
Argentina’s Central Bank Requires Reporting of Cyber Incidents Impacting Customers of the Financial System

The following article was written by our partner Gabriela Szlak, and our associates Luciano N. Gutman and Delfina Bianchi, and published in the Latin American Digest of the IAPP (International Association of Privacy Professionals). The original version can be read in Spanish here

Communication “A” 8280 of the Central Bank of the Argentine Republic (the “BCRA”) updated the Guidelines for Response and Recovery from Cyber incidents (the “Guidelines”).

The Guidelines, first issued in April 2021, set out response and recovery practices for managing cyber incidents. Their purpose was to mitigate risks to financial stability and enhance the cyber-resilience of the financial ecosystem.

These Guidelines apply on a mandatory basis to: a) banks, b) payment service providers, such as digital wallets, aggregators, or payment facilitators, and c) financial market infrastructures known as systemically important payment systems.

A key development in the updated Guidelines is the express obligation for covered entities to notify the BCRA of cyber incidents. The update further clarifies that this duty extends to incidents involving the loss or the unauthorized or fraudulent disclosure of customers’ critical or confidential data.

The initial notification must be submitted within one hour of the incident’s occurrence or detection, providing all information available at that time. The affected entity is then required to provide periodic updates on the remediation measures and plans in place, as well as on any additional actions taken until operations are fully normalized. Finally, once the incident has been contained, recovered, and resolved, the entity must prepare and submit a final report within five calendar days, including an analysis of the root cause and the progress made in addressing it.

It is worth noting that the original Guidelines already required cyber incidents to be reported both to the authorities and to the public. The updated version goes further by requiring, where applicable, that affected parties also be notified. Regarding public communications, the Guidelines recommend having a predefined strategy and involving multiple areas of the organization, such as communications, legal, technology, and cybersecurity. However, neither the original nor the updated Guidelines provide additional details or specific deadlines on this obligation.

Unlike more modern data protection frameworks, such as those in the European Union, Brazil, and Chile (the latter still pending entry into force), Argentina’s Personal Data Protection Law does not require notification of security incidents to either authorities or data subjects. Nonetheless, the local data protection authority has issued guidelines recommending that, in the event of incidents compromising personal data, companies take measures to mitigate potential harm, prepare an incident report, and submit it to the authority.

Moreover, Convention 108+, to which Argentina is a party, requires member States to ensure that data breaches likely to seriously affect individuals’ fundamental rights and freedoms are reported to the authorities. With only a few ratifications still pending before the Convention enters into force, it is expected that, in the coming years, the duty to notify incidents will extend beyond entities under BCRA oversight.

Although the Guidelines are formally addressed to the covered entities mentioned above, they can also be adapted and adopted as best practices by other players in the financial ecosystem, such as technology service providers to financial institutions, and even by organizations in other sectors of the digital economy. Adopting these practices offers entities that participate in the digital economy a practical way to start preparing for the future obligations that will follow from the entry into force of Convention 108+.

 

If your company or organization requires advice on privacy and personal data protection matters, do not hesitate to contact our team at info@lermanszlak.com

 

Gabriela Szlak T° 79 F° 516 C.P.A.C.F.

Luciano N. Gutman T° 145 F° 535 C.P.A.C.F.

Delfina Bianchi

_______________________________________________________________________________________________________

1- Communication “A” 8280/2025: Boletín Oficial República Argentina – Banco Central de la República Argentina – Comunicación “A” 8280/2025

2- Guidelines for Response and Recovery from Cyber incidents: Lineamientos para la respuesta y recuperación ante ciberincidentes (RRCI)

3- Resolution 47/2018: Argentina.gob.ar