutions ('CMCPs'), Rural Savings and Credit Institutions ('CRACs'), and the National Bank must report to the SBS, as soon as they become aware, and within a maximum period of one business day, the occurrence of the following situations:

  • the suspension in the delivery of the prioritised products and services for a time greater than four hours, even if the associated recovery target time was greater than said time; and
  • the unavailability of 25% or more of a service channel at a given geographic region or at national level, for a period greater than four hours or the recovery target time defined by the company, whichever is less.

Companies with market concentration (companies subject to an effective equity requirement for market concentration risks) must report to the SBS, as soon as they become aware and within a maximum period of four hours, any interruption, degradation, or other type of operational alteration that persists for a period greater than one hour in any service channel.

The information to be sent must include a general description of the event that occurred and must be sent by email to [email protected]; where the company does not have access to email due to the interruption event, it must seek alternative means of communication as far as possible.

Within ten business days after the occurrence of the interruption event reported to the SBS, the company must submit a detailed report explaining the reasons for the failure, the duration, the business lines, products, and affected services, as the case may be, the measures taken to overcome the event, and the situation existing as of the reporting date.

It is important to remark that the Decree on Digital Trust is also applicable as it contemplates the obligations of providers of digital services in the financial sector to notify the Security Centre of any digital security incident.

The SBS approved, on 23 February 2021, Regulation No. 504-2021 on the Management of Information Security and Cybersecurity (only available in Spanish here) ('the Information Security Regulation') and established a series of modifications to various SBS regulations, such as to SBS Resolution No. 272-2007 of 18 January 2017 (only available in Spanish here) ('the Corporate Governance and Risk Management Regulations'), SBS Resolution No. 2116-2009 of 2 April 2009 (only available in Spanish here) ('the Regulations for Operational Risk'), SBS Resolution No. 465-2017 of 2 February 2017 (only available to download in Spanish here) ('the Credit and Debit Cards Regulations'), and SBS Resolution No. 465-2017 (only available to download in Spanish here) ('the Electronic Money Operations Regulations').

The purpose of the Information Security Regulation is to establish the necessary criteria for an adequate management of information security applicable to:

  • the companies detailed in Articles 16 and 17 of the Peruvian Banking, Insurance and Pension Fund Administrators Act 1996 (Act No. 26702, as amended) (only available in Spanish here);
  • the insurance brokerage companies in accordance with SBS Resolution No. 809-2019 ('the Supervision and Control of Insurance Brokers and Auxiliaries Resolution'); and
  • the National Bank, Agrobanco, COFIDE, Fondo, and the Benefit Banks under the control of the SBS.

The Information Security Regulation mainly provides a set of rules for the following:

  • the Information Security and Cybersecurity Management System ('ISMS-C');
  • the implementation of an ISMS-C;
  • the rules for authentication;
  • cloud services; and
  • electronic money.

Regarding the ISMS-C, financial companies must implement an ISMS-C, defined as the set of policies, processes, procedures, roles, and responsibilities designed to identify and protect information assets, detect security events, and anticipate response to and recovery from security incidents. Likewise, the ISMS-C must take into account the size and nature of the company, as well as the complexity of its operations. These companies must have minimum information security measures, such as the use of cryptography to ensure the confidentiality, authenticity, and integrity of information, and must periodically report to the SBS information related to information security management and cybersecurity.

With respect to a Cybersecurity Program ('CP'), the Information Security Regulation provides that companies that have a presence in cyber space must permanently have a CP. A CP must have a diagnosis and an improvement plan regarding its cybersecurity operations, for which it must select an international reference framework on cybersecurity that allows:

  • the identification of information assets;
  • protection against threats;
  • detection of incidents;
  • response with measures that reduce the impact of incidents; and
  • recovery of affected technological services.

It is of particular interest that companies must report to the SBS as soon as they become aware of the occurrence of a cybersecurity incident that has a significant impact in terms of:

  • loss or theft of company or customer information;
  • internal or external fraud;
  • negative impact on the image and reputation of the company; and
  • interruption of operations.

In this sense, the company must make a report that determines the causes of the incident and the actions taken for its management.

Companies must implement authentication processes to control access to the services they provide to their users through digital channels. They must also have tools and procedures to implement transaction monitoring in order to prevent fraudulent operations.

