SUSEP Circular No. 638/2021: Rules About Cybersecurity

On August 3, 2021, the Superintendence of Private Insurance (SUSEP) published Circular No. 638/2021, resulting from SUSEP Public Consultation No. 15/2021, which introduces new provisions about cybersecurity to be applied to supervised companies (insurers, open entities of complementary pensions, capitalization companies and local reinsurers).

The Circular seeks to align the insurance market with existing legal provisions and should be interpreted in accordance with the General Data Protection Law (LGPD), with rules to be issued by the National Data Protection Authority (ANPD), and with consumer legislation, if applicable.

As a general rule, the Circular imposes on supervised companies the duty to manage cyber risk, which must be in compliance with the Company’s Internal Controls System (SCI) and Risk Management Framework (EGR).

The rule introduces several innovations, of which we highlight:

  • Creation of a “Cybersecurity Policy”, which shall:
    • Contemplate the purposes of cybersecurity and the internal departments’ commitment to improving the processes related to it;
    • Provide guidelines for (i) classification of data according to its sensitivity; (ii) implementation of new cybersecurity processes and procedures; and (iii) outsourcing of data processing and storage services, especially the relevant ones; and
    • Be compatible with the Company’s size, including the nature and complexity of its operations and its level of exposure to cyber risk.
  • The Company must have and keep updated processes, procedures and controls to identify and reduce vulnerabilities as well as to detect, respond to and recover from incidents, which must be provided for in the business continuity plan.
  • The Company must notify SUSEP, within a maximum of 5 (five) business days from becoming aware of the event, of the occurrence of relevant incidents, detailing the extent of the damage caused and, if applicable, the actions in progress for the complete regularization of the situation, together with the respective responsible persons and deadlines.
  • The obligation to document the results of the Company’s prevention and treatment of incidents in an annual report.
  • The Company must inform SUSEP, within 30 days after the signing of the contracts, about any outsourcing of data processing and storage services, including the name of the provider, the activity to be performed by the provider and the countries and regions where the services will be provided and the data will be managed, as well as any contractual changes to these conditions. The Company must adapt the contracts already in effect by September 1, 2024.
  • The Company will be responsible for requiring that the providers of data processing and storage services comply with the legal and regulatory provisions in force and that they have cybersecurity processes, measures and procedures that are not inferior to its own; this does not exempt the Company from complying with its own legal and regulatory obligations.

The Circular provides for the obligation to keep several documents involving the Company’s cybersecurity, which, pursuant to SUSEP Circular No. 605/2020, must be stored for a minimum period of 5 (five) years.

Finally, although the Circular comes into force on September 1, 2021, the supervised companies in segments S1 or S2 (defined by CNSP Resolution No. 388/2020) must comply by June 30, 2022, while companies in segments S3 or S4 have until September 1, 2022.

The full Circular can be accessed at this link.

Demarest’s Insurance and Reinsurance and Privacy, Technology and Cybersecurity teams make themselves entirely available to provide any clarifications on the matter.