
São Paulo, 03.31.2023 – SUSEP Circular 638/2021 is important for establishing rules and standards for the protection of data and information in the insurance industry. Through this circular, SUSEP seeks to guarantee the privacy of policyholders' data and the integrity of the information stored by insurers, thus promoting greater trust and transparency.

* Rodrigo Santiago

SUSEP Overview

SUSEP (Superintendence of Private Insurance) is a federal autarchy (an autonomous, decentralized entity supervised by the Federal Government that operates with its own resources) linked to the Ministry of Economy. It supervises and regulates the insurance, open supplementary pension, capitalization and reinsurance markets in Brazil. Created in 1966, SUSEP's main objective is to establish norms and standards of conduct for the companies in these sectors.

SUSEP Circulars

SUSEP circulars are norms issued by the autarchy to regulate the insurance sector in Brazil. They are published in the Official Gazette of the Union (Diário Oficial da União) and establish the rules and guidelines that insurance companies and other companies in the sector must follow in order to operate in the Brazilian market.

SUSEP circulars have different objectives and address different topics, and each is directed at a specific audience, such as insurers, insurance brokers or reinsurers.

Each SUSEP circular is identified by a number and a year, for example, SUSEP Circular 638/2021.

What is SUSEP Circular nº 638/2021?

Published in September 2021, with mandatory compliance from June or September 2022 (depending on the supervised segment), SUSEP Circular No. 638/2021 sets out the cybersecurity requirements to be adopted by insurance companies, open private pension entities, capitalization companies and local reinsurers.

The Circular directs the implementation of requirements for mitigating cybersecurity risks. Mitigating those risks starts with making visible the criticality of the information that employees handle, so that good practices can be defined and actions executed with the goal of building a cybersecurity culture within the organization.

These new regulations show that cybersecurity is a growing concern in the era we live in. In the attempt to reduce risk exposure, attention often ends up focused only on technical aspects. However, it is important to remember that humans (the people pillar) are a fundamental part of any cybersecurity system, and that many incidents originate in human error, such as disclosing sensitive information or choosing weak passwords. That is why the Circular reinforces the importance of organizations investing in processes, training and cybersecurity awareness campaigns for their employees, so that they understand the risks and know how to act to protect their own personal information and that of their companies. Attention to processes and to the human factor can be the difference between a security breach and a safe and secure organization.

We stress that in a cybersecurity environment the concept of complete security does not exist: new types of attack appear constantly and generate internal and external threats, so vigilance must be continuous.

Main challenges

Implementing controls and an effective cybersecurity system that meets the requirements of laws and regulations can be a challenge for organizations, mainly because of the complexity and constant evolution of cyber threats. Some of the main challenges include:

  • Changes in technology: the rapid evolution of technology means that cybersecurity systems can quickly become obsolete. Staying up to date with the latest technologies and trends in cybersecurity is critical to keeping the system effective.
  • Lack of awareness and training: as explained above, users are often considered the weakest link in the cybersecurity chain. A lack of employee training and awareness can result in human errors such as clicking on malicious links or handing over confidential information.
  • The complexity of cyber threats: attackers are constantly developing new forms of attack, which means that cyber protection must be a permanent priority. Understanding and mitigating that complexity is challenging in itself.

Conclusion

SUSEP Circular 638/2021 is important for establishing rules and standards for the protection of data and information in the insurance sector. Through this circular, SUSEP seeks to guarantee the privacy of policyholders' data and the integrity of the information stored by insurers, thus promoting greater trust and transparency. Although implementing SUSEP 638/2021 may pose a challenge for some companies, complying with it is essential for meeting the laws and regulations in force. SUSEP 638/2021 therefore represents an important step towards strengthening cybersecurity and privacy protection in the Brazilian insurance market.

*Rodrigo Santiago, ISO 27001 Lead Auditor, GRC, Privacy and Information Security Project Manager at SAFEWAY


How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 15 years of experience we have accumulated many successful projects that have earned us credibility and prominence among our clients, many of which are among the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our own SOC, SAFEWAY is regarded as a one-stop shop for technology, process and people solutions. SAFEWAY can help your organization by validating its level of adherence and maturity against the requirements of Circular No. 638, as well as by supporting the preparation and execution of initiatives for full regulatory compliance and, consequently, greater cybersecurity maturity and lower risk exposure. If you want more information, contact our experts!