
Communication A7724 from the Central Bank of the Argentine Republic

In March 2023, the Central Bank of the Argentine Republic (BCRA) released a new statement of minimum requirements for the management and control of information technology and security risks, which will replace Com. A4609.

The BCRA has finally published the replacement for Com. A 4609, "Minimum requirements for management, implementation and control of risks related to information technology and information systems", which has been in force since December 2006.

As technology has advanced, new regulatory needs have arisen to safeguard the information of both entities and users, to deal with cybercrime and to prevent fraud. Thus, the Central Bank has published Communication A 7724, which will be enforceable as of September 6, 2023, replaces Com. A 4609, and will be mandatory for all financial entities.

“The importance of this standard is that it updates the mandatory requirements that financial institutions in Argentina must implement for the management of information systems (IS) and information technologies (IT). It incorporates new controls and issues to consider with a fairly short implementation period, since it proposes 180 days from its publication, on March 10 of this year,” explains Fabián Bogado, IT Advisory Director at Grant Thornton Argentina.

What does Com. A7724 imply?

This Communication seeks to solidify the management of technologies, systems, information security, risks and cybersecurity.

To ensure the implementation of "effective practices for internal control and risk management of its IT/IS operating environment", the Central Bank established a set of minimum requirements applicable to processes, structures and information assets.

All entities operating in the country must define the roles and responsibilities of each actor at a hierarchical level, establish policies and procedures for information management, and implement an IT/IS risk management framework, integrated with operational processes, that considers:

The establishment of strategic objectives and goals

The definition of action plans to achieve the objectives

The revision of the action plans

The monitoring and measurement of results.

This communication seeks alignment with operational resilience and establishes processes for continuous improvement, promoting the adoption of standards, a scheme of 3 lines of defence and a risk management culture.

Scheme of 3 lines of defence

Information technology and security risk management should especially consider those scenarios that affect technological resilience, obsolescence, artificial intelligence, the adoption of new or emerging technologies, personal data protection aspects and cyber-incident scenarios, among others.

The BCRA places special emphasis on the management of artificial intelligence (AI) and machine learning (ML) due to the risk that these technologies entail. Their management will involve strong controls and evaluations.

Entities will have the obligation to "ensure the performance of impact assessments and definition of risk appetites for the use of AI" and identify and document the reason for the use (by themselves or third parties) of these technologies in projects or processes.

The analysis of risks associated with AI and ML must weigh at least the privacy and the impact on users as consumers, the data used for their training, the level of maturity of the software testing standards and the possible discrepancies of the models with the reality of the context. Additionally, "processes that promote reliability in the use of this type of algorithms must be implemented."

The new communication also establishes user-related measures. Entities must provide information security training and awareness programs that reach the entire organization, third parties, customers and users of financial services. It also urges that AI management processes include measures to avoid bias or discrimination against groups or segments of customers or users of financial products and/or services.

“The importance of this new BCRA regulation for users of financial services lies in the fact that it significantly raises the bar in relation to technology and information security measures that financial institutions must implement. Therefore, users can expect greater protection of their information and more protection and reliability in the services they receive,” concludes Bogado.
