Financial Crime World

Cybersecurity Standards for Financial Institutions in Brazil

Central Bank of Brazil Issues Resolution CMN 4,893 on February 26, 2021

The Central Bank of Brazil has issued a regulatory resolution, known as CMN 4,893, which sets out cybersecurity standards for financial institutions in Brazil. The resolution aims to ensure the security of the data processing, data storage, and cloud computing services used by these institutions.

Key Points

Content

The resolution covers several critical aspects of cybersecurity, including:

  • Cybersecurity policy: Financial institutions must develop a comprehensive cybersecurity policy that defines processes, tests, and audit trails.
  • Metrics and indicators: Institutions must establish adequate metrics and indicators to measure their cybersecurity posture.
  • Incident response: Institutions must have a plan in place for responding to incidents, including notification of relevant incidents to third-party providers.
  • Sharing information: Institutions are encouraged to share information on relevant incidents with the Central Bank of Brazil and other financial institutions.
  • Contracting services: Institutions must ensure that contracted services for data processing, storage, and cloud computing meet certain requirements.

Key Provisions

The resolution introduces several key provisions, including:

  • Notification of subcontracting: Financial institutions must notify the Central Bank of Brazil of any subcontracting arrangements for relevant services.
  • Internal audit: Institutions must submit their cybersecurity mechanisms to periodic tests by internal audit, if applicable.
  • Sharing information: Information shared among financial institutions and with the Central Bank of Brazil must be made available to all parties involved.
  • Retention of documents: Financial institutions are required to retain certain documents related to their cybersecurity posture for a period of five years.

Implementation

The resolution takes effect on July 1, 2021. Institutions that had already contracted services for data processing, storage, and cloud computing as of April 26, 2018, must adjust their contracts by December 31, 2021, to comply with the new requirements.