THE CENTRAL BANK APPROVES NEW RULES FOR CYBERSECURITY

13/03/2022


On April 26, 2018, the National Monetary Council approved Resolution No. 4658/2018, which established the cybersecurity policy and the requirements for hiring data processing, data storage and cloud computing services.

Due to recent scandals involving data and information exchanges, Resolution No. 4.658/2018 establishes that institutions authorized to operate by the Central Bank shall implement and maintain a cybersecurity policy based on principles and guidelines whose purpose is to ensure the confidentiality, integrity and availability of the information systems used.

This policy shall be consistent with the risks that arise from the activities performed by the institution and shall cover at least: the institution's cybersecurity goals; and the general and specific procedures and measures to reduce vulnerability, including those related to information traceability.

Furthermore, the policy shall cover mechanisms to disseminate the cybersecurity culture within the institution, including: the implementation of training programs and the periodic evaluation of personnel; and the manner of providing information to clients and users regarding precautions in using financial products and services. It shall also mention initiatives to share information on relevant incidents with the aforementioned institutions.

The risk management policies, strategies and structures shall take into account the hiring of relevant data processing, data storage and cloud computing services, in the country or abroad. These services shall cover at least one of the following: (i) data processing, data storage, network infrastructure and other computer resources that allow the contracting institution to implement and execute software, which may include operating systems and applications developed or purchased by the institution; (ii) implementation and execution of applications developed or acquired by the contracting institution, using the service provider's computer resources; or (iii) the execution, through the internet, of applications implemented or developed by the service provider, using the service provider's own computer resources.

Therefore, to provide cybersecurity and integrity, the policy shall be disclosed to the institution's employees and to third-party service providers, in precise, accessible and detailed language compatible with the functions performed and with the sensitivity of the information.

Please bear in mind that the institution shall disclose the policy to the public through a summary that includes its general outline.

In addition, the institutions shall ensure the continuity of the services provided, notifying the Central Bank of the occurrence of incidents, with the aim of mitigating their effects.

Companies that have already hired these services shall present to the Central Bank, within one hundred and eighty (180) days, a schedule for complying with Resolution No. 4.658/2018.

The Digital Law Department of Kestener, Granja & Vieira Advogados is available to provide any further information required on this subject.

Fabio Alonso Vieira

Phone: +55 11 3149-6111

fabio.vieira@kgvlaw.com.br

This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KGV Advogados in relation to the matters addressed herein. Copyrights are reserved to Kestener, Granja & Vieira Advogados.

