*Marcos Paulo Freitas
THE Resolution No. 4893 of February 26, 2021 of the Central Bank of Brazil (BACEN) provides for the structuring of cybersecurity policy and the requirements for contracting data processing and storage and cloud computing services to be observed by institutions authorized to operate by the Central Bank of Brazil (BACEN). This Resolution comes into effect as of July 1, 2021 and revokes Resolutions 4658: 2018 and 4752: 2019, which addressed the same theme.
Cybersecurity Policy and Action Plan and Incident Response
Resolution No. 4893 maintains requirements regarding the preparation and disclosure of the Cybersecurity Policy and the Action and Incident Response Plan by the institutions.
The main points to be observed are:
- The need for the institution to have mechanisms (procedures and controls) to reduce the level of exposure to incidents. Such mechanisms should cover at a minimum: authentication, encryption, intrusion prevention and detection, prevention of information leakage, periodic testing and scanning for vulnerabilities, protection against malicious software, establishment of mechanisms traceability, access controls and segmentation of the computer network and the maintenance of backup copies of data and information.
- Development of a cybersecurity policy. This document must have at least the institution's objectives related to the theme, the procedures and controls adopted to reduce vulnerability to incidents, the specific controls that seek to guarantee the security of information and guidelines for the correct registration, analysis of cause and impact and timely treatment of incidents relevant to the institution's activities.
- Need for a specific area for recording and controlling the effects of relevant incidents and an established process where the cause and impact are identified, as well as the preparation and monitoring of incident response plans;
- Preparation of an annual report on the implementation of the action plan and response to incidents, containing incidents that occurred in the period and the result of continuity tests, considering non-availability scenarios. It is important that this report is presented to the institution's board of directors or board of directors by March 31 of the year following the base date.
Both the cybersecurity policy and the action plan and incident response must be reviewed annually and approved by the board of directors or, in their absence, by the institution's board of directors.
Hiring of Data Processing and Storage and Cloud Computing Services
The Resolution updates the requirements related to the Contracting of Data Processing and Storage and Cloud Computing Services. Institutions authorized to operate by the Central Bank of Brazil (BACEN) must:
- Ensure that its policies, strategies and structures for risk management include the contracting of this type of service in the country or abroad;
- Present and document governance practices and procedures that include, before contracting, the verification of the service provider's capacity and compliance with the requirements of the institution and the regulations in force, considering the criticality of the service and the sensitivity of the data;
- Be responsible for the reliability, integrity, availability in relation to the contracted services, as well as for compliance with the legislation and regulations in force;
- Communicate to the Central Bank of Brazil (BACEN) the contracting or contractual updating of relevant processing, data storage and cloud computing services. This communication must be made within ten days after contracting the services or contractual update and contain the name of the contracted company, the details of the contracted services, the indication of the countries and regions in each country where the services may be provided. and the data that will be stored, processed and managed;
The hiring of services rendered abroad must comply with the following requirements:
- Existence of an agreement between the Central Bank of Brazil (BACEN) with country authorities. If there is no agreement, it is necessary to request an authorization from the Central Bank of Brazil (BACEN) at least 60 (sixty) days before contracting or updating an existing contract;
- Prior definition of contracting countries and regions where data will be stored, managed and processed;
- Business continuity if service provision is not possible;
- Measures to ensure the security of the transmission and storage of information.
It is important to mention that Institutions that on April 26, 2018 had already contracted data processing and storage and cloud computing services must adapt the contracts signed with their service providers until December 31, 2021.
The action of the Central Bank of Brazil (BACEN) in publishing this standard demonstrates its concern and commitment to cyber security and reinforces the need for institutions to continuously improve their operations in order to be increasingly protected and prepared to react to threats and cyber attacks that are increasingly sophisticated and are reported periodically.
In general, there were minimal and complementary changes to what was set out in Resolutions 4658: 2018 and 4752: 2019, which can be considered a response to questions that the institutions have previously made.
* Marcos Paulo Freitas is GRC and Information Security Manager at [SAFEWAY]
Safeway is an Information Security company recognized by its customers for offering high added value solutions through Information Security projects that fully meet the needs of the business.
Today through 22 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions for technology, processes and people. SAFEWAY can help your organization by validating the level of adherence and maturity to the requirements of Resolution No. 4893, as well as supporting the preparation and execution of initiatives for regulatory compliance and for the continuous improvement of processes.