Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

Banco de Chile considers technology, information security and cybersecurity risk management a fundamental strategic line to identify and assess the risks associated with the Bank’s information assets. For this reason, the Bank has a Technology Risk Management Area responsible for defining, executing and updating its strategy in line with the objectives and priorities defined in the Information Security and Cybersecurity Policy and the Strategic Cybersecurity Plan.

The Technology Risk Management Area has guidelines integrated into the Bank’s overall risk management process to ensure the execution of risk assessment processes as described below:

Project Assessment: This process refers to the identification and assessment of risk scenarios arising from new technological changes to be implemented in response to specific business needs (e.g., regulatory changes, system upgrades or implementation of functionalities associated with the Bank’s new products).
Suppliers Assessment: This process seeks to ensure cybersecurity in the Bank’s supply chain, through risk analysis and controls prior to and during the implementation of outsourced services. The scope of this process considers all current suppliers and those in the process of providing services to the Bank.
Asset Assessment: This process consists of assessing the risk level based on threats, vulnerabilities and sensitivity associated with each technology and information asset owned by the Bank. In turn, the asset assessment process allows us to integrate specific information into the evaluation of the processes, projects, and suppliers.
Process Assessment: This process enables a comprehensive identification of technology, information security and cybersecurity risks associated with the Bank’s business processes.
Red Team Testing: This process consists of an independent technical security test with the objective of identifying and evaluating vulnerabilities, testing hypotheses, techniques, tactics, and procedures (TTP) of a cyber-attack to improve security processes and configurations within the Bank.
Phishing Simulation Testing: This process refers to testing exercises performed across the Bank to evaluate the Bank’s awareness plan and to continue learning about malicious emails that may expose the Bank to cybersecurity threats.

In 2024, we added the following two:

Vulnerability management: This process assesses and determines the technical vulnerabilities that could affect the Bank, prioritizing them according to their potential impact, as well as monitoring and verifying on an ongoing basis the effectiveness of their mitigation.
Cyber Intelligence: This process consists of identifying the threat landscape to which the Bank could be exposed. It is supported by the automation of internal and external threat sources and intelligence feeds.

Furthermore, since 2021 we have engaged an independent third-party provider, which conducts an annual assessment of the Bank’s cybersecurity capabilities and their alignment with the best practices used by banks worldwide.

The Bank considers all information resulting from technology risk management essential for the risk management process and the control of losses that could occur from operational and cybersecurity incidents. Part of this integration is carried out through executive sessions and aspects mentioned in the governance area.

Although our business strategy, results of operations or financial condition have not been materially affected by cybersecurity incidents during the last five years, we understand that cybersecurity risks have been increasing, especially as infiltrating technology continues to become increasingly sophisticated, and while we have implemented several procedures, as described above, we must remain vigilant and alert to such risks and keep our systems and procedures updated to the most recent trends.

For further information about the potential cybersecurity risks of the Bank and how they could affect the Company, see “Item 3. Key Information—Risk Factors—Risks Related to Our Business and Industry—Cybersecurity events could negatively affect our reputation or results of operations and may result in litigation.”

Cybersecurity Risk Role of Management [Text Block]

Governance

The Bank’s governance procedures for technology, information security and cybersecurity risks involve a set of practices and strategies designed to identify, assess, manage and monitor such risks.

To achieve this goal, the Technology Risk Management Area has established a governance framework through the development of a set of regulations, guidelines and methodologies for its management in different scopes of the business including processes, projects, supply chain, and technology changes, among others. This basis provides the Bank with a standardized and clear view of the way in which risks are identified, assessed and monitored and, in turn, allows external parties to gain an initial insight into the Bank’s general governance framework and to associate it with the Area’s lines of work.

The results of technology risk management are first presented to the Bank’s senior management through the Higher Operational Risk Committee. This committee is composed of the chairman of the board, directors and alternate directors. According to its bylaws, this committee also includes the Chief Executive Officer and the managers of the Corporate Risk; the Marketing, Technology, and Digital; the Cybersecurity; and the Commercial divisions; and the Global Control Area. This committee shares and promotes improvements in risk management with a multidisciplinary view and through collaborative work. See “Item 6. Directors, Senior Management and Employees—A. Directors and Senior Management” for further information on the background of the managers from those divisions.

In parallel, the Bank’s Board of Directors engages in cybersecurity decision-making through the Higher Operational Risk Committee, in which the Technology Risk Management Area consolidates and presents the information and results of the risk assessments, monitoring and management for a specific and accumulated timeframe. This committee meets monthly or in extraordinary sessions that may be convened on short notice.

Cybersecurity Risk Management Processes Integrated [Text Block]

The Technology Risk Management Area has guidelines integrated into the Bank’s overall risk management process to ensure the execution of risk assessment processes as described below:

Project Assessment: This process refers to the identification and assessment of risk scenarios arising from new technological changes to be implemented in response to specific business needs (e.g., regulatory changes, system upgrades or implementation of functionalities associated with the Bank’s new products).
Suppliers Assessment: This process seeks to ensure cybersecurity in the Bank’s supply chain, through risk analysis and controls prior to and during the implementation of outsourced services. The scope of this process considers all current suppliers and those in the process of providing services to the Bank.
Asset Assessment: This process consists of assessing the risk level based on threats, vulnerabilities and sensitivity associated with each technology and information asset owned by the Bank. In turn, the asset assessment process allows us to integrate specific information into the evaluation of the processes, projects, and suppliers.
Process Assessment: This process enables a comprehensive identification of technology, information security and cybersecurity risks associated with the Bank’s business processes.
Red Team Testing: This process consists of an independent technical security test with the objective of identifying and evaluating vulnerabilities, testing hypotheses, techniques, tactics, and procedures (TTP) of a cyber-attack to improve security processes and configurations within the Bank.
Phishing Simulation Testing: This process refers to testing exercises performed across the Bank to evaluate the Bank’s awareness plan and to continue learning about malicious emails that may expose the Bank to cybersecurity threats.

In 2024, we added the following two:

Vulnerability management: This process assesses and determines the technical vulnerabilities that could affect the Bank, prioritizing them according to their potential impact, as well as monitoring and verifying on an ongoing basis the effectiveness of their mitigation.
Cyber Intelligence: This process consists of identifying the threat landscape to which the Bank could be exposed. It is supported by the automation of internal and external threat sources and intelligence feeds.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Board of Directors Oversight [Text Block] In parallel, the Bank’s Board of Directors engages in cybersecurity decision-making through the Higher Operational Risk Committee, in which the Technology Risk Management Area consolidates and presents the information and results of the risk assessments, monitoring and management for a specific and accumulated timeframe.
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The results of technology risk management are first presented to the Bank’s senior management through the Higher Operational Risk Committee. This committee is composed of the chairman of the board, directors and alternate directors. According to its bylaws, this committee also includes the Chief Executive Officer and the managers of the Corporate Risk; the Marketing, Technology, and Digital; the Cybersecurity; and the Commercial divisions; and the Global Control Area. This committee shares and promotes improvements in risk management with a multidisciplinary view and through collaborative work.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Although our business strategy, results of operations or financial condition have not been materially affected by cybersecurity incidents during the last five years.
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false