The enrolment of a user in a digital channel requires at least that:

  • the identity of the user is verified and the necessary measures are taken to reduce identity theft; and
  • credentials are generated for the purpose of assigning them to the user.

In case the company uses APIs for the provision of online services, cybersecurity measures must be implemented, such as data encryption and fault tolerance mechanisms.

Regarding cloud services, according to the Information Security Regulation, companies must:

  • carry out an assessment of information security threats and vulnerabilities;
  • ensure that the contract with the Cloud Service Provider allows them to comply with their obligations detailed in the Information Security Regulation; and
  • establish the roles and responsibilities that the CSP will contractually assume in matters of information security.

If a company wishes to implement cloud services, then it must adopt information security policies and procedures that take into account international good practices and ensure that it takes into account certain aspects, such as that the CSP has a registry of events (log) available or other additional records for information security monitoring.

Moreover, the Information Security Regulation provides that companies must obtain a permit from the SBS to contract cloud services provided by a CSP from abroad. The request must include the legal support for the limitations identified and a proposed plan for the implementation of compensatory measures. If the object of the service or the country/city from which the cloud service is received changes, a new request must be made.

The provisions related to electronic money note that the media through which electronic money can be used are:

  • mobile phones;
  • prepaid cards; and
  • any other electronic equipment or device.

Devices that allow the use of electronic money must include at least the following information in a visible and easily accessible way for the user:

  • the company name of the company that issues the medium in which electronic money is used;
  • the commercial name that the company assigns to the product; and
  • the identification of the card system (brand).

Some provisions in Articles 4 and 24 of the Information Security Regulation have been modified by SBS Resolution No. 1515-2021 of 21 May 2021 (only available in Spanish here).

The Information Security Regulation entered into force on 1 July 2021, except for certain articles detailed in SBS Resolution No. 1515-2021, and will repeal Circular No. G-140-2009 of 2 April 2009 (only available in Spanish here) with its entry into force.

Finally, with respect to new forms of financial services, it is important to note that recently, on 6 April 2022, the first legislative initiative referred to as open banking was presented through Bill No. 1584/2021-CR (only available in Spanish here) ('the Open Banking Bill'). The Open Banking Bill declares the implementation of a public policy that promotes the massification of open banking to be of national interest and public necessity. Additionally, it commissions the Executive Power and the SBS to design the implementation strategies for the aforementioned public policy. Open banking can be defined as a model that, using APIs, allows the exchange of data and information between all types of financial and technological institutions, provided that the owner of the data consents to its transfer.

The open banking models that are implemented worldwide seek to improve service options for the final consumer, facilitating the connection between financial institutions and third-party providers. Despite the fact that for many the Open Banking Bill is a 'declarative' initiative, it is considered an important step for open banking and the regulation of FinTech in Peru since it recognises that, in the financial services, the vision regarding the relationship with the customer has changed.

Health

In Peru, cybersecurity matters in the health sector have mainly been elaborated in relation to the processing of electronic medical records and the implementation of telehealth.

In 2013, the Congress issued Law No. 30024 Establishing the National Registry of Electronic Medical Records (only available in Spanish here) ('the Law Establishing the Medical Records Registry') with the purpose of organising, standardising, and systematising medical records.

The Law Establishing the Medical Records Registry was later developed in 2017 through Supreme Decree No. 009-2017-SA (only available in Spanish here) ('the RENHICE Decree') and whereby the National Registry of Electronic Clinical Histories ('RENHICE') was created. The RENHICE Decree introduced into the Peruvian legal system the need to regulate electronic clinical histories, setting forth that their processing, which comprises their recording, storage, updating, access, and use, must be made under security, integration, authenticity, confidentiality, accuracy, intelligibility, conservation, and availability conditions. It was established that the RENHICE must be governed by the principle of security, according to which said registry and the information systems of electronic clinical histories are within the framework of an information security management system that guarantees confidentiality and the right to privacy of the owners of the clinical information contained in the electronic clinical histories. Thus, this rule states that although each patient continues being the owner of the clinical information contained in their clinical history, its secrecy, privacy, and confidentiality, which are key elements of cybersecurity, must be secured by the State, health establishments, and support medical services.

