Instruction 612/2019 of the Brazilian Securities and Exchange Commission (CVM) will enter into force in September of this year and bring in new obligations related to cyber security for securities market brokers.
Although it is becoming increasingly important, the subject is not exactly new in terms of financial regulations. Institutions authorized to operate by the Central Bank of Brazil (BCB), including brokerage houses and distributors, have already been subject to National Monetary Council (CMN) Resolution No. 4658/2018 since April of 2018.
The subject has also been widely explored for years via self-regulation, with the creation of parameters and good practices, especially through Anbima's guides and research,[1] which served as a basis for even state regulators to develop their standards. In addition, Law No. 13,709/2018 (the General Data Protection Law), in force as of August of this year, brings in various obligations related to the security of client data processing for activities of any nature.
As some recent incidents of data leakage at large companies in Brazil show, however, this issue is still critical. The dissemination of cases involving financial institutions after CMN Resolution 4,658 came into effect also showed that this sector is not immune to cyber attacks, despite the current regulatory framework.
Therefore, the new rule issued by the CVM introduces a series of additional obligations for brokerage firms in relation to CMN Resolution 4,658, without breaking with its logic or creating incompatibilities with the standards and practices in force.
The main changes involve a more detailed approach by the regulator. While CMN Resolution 4,658 is less thorough and gives institutions ample room to define their policies and models according to their own needs, ICVM 612 opted to detail the regulation of some points, defining minimum content for certain items of the policies established.
For example, while CMN Resolution 4,658 provides that it is incumbent on the institution to define what relevant incidents are without imposing specific content,[2] ICVM 612 requires that incidents affecting critical processes or sensitive information, as well as those with a significant impact on clients, must necessarily be on the list of incidents defined as relevant by the institution.[3]
The same applies to the classification of data. CMN Resolution 4,658 requires it to be done, but does not specify its content.[4] In turn, ICVM 612 determines that, as a minimum, registration data and information that allow identification of client transactions are considered sensitive.[5]
The obligations in addition to CMN Resolution 4,658 created by ICVM 612 may be reviewed in the comparative table below:
| Obligation described in CMN Resolution 4,658 | Additional obligation imposed by ICVM 612* |
| --- | --- |
| The classification of data as to relevance must be done according to guidelines defined in the Cyber Security Policy (article 3, V, “c”). The standard does not define which types of data are to be considered relevant. | At the very least, registration data and information enabling identification of clients or their transactions and positions must be considered relevant/sensitive (article 35-E, sole paragraph). |
| The Policy should bring in a number of provisions on cyber security, including vulnerability assessment, cyber security objectives, and specific procedures for them to be met (article 3). | The Policy should also provide for a mapping of the cyber risks to which the brokerage firm is exposed (article 35-H, I). |
| The classification of incidents as to relevance must be established in accordance with the guidelines defined in the Policy (article 3, V, “d”). There is no definition of the types of incidents that should necessarily be deemed relevant. | As a minimum, incidents affecting critical processes or sensitive information, as well as those with significant impacts on clients, must mandatorily be considered relevant (article 35-D, paragraph 4). |
| The Policy should provide for procedures to be adopted in the event of relevant incidents, but the standard does not define minimum mandatory procedures; it only requires provisions on mitigation of the effects of incidents and on business continuity in risk management policies. Specific actions are to be defined in the Policy (articles 19 and 20). Guidelines should also be established for carrying out business continuity tests, but there is no mandatory minimum frequency (article 3, V, “a” and article 19, III). | The procedures defined in the Policy must include internal and external communication actions, including those aimed at clients and managers of organized markets. Some services are also specified that must necessarily be covered by continuity plans: receipt and execution of client orders, settlement with clearing houses and clients, and reconciliation of positions (article 35-A). In addition, a minimum frequency of one year has been established for continuity tests (article 35-A). |
