
São Paulo/SP – June 07, 2023 – Operational resilience: how Bacen Resolution No. 304 contributes to the security of the financial ecosystem

* Carlos Borella is a partner and leader of the Cyber area at Safeway

In recent years, we have seen several resolutions and circulars published by the Central Bank of Brazil (BCB), which demonstrate the regulator's concern with the level of maturity of the national financial ecosystem.

Some of these regulations focused on specific issues, as in the case of BC 4,658 (replaced by BC 4,893), which addresses Information Security; others focused more on the operation of the system itself (the functioning of the Brazilian Payment System), as is the case of BCB 304.

When it comes to operational risk, among other topics that must be considered, the resolution is clear and establishes that the Financial Market System Operator Institutions (IOSMF) must address issues such as fraud management, service outsourcing management (supplier management), business continuity, management of information technology services, and information and cyber security, all of which must be designed so as to achieve the objective of operational resilience of the system.

Such guidelines reflect – and reinforce – the need for a comprehensive approach to protecting financial institutions against increasingly sophisticated threats.

The resolution also states directly that the IOSMF must establish monitoring and control mechanisms to ensure the implementation and effectiveness of the information and cyber security policy, the information security master plan, the incident response plan and the requirements for contracting services, in particular data processing, data storage and cloud computing.

Still on the subject of operational resilience, the resolution lists activities that must be established for business continuity management: carrying out a business impact analysis (AIN in Portuguese; Business Impact Analysis, or BIA, in English), defining strategies for limiting losses, drawing up business continuity plans with procedures that establish recovery deadlines and a communication plan, and testing and revising the plan at appropriate intervals.

From the point of view of information and cyber security, the resolution brings little that is new with respect to the topics that should be prioritized by the IOSMF, beyond reinforcing the need for actions focused on the three pillars (processes, technology and people). Some of these topics are well known, such as: prevention, detection, vulnerability mitigation, response and recovery; monitoring and traceability of information and analysis of cause and impact; business continuity; incident management (including sharing relevant incidents with the BCB); awareness programs; information classification; periodic system tests; and annual monitoring of the evolution and implementation of the information security master plan.

It is worth mentioning that BCB 304, like other BCB resolutions and circulars, addresses the need for controls and protections at the strategic and tactical levels, for example on the topic of business continuity. However, it does not direct or detail their implementation (the operational level). In short, it presents “what” to apply, but not “how” to apply it. Accordingly, reference frameworks and good cybersecurity practices – ISO 27002, ISO 22301, NIST, SANS, among others – should continue to be used.

In general, BCB 304 regulates, within the scope of the Brazilian Payment System, the operation of the systems, and thus deals with business-sensitive issues (settlement, registration and deposit of financial assets). In this article, we have focused on presenting the main controls related to information and cyber security. In this sense, institutions that already have an information and cyber security strategy and established governance (for example, to meet the requirements of a management system) should review the resolution and incorporate its requirements into that system. This will also allow information and cyber security initiatives to converge, avoiding overlapping controls that cover and mitigate risks already mapped.

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, the certification of operations, services or companies to the ISO 27001, ISO 20000 or ISO 22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, SAFEWAY has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the Cybersecurity, Information Security and Data Privacy controls implemented in your company, covering the pillars of Processes, People and Technology.