In 2016, the use of ICT to access healthcare services remotely was introduced by Law No. 30421, the Telehealth Framework Law (only available in Spanish here) ('the Telehealth Law'). The purpose of the Telehealth Law is to establish general guidelines for the implementation and development of telehealth as a strategy for the provision of health services, in order to improve their efficiency and quality and increase their coverage through the use of ICT in the national health system. The scope of the Telehealth Law includes all public, private, and mixed health facilities and medical support services in the health sector.

In 2020, the COVID-19 pandemic demonstrated to the Government the importance of using telehealth to provide care, especially as a means of reducing the risk of contagion caused by close contact. In this regard, Legislative Decree No. 1490 (only available in Spanish here) ('the Telehealth Decree') was issued in May 2020 with the aim of optimising processes linked to telehealth. For example, the Telehealth Decree distinguishes the following telehealth services:

  • tele-consultation;
  • tele-interconsultation;
  • tele-orientation;
  • tele-monitoring; and
  • others established by the Ministry of Health through ministerial resolutions.

Additionally, the Telehealth Decree established, among other stipulations, that the provision of telehealth services must be carried out within the framework of personal data protection, information security, and the terms of confidentiality required by current legislation.

In this sense, on 3 September 2020, Directive No. 294-MINSA/2020/OGTI was approved (only available in Spanish here), establishing the administrative criteria for the proper processing of personal data related to health or personal data in health. This directive is part of the telehealth regulatory framework.

In January 2021, Supreme Decree No. 005-2021-SA (only available in Spanish here) ('Regulations of the Telehealth Law and Telehealth Decree') was issued. The purpose of these regulations is to continue with the implementation and development of the health services offered through the use of ICT and strengthen their reach at the national level.

The Regulations of the Telehealth Law and Telehealth Decree indicate that health establishments that develop this service must register with the National Registry of Health Service Provider Institutions. They are responsible for the organisation and sustainability of the services the health establishments will provide, in addition to incorporating the portfolio of services they offer. They also specify that competent health personnel may prescribe medications, if necessary, to patients of the tele-consultation, tele-interconsultation, and tele-monitoring services by means of a physical or electronic prescription with a handwritten or digital signature using ICT, the indications of which will be sent to the patient.

With respect to information security measures, Article 20 of the Regulations of the Telehealth Law and Telehealth Decree establishes that the means of communication, as well as the information and information storage system chosen for the provision of telehealth services, must guarantee confidentiality with regard to the privacy and protection of the personal data of telehealth users and patients, according to the regulations of the Ministry of Health in force and in accordance with the Data Protection Law.

Moreover, Article 23 of the Regulations of the Telehealth Law and Telehealth Decree indicates that institutions providing health services ('IPRESS') that implement and develop telehealth services shall adopt information security measures, comprising technical, organisational, and legal measures, as established in the legal framework on information security and protection of personal data. In this sense, the IPRESSs that provide telehealth services must apply such information security criteria when technical, organisational, or legal incidents are identified during the provision of telehealth services, as part of adopting the corresponding corrective measures.

Therefore, the IPRESSs shall guarantee the authenticity, integrity, availability, and reliability of the data, and use the necessary measures and tools to avoid the risks of impersonation, alteration, or loss of confidentiality and/or any improper, fraudulent, or unauthorised access to the data that is collected.

Regarding training activities, the regulations provide that the Diresa, the Geresa, and the Diris must incorporate telehealth training activities in their People Development Plan, to strengthen the skills of the personnel. Equally, the Ministry of Health will coordinate the training of the corresponding competences in the application of remote health services with the entities.

Concerning the occurrence of digital security incidents, it is important to mention that the Decree on Digital Trust, in force since January 2020, has established that digital service providers, a term that includes providers of health services, must notify the Security Centre of any digital security incident.

Finally, through Supreme Decree No. 003-2022-SA (only available in Spanish here), the Government ordered the extension of the declaration of a health emergency due to the presence of COVID-19 for a period of 180 calendar days starting 2 March 2022. The purpose of the measure is to continue with the prevention, control, and healthcare actions for the protection of the population throughout the country. This is the sixth extension of the state of emergency, initially decreed in March 2020, days after the first cases of COVID-19 were detected in Peru.

Employment

Due to the COVID-19 pandemic, there has been a lot of attention on two legal areas that involve working from home: teleworking and remote work. As is further explained in this section, the rules on teleworking were issued in 2015; even though this modality was not broadly used, it was not until the Government-ordered quarantine took place and opened up the possibility of working from home that most of the cybersecurity concerns were publicly discussed.

