The regulatory landscape for cybersecurity in Costa Rica has become significantly stricter. The Law on the Protection of Individuals with Regard to the Processing of Their Personal Data (Law 8968), SUGEF’s guidelines on information security, and the growing adoption of ISO 27001 as a benchmark standard create a framework that no company can ignore.
ISO 27001: The Gold Standard
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Its most recent version (2022) organizes 93 controls into four categories: organizational, human, physical, and technological.
ISO 27001 certification is not mandatory in Costa Rica, but an increasing number of companies are requiring it of their suppliers, especially in the financial, healthcare, and technology sectors. For many small and medium-sized enterprises (SMEs), certification has become a competitive advantage and a requirement for securing contracts with large corporations.
SUGEF and the Financial Sector
The General Superintendency of Financial Institutions (SUGEF) has issued specific guidelines on technology risk management and cybersecurity for supervised institutions:
- SUGEF 14-17: Information Technology Management Policy — requires periodic risk assessments, business continuity plans, and access controls.
- SUGEF Agreement 2-10: It includes security requirements for electronic transactions and digital channels.
- Cybersecurity Regulations 2024: Specific requirements for continuous monitoring, incident response, and breach reporting.
Companies that provide services to the financial sector are also subject to these requirements as part of third-party management.
Law 8968: Protection of Personal Data
Costa Rica has the Agency for the Protection of Residents' Data (PRODHAB), which oversees compliance with Law 8968. Companies that process personal data must:
- Register your databases with PRODHAB
- Implement technical and organizational security measures
- Report data breaches affecting citizens
- Ensure ARCO rights (Access, Rectification, Erasure, Objection)
Additional relevant frameworks
- PCI DSS v4.0: Mandatory for companies that process card payments. Version 4.0 requires multi-factor authentication, continuous monitoring, and annual penetration tests.
- SOC 2 Type II: It is increasingly in demand among international clients, especially technology and SaaS companies.
- NIST Cybersecurity Framework 2.0: Although it is not mandatory, it is the most widely used benchmark for evaluating cybersecurity posture.
How to Prepare Your Business
- Gap Assessment: Compare your current status against ISO 27001 or the relevant framework to identify what is missing.
- Risk Analysis: Identify critical assets, threats, and vulnerabilities. Prioritize actions based on their impact on the business.
- Implementation of controls: Implement the necessary technical and organizational controls—from policies to monitoring tools.
- Continuous monitoring: Compliance is not a project—it is a process. A SOC provides the ongoing evidence that auditors need.
- Auditing and Certification: Work with an accredited certification body to obtain formal certification.
