$10 Million Bank Heist Heightens Chile Concerns Over Cybersecurity

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Tom Azzopardi

Cybersecurity tops the agenda for Chile’s financial authorities and business leaders after hackers stole $10 million from the country’s second largest bank.

Finance Minister Felipe Larrain is scheduled to meet June 12 with financial regulators and the Central Bank to identify ongoing risks to the financial sector.

Hackers infected around 9,000 computers and hundreds of servers belonging to Banco de Chile, in which Citigroup Inc. owns a 29 percent stake, forcing the bank to halt almost all operations May 24 at its nearly 400 branches throughout the country. It took almost two weeks for the bank to resume normal services.

The heist focused authorities and business leaders on the number of cyberattacks on Chilean entities, which have grown exponentially in recent months. The case has highlighted the need for Chile, which has one of the highest levels of internet penetration in South America, to bolster its readiness for such attacks.

The company has reiterated that despite the breach of its protection measures, clients have not been affected.

“While (the shutdown) affected the quality of our services, they allowed us to ensure at all times the integrity of the information and data so that the security of our clients’ accounts, funds and transactions was not affected,” Banco de Chile said in a May 28 statement.

Banking regulator Superintendencia de Bancos e Institutos Financieros said that it has so far received 54 complaints from customers following the event, of which 24 have yet to be resolved.

The hackers extracted $10 million from the bank’s own accounts, Banco de Chile CEO Eduardo Ebensperger has said in recent interviews.

The bank has filed criminal charges in Hong Kong, to which the extracted funds were diverted.

Data Protection Proposal Pending

Speaking before the Senate’s Finance Committee on June 6, SBIF head Mario Farron said he hadn’t considered the importance of cybersecurity when he was appointed last March. Farron said he would now make it his “number-one priority.”

Lawmakers have criticized the authority’s reaction to the breach at Banco de Chile.

“The bank did not report the information when it should have, and the SBIF has been acting as the bank’s spokesperson, which is extraordinary,” Senator Felipe Harboe, with thetold Farron during the meeting, according to a Senate press release.

Chile in 2017 adopted its first national cybersecurity policy which, among other measures, requires the state to identify critical infrastructure and promotes the development of incident-response teams. The country’s new government, which took office in March, has committed to put it in place.

“This is very good news, given how far we are behind in this field,” Paulina Silva, a lawyer at Carey & Cia, told Bloomberg BNA.

Chile’s banking industry has taken a lead in improving cybersecurity. In January, SBIF issued its first regulations on cybersecurity, requiring banks to maintain a database of security breaches, carry out penetration tests to evaluate the resilience of their security systems, and educate staff and clients on cybersecurity.

However, broader obligations on cybersecurity could come with a new data protection proposal, currently in Congress, which would give companies greater responsibility for protecting their clients’ data.

The Senate bill—awaiting amendments from the new administration—"will be the first that obliges the companies to implement specific security measures with regards to their systems and to notify the authorities when breaches occur,” Silva said.

Request Bloomberg Law: Privacy & Data Security