Brazilian Monetary Council Enacts Resolution on Cyber-Security Binding Financial Institutions
Resolution No. 4,658 of the Brazilian Monetary Council (Conselho Monetário Nacional – CMN), released on April 26, 2018, requires financial institutions and other institutions authorized to operate by the Brazilian Central Bank to implement a cyber-security policy, and sets requirements for their retention (i.e., contracting) of data processing, data storage and cloud computing services.
The Resolution also requires a plan of action for the adaptation of organizational structures to the policy principles and guidelines, and for prevention and response to incidents.
This initiative responds to the rapid growth in the use of electronic channels and technological innovation in the financial sector.
Prior to the issuance of Resolution No. 4,658, there was no regulation dealing specifically with cyber-security in the Brazilian financial environment. Information technology matters were addressed as part of operational risk management, based on the guidelines contained in Resolution No. 3,380, dated June 2006, later replaced by Resolution No. 4,557, dated February 2017.
With the release of Resolution No. 4,658, financial institutions are now required to maintain organizational structures responsible for the maintenance and management of information, with the aim of improving security not only towards customers and consumers but also within the national financial system as a whole.
The Resolution is divided into two main sections: the first deals with the so-called cyber-security policy, subdivided into implementation, disclosure, and the action plan and response to incidents; the second deals with the retention of data processing, storage and cloud computing services.
With regard to the cyber-security policy specifically, such policy must be in line with factors such as the institution's size and business model, nature of operations, complexity of products and sensitivity of information. Generally speaking, the policy must aim at preventing, detecting and reducing the vulnerability to incidents related to the cyber environment.
The Resolution also requires that the policy be disseminated not only to employees but to the public in general.
Another novelty brought by the Resolution concerns the creation of an action and response to incidents plan. The plan must provide measures to comply with the principles and guidelines of the cyber-security policy, covering routines, procedures, controls and technology dedicated to prevention and response to incidents.
The financial institution must designate an officer as the person responsible for the cyber-security policy and for the implementation of the action and incident response plan. Such officer may only carry out other activities if there is no conflict of interest vis-à-vis the function to which they are appointed.
The Resolution also requires the preparation of an annual report on the implementation of the plan, addressing issues such as its effectiveness, a summary of results, relevant incidents related to the cyber environment and the results of business continuity tests.
The cyber-security policy and the action plan must be approved by the Board of Directors of the financial institution or, in its absence, by the Board of Officers, and must be documented and reviewed at least annually.
In relation to the retention of relevant data processing, storage and cloud computing services, the Resolution requires financial institutions to ensure that their policies, strategies and structures for risk management take into consideration the retention of such services, in Brazil or abroad, specifically in relation to the criteria for outsourcing said services. It is important to note that the Resolution provides very clearly that the financial institution will be deemed responsible for the reliability, integrity, availability, security and confidentiality of the retained services.
The retention of services must be communicated to the Brazilian Central Bank at least sixty days in advance of the actual retention. In the case of foreign providers, the following requirements apply: (i) there must be an agreement for the exchange of information between the Brazilian Central Bank and the supervisory authority(ies) of the country(ies) where the services are provided (or, in the absence of such an agreement, the institution must obtain prior authorization from the Brazilian Central Bank to retain the services); (ii) the financial institution must ensure that the provision of the services will neither harm its regular functioning nor hinder supervision by the Brazilian Central Bank; (iii) the institution must define in advance the countries and regions where the services will be provided and where data will be stored, processed and managed; and (iv) the institution must provide alternatives for the continuity of the business in case of discontinuity or termination of the retained services. The institutions are also responsible for ensuring that the laws and regulations of the countries where the services are provided and where data is stored do not restrict or impede access to data and information by the contracting institution and by the Brazilian Central Bank staff.
The Resolution lists those matters that must be provided in the agreements by means of which the services are retained.
It is important to mention that the above provisions do not apply to the retention of systems operated by clearing and settlement service providers, or to registration or centralized deposit activities.
Demarest's Banking and Restructuring practice group closely monitors the regulatory developments of this matter and remains available to advise and clarify any doubts about this and other relevant issues relating to cyber-security in the financial environment.