The Superintendence of Private Insurance (SUSEP) opened Public Consultation No. 15/2021, putting forward a draft Circular that introduces new provisions about cybersecurity to be applied to supervised companies (insurers, open pension plans, capitalization companies and local reinsurers).
The Circular seeks to harmonize the insurance market with existing legal provisions and should be interpreted in accordance with the General Data Protection Law (LGPD), with the rules to be issued by the National Data Protection Authority (ANPD), and with consumer legislation, if applicable.
As a general rule, the proposal imposes on the supervised companies the duty to manage cyber risk, which must be in compliance with the Company’s Internal Controls System (SCI) and Risk Management Framework (EGR).
The Draft under public consultation introduces several innovations, of which we highlight:
- Creation of a “Cybersecurity Policy”, which may be unique in the case that the Supervised are served by a unified ICS/EGR, and should:
- Contain the objectives of cybersecurity and the internal departments’ commitment to improving the processes related to it;
- Provide guidelines for (i) the classification of data according to its sensitivity; and (ii) the implementation of new cybersecurity processes and procedures;
- Be compatible with the Company’s size, including the nature and complexity of its operations and its level of exposure to cyber risk; and
- Be (i) registered in writing; (ii) approved by the Company’s highest management board; (iii) disclosed to employees using accessible language and at a level compatible with their job functions, and to its clients, at least in a summarized version; and (iv) reviewed, at minimum, every year.
- The Company must have and keep updated processes, procedures and controls to identify and reduce vulnerabilities, as well as to detect, respond to and recover from incidents, which must be provided for in the business continuity plan.
- The Company must communicate to SUSEP, in a maximum period of 5 (five) business days, the occurrence of incidents that had material adverse impacts, detailing the extent of the damage caused and, if applicable, the actions in progress for the complete regularization of the situation and the respective responsible persons and deadlines.
- The obligation to document in an annual report the results of the Company’s prevention and treatment of incidents.
- The Company must inform SUSEP in advance about the outsourcing of data processing and storage services, including the name of the provider, the activity to be performed by the provider and the countries and regions where the services will be provided and the data will be managed, as well as any contractual changes to these conditions. In the contracts already in force, the Company will have a period of 2 (two) years for informing SUSEP and adapting them, if necessary.
- The Company will be responsible for requiring that the providers of data processing and storage services comply with the legal and regulatory provisions in force, as well as that they have cybersecurity processes, measures and procedures that are not inferior to its own, which does not exempt the Company from complying with its legal and regulatory obligations.
- The Company must appoint an officer responsible for implementing the measures established in the Circular, who cannot be the same as the one appointed as responsible for internal controls.
The Draft provides for the obligation to keep various documents involving the Company’s cybersecurity, which, pursuant to SUSEP Circular No. 605/2020, must be stored for a minimum period of 5 (five) years.
Finally, we highlight that the Draft provides for the future circular to come into force on March 3, 2022, however, the supervised companies in segments S3 and S4 (defined by CNSP Resolution No. 388/2020) will have a different deadline to comply with the determinations.
The full draft Circular can be accessed at this link. Interested parties may send comments or suggestions by electronic message addressed to firstname.lastname@example.org, in accordance with the specific standardized table duly completed, by June 2, 2021.
Demarest’s Insurance and Reinsurance and Privacy, Technology and Cybersecurity teams are closely monitoring the development of this public consultation through to the publication of the final version and make themselves entirely available to provide any clarifications on the subject.