Cybersecurity policy for electricity sector approved in Brazil
Resolution promotes governance and best practices to avoid data security incidents
On December 22, 2021, the National Electric Energy Agency (Aneel) officially published its cybersecurity guidelines. Agents operating within the electricity sector will now be required to adopt a cybersecurity policy, which aims to promote governance and best practices in the sector that ensure reliable services and the security of critical data.
The cybersecurity guidelines were approved in the wake of a public consultation period concerning cybersecurity regulation in Brazil’s electricity sector. A total of 226 contributions were received during the consultation, which Aneel then used to improve the final wording of its Normative Resolution No. 964/2021.
Although the National Energy Policy Council (CNPE) approved cybersecurity guidelines for the electricity sector in October 2021, the rules still required Aneel’s regulation to take effect.
The resolution
In order to avoid undesirable cybersecurity incidents and situations, Aneel’s resolution seeks to:
- Establish a need for companies to implement cybersecurity policies compatible with their size;
- Establish an obligation to report cybersecurity breaches to Aneel;
- Establish a requirement for disclosing relevant cyber incidents among agents and with Aneel;
- Regulate companies’ obligations to periodically apply capability maturity models (C2M2, CMMI) for evaluating and improving their cybersecurity frameworks;
- Ensure companies’ cybersecurity policies provide for the segmentation of IT and Internet operating networks;
- Mandate that cybersecurity policies provide for rapid response procedures to contain incidents;
- Regulate the need to perform management, assessment and processing of cybersecurity risks.
According to Aneel, the lack of a cybersecurity policy could increase the frequency of interruptions to Brazil’s power supply and leave data vulnerable to potential security breaches. Given the critical nature of the issue, the publication of the resolution was brought forward by six months.
For more information on this topic, please contact Mattos Filho’s Technology, Innovation & Digital Business, Data Protection & Cybersecurity and Infrastructure & Energy practice areas.