In 2015, Law No. 30036 Regulating Teleworking (only available in Spanish here) ('the Teleworking Law') was issued, followed by its regulations, Supreme Decree No. 009-2015-TR (only available in Spanish here) ('the Teleworking Regulations'). According to the Teleworking Law and the Teleworking Regulations, teleworking is defined as a special type of work for which information and telecommunication technology is used and which, therefore, requires the implementation of cybersecurity measures.

The Teleworking Regulations set forth that the teleworking agreement between the employer and the teleworker must include the information management and security measures that will be adopted in relation to the means to be used for teleworking. As regards the rights of a teleworker, the Teleworking Regulations state that a teleworker must receive training in IT, telecommunication, and similar means that they will use to perform the specific job assigned to them, as well as in the restrictions on the use of those means, and the legislation in force on the protection of personal data, intellectual property, and information security. Consequently, it was established that the teleworker has the duty to comply with the legislation in force on information security, data protection and confidentiality, and occupational safety and health. The Teleworking Regulations also set forth that the employer must provide and guarantee appropriate working conditions required for this type of work, such as equipment, access to internet, network connections, IT programs, and information security measures.

In March 2020, the Government issued Emergency Decree No. 026-2020 Establishing Various Exceptional and Temporary measures for Preventing the Spread of Coronavirus in the National Territory (only available in Spanish here) ('the Coronavirus Decree'). One of those measures was related to remote work applicable for the public and private sector. Remote work has been defined in the Coronavirus Decree as the provision of subordinated services with the physical presence of the worker in their home or place of isolation, using any means or mechanisms that make it possible to carry out work outside the workplace, whenever the nature of the work allows it.

Regarding equipment and means to develop remote work, unlike teleworking, the Coronavirus Decree mentions that computers and any other means required for telecommunication (such as internet or telephone), as well as any others necessary for the provision of the services, can be provided by the employer or worker. Also, unlike the rules of teleworking, the Coronavirus Decree imposes on the worker working remotely (not the employer) the obligation to comply with current regulations on information security, protection, and confidentiality of data, as well as keeping confidential the information provided by the employer for the provision of services.

It is important to take into account two further issues. Firstly, the Government approved, by means of Ministerial Resolution No. 072-2020-TR of 25 March 2020 (only available in Spanish here), the Guidelines for the Application of Remote Work (only available in Spanish here). Secondly, Supreme Decree No. 010-2020-TR (only available in Spanish here), also issued in March 2020, modified firstly by Supreme Decree No. 004-2021-TR (only available in Spanish here) and then by Emergency Decree No. 127-2020 (only available in Spanish here), introduced the right of digital disconnection by further regulating it as the right that workers have to disconnect from the computer, telecommunications, and similar means (internet, mobile phones, and computers, among others) used for the provision of services. During such period of disconnection, employers may not require their workers to perform any type of task, respond to communications, or establish coordination that may be considered labour, unless it has been agreed that work performed will be considered overtime.

By means of Emergency Decree No. 115-2021 (only available in Spanish here) that extended the validity of Title II of the Coronavirus Decree and modified other regulations, the Executive Branch established that remote work will be in force until 31 December 2022, in order to prevent the effects of a potential third wave of the pandemic generated by COVID-19 and continue to protect the health of workers in the public and private sectors until after the termination of the health emergency. This means that companies will be able to keep their staff working remotely if they so decide.

Contrary to the Teleworking Regulations, remote work does not require the agreement of the parties, but can be decided unilaterally by the employer. In addition, companies are not required to pay staff any compensation for expenses they may incur on remote work.

On 21 May 2021, the Congress approved Draft 5408/2020-CR (only available in Spanish here) ('the New Teleworking Law'), which will modify the current Teleworking Law with the aim of granting priority to the use of this work modality. The draft New Teleworking Law was sent to the Science, Innovation and Technology Commission of the Congress for opinion. According to the provisions of the New Teleworking Law, remote work can be temporary or permanent, total or partial, within the national territory or abroad, and in the place where the parties agree, provided that the teleworker has the technological, computer, and communication tools necessary. The employer has the obligation to provide technological equipment and internet access service to its collaborators, unless previously agreed between both parties. It must also guarantee all the necessary facilities for the teleworker to have access to the systems, platforms, and other tools that they require.

