
São Paulo/SP – February 19, 2024 – SUSEP's action in publishing resolutions and circulars for the insurance market is a consequence of a global movement and concern with business continuity and cybersecurity that has become evident in recent years.

*Kelli Ribeiro – Safeway GRC Manager

SUSEP (Superintendência de Seguros Privados) and other supervisory and control bodies establish rules and requirements that supervised companies must meet in order to stimulate the development of the insurance, reinsurance, open private pension and capitalization markets, while guaranteeing free competition, stability and respect for the consumer.

Within this context, regulations and requirements are continuously established that seek to guarantee the protection of data and transactions of investors and consumers.

These regulations determine that inspected companies structure business continuity plans, which include contingency measures to mitigate risks and maintain their operations in the event of disasters, economic crises and other significant interruptions.

CNSP Resolution 416

The business continuity discipline is associated with risk management, as determined in Resolution CNSP No. 416, of July 20, 2021, which provides for the Internal Controls System, the Risk Management Structure and the Internal Audit activity, as described below:

Section IV

Requirements for the Management of Specific Risks

Subsection I

Business Continuity 

Art. 22. Risks that may cause a total interruption or a significant reduction of the supervised entity's critical business processes must be mitigated through a business continuity plan that provides for, at a minimum:

I. specific roles and responsibilities in relation to business continuity;

II. minimum level of operation and maximum period of return to normal operation;

III. communication procedures with internal and external stakeholders; and

IV. periodic tests.

SUSEP Circulars and Cybersecurity 

According to CNSP Resolution 416 of 2021 and SUSEP Circular 638 of 2021, insurers and insurance brokers must have a business continuity plan covering identified risks of total interruption, or of a significant reduction, of their activities.

Circular 638/21 establishes cybersecurity rules and requirements to be observed by insurers, open private pension entities, capitalization companies and local reinsurers to ensure business continuity and minimize impacts in the event of incidents.

SUSEP establishes requirements for the preparation of contingency plans by companies in the sector. These plans must include preventive measures such as:

  • Creating data backups;
  • Strategies for quick recovery of the operation in case of interruption (minimum level of operation and maximum period for return to normal operation);
  • Having, and keeping up to date, the roles and responsibilities, processes, procedures and controls for identifying and reducing vulnerabilities and for detecting, responding to and recovering from incidents, all of which must be provided for in the business continuity plan;
  • Periodic testing of the business continuity strategies to ensure the effectiveness of the contingency plans.

These actions aim to guarantee the protection of the interests of policyholders and the security of the insurance market in times of crisis (resilience of the insurance ecosystem).

Failure to comply with these requirements can lead to serious penalties, such as fines, bans from operating and loss of essential licenses for the operation of companies. Therefore, regulatory compliance is critical to ensuring business continuity, as well as maintaining the trust of investors, customers and other stakeholders. 

Main Challenges 

The main challenges encountered during the implementation of Business Continuity Management (BCM) are:

  • Identifying risks: Identifying the risks that could lead the organization to disruptive or catastrophic events, especially those that are difficult to predict, is a challenging task.
  • Justifying the investment in resources: Ensuring business continuity requires financial, human and technological resources. Prioritizing investments in continuity is challenging in the absence of an integrated view of corporate risk management.
  • Lack of awareness: Continuity management is usually seen as secondary and as necessary only in times of crisis.
  • Lack of commitment: Continuity requires the involvement of different areas and stakeholders of the organization, which can lead to conflicts and to difficulties in demonstrating this commitment.
  • Testing and updating: Plans need to be tested and updated frequently to ensure that the response measures to a disruptive event work effectively.

Conclusion

SUSEP's action in publishing resolutions and circulars is a consequence of a movement and global concern with business continuity and cybersecurity that has become evident in recent years.

Business continuity management is responsible for ensuring that an organization can survive disruptive or catastrophic events and continue its vital operations.

An effective BCM plan helps minimize these risks by defining clear procedures for dealing with such critical situations. The first step in planning a business continuity program is to understand the current threats and challenges; after that step, the following will be necessary:

  • assessment of risks and impacts;
  • prioritization of critical processes and systems;
  • development of a response plan, training and testing of the plan;
  • periodic adjustment and review of the plan.

The contingency plan helps in analyzing the impact that an incident may cause, giving managers more security in crisis management, ensuring that essential operations are not impaired.

By prioritizing business continuity, organizations can protect their reputation and ultimately ensure the long-term resiliency of their operations.

How can we help? 

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet business needs. In 16 years of experience, we have accumulated many successful projects that have earned us credibility and prominence with our clients, which largely comprise the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people. SAFEWAY can also help your organization by validating compliance and maturity with the GDPR (General Data Protection Regulation) and the LGPD (Lei Geral de Proteção de Dados, the Brazilian General Data Protection Law), considering the business environment in which it operates, in order to identify the main action plans for regulatory compliance, aiming at process improvements and gains for your organization.

With our business continuity planning solutions, we help you identify, prepare for, and prevent events that could disrupt business activities, developing the necessary plans for recovery, assessment, implementation, testing, and BCM training.