| The BCB should be informed of relevant incidents causing a crisis at the institution. In theory, if an incident is not provided for in the Policy as relevant, it need not be reported. The minimum content of the communication is the information on the occurrence and the measures taken to remedy it (article 20, III). | In addition to relevant incidents (including those affecting critical systems and having a significant impact on clients), episodes that trigger continuity plans, whether defined as relevant incidents or not, must be reported to the CVM's Market and Broker Relations Bureau (SMI) (article 35-A, paragraph 4, article 35-C, paragraph 1, and article 35-I, paragraph 1). The minimum content of the communication to the SMI is more extensive. In addition to a description of the incident and the remedial measures, the following must be included: (i) the data affected, (ii) the clients potentially affected, and (iii) the time taken to resolve the event or the deadline for doing so, as well as any other relevant information (article 35-A, paragraph 4, article 35-C, paragraph 1, and article 35-I, paragraph 1). |
| The Policy should provide for training programs and personnel evaluation as mechanisms to disseminate the culture of cyber security (article 3, VI, “a”), without further specification in that regard. | The frequency of training becomes mandatory content in the Policy (article 35-D, paragraph 2, III). |
| The Policy shall be disclosed in its entirety to employees and third parties. A summary should be published on the institution's website (articles 4 and 5). | The content published on the website must contain, as a minimum, guidelines on the main practices adopted, including access controls and confidentiality of personal information, and the cyber security precautions clients should take when accessing the institution's systems (article 35-G). |
| An annual report shall be prepared on the effectiveness of the implementation of the Policy, the results obtained in the performance of prevention and response procedures, the relevant incidents that occurred in the period, and the results of business continuity tests (article 8). | The annual report shall also contain statements by the officer in charge regarding the deficiencies found and their remediation; the results of the remediation of deficiencies found in prior years; a reasoned evaluation of compliance with ICVM 505; and an evaluation of the adequacy of the business continuity plan and any improvements (article 4, paragraph 7). |
| The Resolution does not impose any specific obligation regarding critical systems, although this topic is already partially covered in some points of the Policy, especially in the procedures and controls adopted to reduce the institution's vulnerability (article 3, paragraph 2). | Specific policies should be created for critical systems to ensure their integrity, security, and availability, including guidelines for assessing the relevance of incidents (article 35-C). |
| Regarding the hiring of third-party services in general, the Policy should provide guidelines for the definition of procedures and controls adopted by providers handling sensitive or relevant data of the institution (article 3, V, “b”). There are a number of rules for engaging cloud services, including various pre-contract checks, mandatory contract terms, reporting to the BCB, and permits to be obtained, among others (articles 11 to 17). | Brokerage firms must list the most relevant providers and assess their ability to store the information required by ICVM 505 and keep it available to the SMI. They must also ensure the institution's access to the data processed and the confidentiality, completeness, availability, and recoverability of the data (article 35-J). Contracts with cloud providers must also comply with the requirements of Resolution 4,658/2018. |
| The Resolution provides a list of the information that must be available to the BCB for a period of five years (article 23). | The rule is broader: brokerage firms must store and keep at the SMI's disposal all documents related to compliance with ICVM 505, in addition to all internal or external correspondence and all work papers, reports, and opinions related to the exercise of their functions, whether physical or electronic, as well as all recordings of conversations with clients (article 36). |
* The articles in this column refer to the numbering of ICVM 505 as amended by ICVM 612.
[1] In this regard, see ANBIMA's Cyber Security Guide, first published in 2016 and revised in 2017, available at https://www.anbima.com.br/data/files/F5/62/AB/91/FBC206101703E9F5A8A80AC2/Guia-de-Ciberseguranca-ANBIMA.pdf. It is also worth reviewing the research the association has conducted on this subject since 2017: https://www.anbima.com.br/data/files/E4/93/9C/7E/156306101703E9F5A8A80AC2/GT%20Ciberseguran_a-Pesquisa%202017_ANBIMA.pdf.
[2] As per article 3, subsection V, item “d”.
[3] As per article 35-D, paragraph 4, included in ICVM 505.
[4] Cf. article 3, V, “c”.
[5] Cf. article 35-E, sole paragraph, included in ICVM 505.