The New Teleworking Law also establishes that remote employees must have the same rights and obligations as face-to-face workers and according to the employment regime in which they operate. The New Teleworking Law also indicates that employers are obliged to respect the normal working hours of their workers and digital disconnection.

The development of new rules on teleworking and, more recently, remote work, emphasises the need to deliberate more on the importance of protecting the information structure, as well as data and cybersecurity practices for employees. This is an important task that goes beyond the different modalities or labour contracts that imply working in places distinct from the workplace.

In March 2022, the Science, Innovation and Technology Commission of the Congress unanimously approved the terms of the New Teleworking Law, which would apply to public servants and workers in the private sector, who will have the same rights as those who work in person. The terms of the New Teleworking Law still need to be discussed in the Labour and Social Security Commission of the Congress. If approved, the New Teleworking Law would repeal the Teleworking Law that dates back to 2015.

Telecommunications

The Data Protection Law contains a specific reference to the telecommunications sector, establishing that communication and telecommunication service operators have the responsibility to ensure that the personal data provided by their subscribers are kept and managed in a secure, confidential, and adequate manner. In addition, the Data Protection Law requires that operators take all necessary technical, legal, and organisational measures to protect users' personal data. The data provided should only be used for the purposes authorised by their owner.

In this sense, in 2021, the APDP released Report No. 040-2021-JUS/DGTAIPD/DPDP of 20 September 2021 on the delivery of subscriber information to the Public Ministry (only available in Spanish here) ('the Subscriber Information Report'), indicating that concessionary companies of public telecommunications services may only process subscriber information (the identity of holders of telephone numbers and IP addresses) provided that the subscriber, as owner of their own personal data, has given their consent, unless the Public Prosecutor's Office requests it with a court order or there is an express legal mandate. It also states that the Convention on Cybercrime of the Council of Europe ('the Budapest Convention') does not legally empower the Public Prosecutor's Office to obtain subscriber information immediately and without judicial authorisation. Additionally, in order to have effective tools to combat cybercrime within the framework of the international cooperation actions of the Budapest Convention, the Subscriber Information Report indicates that the Public Prosecutor's Office shall promote the adaptation of criminal legislation so as to enable said entity to access subscriber information.

In addition, in 2009 the Ministry of Transport and Communications ('MTC') issued Resolution No. 111-2009-MTC/03 of 6 February 2009 (only available in Spanish here), which establishes the measures that public telecommunications operators must adopt to ensure the inviolability and secrecy of telecommunications, as well as the protection of subscribers' personal data.

The Decree on Digital Trust has established the obligation to notify the Security Centre of any incident of digital security. Additionally, the national authority in charge of supervising and regulating telecommunication operators is the Supervisory Agency for Private Investment in Telecommunication ('OSIPTEL'). In the event of a data breach, telecommunications operators must notify the OSIPTEL, the MTC, and any other authority that could be affected by the breach.

Finally, it is important to mention that the Government has also granted priority to connectivity in rural areas and, for this reason, recently issued Emergency Decree No. 014-2021 (only available in Spanish here) ('the Emergency Decree'), whose purpose was to establish extraordinary and urgent measures in economic and financial matters to enable the MTC, through the National Telecommunications Program ('PRONATEL'), to apply a special procedure for contracting the provision of connectivity in rural areas and places of preferential social interest, within the framework of the national state of emergency and the health emergency produced by the COVID-19 outbreak, in order to mitigate its negative effects on health, education, and development of economic activities.

Education

Cybersecurity in the educational sector has been a rather forgotten matter in Peru and the main reason lies in the limited internet access and connectivity of a vast majority of households in the country. Nevertheless, the COVID-19 pandemic raised awareness on this matter due to the fact that one of the measures adopted by the Government implied the indefinite suspension of face-to-face classes in schools, technical institutions, and universities, and the launch of programs for distance learning, such as 'Learning at home' (only available in Spanish here).

As mentioned in the previous section on cybersecurity practices for employees, in March 2020, the Government issued the Coronavirus Decree. Article 21 of the Coronavirus Decree authorised the Ministry of Education, during the extension of the emergency health period, to establish, as appropriate, legal provisions or guidelines relevant for public and private educational institutions that allow them to provide educational services using remote mechanisms.

