On November 17, the Colombian Financial Superintendency issued a circular and an attached document containing instructions related to the Single Cybernetic Incidents Taxonomy (TUIC, for its acronym in Spanish), which applies to information security and cybersecurity reporting on metrics and the Traffic Light Protocol (TLP) labeling guidelines for information exchange. This measure adds minimum requirements to the Basic Legal Circular regarding information security and cybersecurity management and also defines a single taxonomy for reporting incidents. The regulation is already in force.
In order to ensure the correct transmission of information, entities must perform mandatory tests between January 18 and 22, 2021, using the information with a cut-off date of December 31, 2020. Tests must be carried out until the information has been successfully transmitted. Information security and cybersecurity incidents must continue to be reported from [email protected] to [email protected], using the information labeling protocol and taxonomy defined by the entity.
Incident reporting to the SFC, on the other hand, should be carried out using the single cyber incidents classification. In addition, any communications, incident reports, early alerts and newsletters related to information security and cybersecurity should be classified using the TLP. These communications must be sent from the email accounts configured for this purpose. Entities may also use these accounts to send other types of information.