The Central Bank of Brazil (Bacen) is accepting comments until November 21 on the proposed resolution on the implementation of cybersecurity policy by financial institutions and other authorized institutions. Published on September 19, Public Consultation Notice No. 57/2017 also addresses the requirements for contracting data processing and storage services and cloud computing services.
The rule is a response to the current scenario of growing use of electronic media and technological innovations in the financial sector, which demand increasingly robust controls and security systems from institutions.
The proposed resolution provides that cybersecurity policy should be compatible with (i) the size, risk profile, and business model of the institution; (ii) the nature of the operations and the complexity of the institution's products, services, activities, and processes; and (iii) the sensitivity of the data and information under the responsibility of the institution. This policy should include the institution's cybersecurity objectives and the specific controls and technologies adopted to reduce vulnerability to incidents and to ensure traceability and security of customer information.
In addition, the text provides that institutions should establish an action and incident response plan, with the actions, routines, procedures, controls, and technologies to be employed both to adapt the organizational and operational structure to the cybersecurity principles and policy guidelines and to prevent and respond to incidents.
The institution should designate a director responsible for cybersecurity policy and the implementation of the action and incident response plans, and prepare an annual report on its implementation.
With regard to contracting for data processing and storage and cloud computing services, the resolution submitted for public consultation provides that institutions should adopt corporate governance and management practices in proportion to the relevance of the service to be contracted and the risks to which they are exposed. They must also ensure: (i) the vendor’s ability to identify and segregate client data from that of the institution using physical or logical controls; and (ii) the quality of the access controls adopted by the vendor to protect the data and information of the institution's customers.
Institutions must also require the vendor to ensure access to the data and information it processes or stores, as well as the confidentiality, integrity, availability, and retrieval of such data and information.
Bacen also proposes that contracts for the provision of data processing, data storage, and cloud computing services provide for minimum mandatory content, which includes: (i) an indication of the location of the facilities where the services will be provided and the data to be stored, processed, and managed; (ii) maintenance, while the contract is in force, of segregation of data and access controls to protect customer information; (iii) the need for the institution’s approval for the vendor’s subcontracting of services; and (iv) the maintenance, in Brazil, of backup copies of data and information stored by the vendor, as well as information about the corresponding processing.
The proposed resolution prohibits the hiring of relevant data processing, data storage, and cloud computing services abroad. It also provides that, without prejudice to the duty of secrecy and free competition, institutions should develop initiatives to share information on relevant incidents. This initiative should cover information received from companies providing services to third parties that handle sensitive data or information that is relevant to the management of the institution's activities. Bacen should have access to this shared information.
The following must be kept available to Bacen for a period of five years: (i) the cybersecurity policy; (ii) the action and incident response plans; (iii) the annual implementation report of the action and incident response plans; (iv) contracts for relevant data processing, data storage, and cloud computing services, with the time period counted from the date of termination of the contract; and (v) data, records, and information on the mechanisms for monitoring and controlling the cybersecurity policy, the action and incident response plans, and the requirements for hiring data processing, data storage, and cloud computing services.