Later, since December 2021, the Government has approved a series of provisions for the return to face-to-face and/or blended attendance, as well as for the provision of educational services for the 2022 school year in educational institutions and programmes of basic education located in urban and rural areas, within the framework of the health emergency caused by COVID-19.

Finally, it is important to refer to Supreme Decree No. 093-2019-PCM Approving the Regulations of Law No. 30254 for the Promotion of Responsible Use of Information Technologies and Communications by Children and Teenagers (only available in Spanish here) ('the Regulations on IT Use by Minors'). The Regulations on IT Use by Minors govern the possibility for public and private educational institutions to request that their internet service providers install internet filters, in order to prevent children and teenagers from accessing inappropriate or unsuitable content and to secure and ensure the responsible use of ICT.

Securities market

The Operational Risk Management Regulations (only available in Spanish here), which apply to the organisations authorised to operate by the Superintendence of the Securities Market ('SMV'), were approved in 2016 through Superintendence Resolution No. 00027-2016 of 15 September 2016 (only available in Spanish here) and later amended in 2019 by Resolution No. 014-2019-SMV/01 of 26 March 2019 (only available in Spanish here).

The purpose of the Operational Risk Management Regulations is to establish the general minimum guidelines, standards, and parameters to be complied with by the organisations supervised by the SMV in the design, development, and application of their operational risk management, according to the nature and size of the business.

As mentioned above, it should be pointed out that the Operational Risk Management Regulations expressly provide that the implementation of both an information security management system and a business continuity management system forms part of an appropriate operational risk management system of the organisations. As regards the implementation of the information security management system, the Operational Risk Management Regulations provide that said system will allow securing the confidentiality, integrity, and availability ('CIA') triad and managing risks, including cybersecurity risks, through a proper combination of policies, procedures, controls, organisational structure, and specialised IT tools. On the other hand, as regards the business continuity management system, the Operational Risk Management Regulations state that, in case any event causes the interruption or instability of the operations of the organisation, the purpose of this system will be to give effective responses for the business to continue operating reasonably.

Although the Operational Risk Management Regulations only broadly develop several cybersecurity notions, it is notable that the periodic reports of key operational risk indicators that the organisations must submit to the SMV include, among others, a quarterly report on information security, which covers not only the identified vulnerabilities but also the investment in cybersecurity. This last aspect is certainly relevant because managing the risk of cyber attacks in any organisation requires, in addition to the commitment of management and the directors, the approval of the necessary budgets and investments.

Insurance

Please refer to the Information Security Regulations explained above in the section on the financial sector. Those regulations are applicable to the insurance brokerage companies in accordance with the Supervision and Control of Insurance Brokers and Auxiliaries Resolution.

10. PENALTIES

A data breach can be considered a contravention of the Data Protection Law, in particular of the principle of security, which may lead to the imposition of administrative fines on the holder of the databank or the data processor. These fines may range between five and 50 tax units, equivalent to PEN 23,000 (approx. €5,757) and PEN 230,000 (approx. €57,575) respectively (based on the tax unit for 2022 being PEN 4,600 (approx. €1,151)).

For purposes of calculating the fines established by the Data Protection Law and its Regulations, please refer to the methodology for calculating the fines to be imposed on those who do not make good use of personal data approved by Ministerial Resolution No. 0326-2020-JUS of 23 December 2020 (only available in Spanish here).

11. OTHER AREAS OF INTEREST

Cloud computing

Public entities that enter into agreements with CSPs are required to:

  • have in place an information security policy, information security controls, and risk management process as indicated in Ministerial Resolution No. 004-2016-PCM of 8 January 2016 (only available in Spanish here) and its amendments;
  • observe the guidelines of good practices indicated in the Security Directive issued by the APDP;
  • enter into a Service Level Agreement ('SLA') with the CSP which clearly defines the responsibilities of the public entity and the CSP;
  • require from the CSP an information security certificate widely recognised and based on international standards (ISO/IEC 27001, ISO/IEC 27017, or ISO/IEC 27018), and issued by an independent audit organisation, such as the Federal Risk and Authorisation Management Program ('FedRAMP');
  • require the CSP to manage, at least, the following encryption protocols, which are based on standards and algorithms accepted and tested by the industry: AES, TDES, RSA, and ECC; and
  • in the case of handling payment cards, require the CSP to comply, at least, with the Payment Card Industry Data Security Standard ('PCI DSS').

Viviana García Founder
[email protected]
VGpe, Lima
