New Provisions Promoting Technological Security

Newsletter #182

On October 30th, the Guatemalan Monetary Board published two important technology-related resolutions in the Official Gazette: one on technological risk management in financial institutions and the other on security management in electronic channels.

Resolution JM-98-2025 creates new Regulations for Technological Risk Management, repealing the previous 2021 regulations, with the aim of "establishing the minimum guidelines that banks, financial companies, and companies specializing in financial services that are part of a financial group must comply with in order to manage technological risk." This involves, among other things, updating and strengthening aspects related to cybersecurity and the introduction of new technologies such as Artificial Intelligence (AI). It also includes stricter requirements and mechanisms for the exchange of information or the hiring of third parties.

Below are some of the most notable new features:
  • It introduces important concepts and definitions such as cyber threat, cyberattack, cybersecurity, cyber incident, technological risk, artificial intelligence systems, and cyber vulnerability, among others.
  • It adds the obligation to conduct at least one internal audit per year to assess the effectiveness of processes in technology risk management, information security measures, cybersecurity, and relationships with information technology (IT) service providers, in accordance with the regulations.
  • Institutions must also have an IT strategic plan, aligned with their business strategy, and must maintain inventories of their IT infrastructure. An inventory of assets in cyberspace will also be required. Previously, the regulation referred only to inventories of IT infrastructure, information systems, and databases.
  • The functions of the Chief Information Security Officer (CISO) (a service that may be contracted to a third party) are expanded. Now, in addition to coordinating and directing the cyber incident response team and managing those incidents, the CISO must establish key indicators to measure and evaluate the effectiveness of controls.
  • The institutions concerned must manage the security of their information assets to guarantee the confidentiality, integrity, and availability of data, as well as mitigate the risks of loss, improper extraction, and corruption of information through mechanisms such as information identification and classification, security monitoring, physical security controls, and preventive safeguards.
  • Article 22 is specific about the use of artificial intelligence systems. It will be necessary to create a "governance framework for artificial intelligence systems that includes policies and procedures, organization, and risk management." Among the controls to be implemented, "human oversight of decisions made by these systems" is required.
  • There is greater emphasis on governance, as institutions will now be required to develop and implement policies, processes, and procedures for adequate cybersecurity governance, including the definition of objectives, general processes, assignment of specific roles and responsibilities, monitoring mechanisms, and IT service risk management. In addition, cybersecurity training must be provided to personnel performing specialized functions, a computer security incident response team must be organized, and a disaster recovery plan must be implemented (Art. 34).
  • Providers that process and store information must have valid certifications related to technology, information security, and cybersecurity. It will also be mandatory to perform a criticality analysis before each contract[1], and at least during the first quarter of each year, the analysis must be performed again to determine whether the criticality classification of the services has changed.
  • Institutions must keep an up-to-date record of services contracted with third parties that process and/or store information. This must include information such as the name of the vendor and service provider, the service provided, the criticality classification, the contract expiration date, and the geographic location where the information is processed or stored.


The resolution also includes some important dates for implementing the new requirements:

  • Organizations must update their information asset inventories within three (3) months of the entry into force of this regulation.
  • The Technology Risk Management Manual and its disaster recovery plan must be updated within twelve (12) months of the entry into force of this regulation.
  • No later than January 31, 2027, organizations must perform a criticality analysis of all information processing and/or storage services that have been contracted and classify them as critical or non-critical.


For its part, the National Telecommunications Commission (resolution JM-99-2025) amends Article 9 of the Regulation on Security Measures in Electronic Channels. Specifically, it seeks to establish measures that include, at a minimum: the implementation of multiple authentication factors; the use of encrypted communication channels; the use of complex passwords and periodic password changes; the implementation of temporary access blocking measures and alerts to identify unusual movements; and the restriction of connections to sources of malicious activity, together with the identification of internet domains and web pages, in order to ensure the traceability of the devices of customers and users of financial services.

Both approved provisions seek to adapt to updated international standards and implement mechanisms for the protection and control of IT infrastructure. In addition, they respond to the evolution of the technological tools we use daily to implement compliance with best practices and procedures in technological risk management.


[1] The regulation requires institutions to "assess the authenticity and integrity of hardware and software before contracting, acquiring, or using it, and perform due diligence on suppliers before acquiring information assets and/or contracting services with them."

Published on November 6, 2025.
