Brazilian Private Insurance Authority publishes new cybersecurity requirements
SUSEP Circular No. 638/2021 establishes guidelines for security policies and monitoring third-party services
On August 3, 2021, Brazil’s Private Insurance Authority (SUSEP) published SUSEP Circular No. 638/2021, which includes a series of cybersecurity requirements that insurance companies, pension companies (EAPCs), capitalization companies, and local reinsurers must observe.
The new regulation brings cybersecurity within the scope of SUSEP’s Internal Control System (SCI) and Risk Management Framework (EGR). Supervised entities must therefore adopt recognized local and international cybersecurity practices as their standard, with the aim of minimizing potential vulnerabilities in their systems without discouraging innovation.
A key aspect of the new regulation is the need for entities to develop and implement an adequate cybersecurity policy that complements their risk management policies. At a minimum, such a policy must set out its objectives, management’s general commitment to cybersecurity practices, and the steps to be taken to improve related processes, procedures, and controls. It must also include guidelines and parameters for classifying data, implementing cybersecurity procedures, and outsourcing related services.
SUSEP Circular No. 638/2021 also addresses the prevention and handling of cybersecurity incidents. Supervised entities must keep their processes, procedures, and controls up to date so that they can proactively identify and reduce possible vulnerabilities. They must therefore be capable not only of detecting incidents, but also of adequately responding to and recovering from them. Entities under SUSEP’s supervision must also set out these processes and procedures in their business continuity plans.
If an entity identifies any relevant incidents, it must describe them in an annual report submitted to the management, audit, and risk committees, head of internal controls, and its risk management area. The report must present the results of investigations, defining the causes and effects of the incidents and the response adopted by the entity. It must also:
- contain statistical data on detected incidents, and note what actions will be taken to handle them;
- indicate responsibility for incidents and deadlines for taking action.
Cybersecurity measures for outsourcing
The cybersecurity requirements in SUSEP Circular No. 638/2021 have also taken the outsourcing of data processing and storage into account. In such situations, the supervised entity must have the necessary resources and governance practices to be able to regularly monitor any contracted third-party services, and must also certify third parties’ technical capabilities to provide data services. SUSEP must be informed of any outsourcing by supervised entities within 30 days of contracts being signed.
Furthermore, throughout the duration of the contract, entities must also inform SUSEP of any adjustments or amendments to third-party contracts, as well as changes to the location or form in which services are provided.
SUSEP Circular No. 638/2021 gives supervised entities the power to monitor third-party services. Therefore, they have the right to demand that these third-party service providers:
- comply with applicable legal and regulatory provisions;
- make available information and tools that allow for regular monitoring of their services;
- adopt processes, procedures, and data security controls in line with those of the supervised entity, capable of guaranteeing that the entity’s data remains segregated from the data of the service provider’s other clients.
However, the regulation does not exempt supervised entities from their responsibility to guarantee the integrity, confidentiality, and availability of outsourced data – they must still comply with applicable data legislation and regulations.
Deadlines for adapting to SUSEP Circular No. 638/2021
The new regulation takes effect as of September 1, 2021, and provides for the following deadlines:
- Contracts for outsourced data processing and storage services signed before the regulation takes effect must adapt to its provisions by September 1, 2024;
- Supervised entities in the S1 or S2 segments have until June 30, 2022, to adapt. This includes the development and implementation of an adequate cybersecurity policy;
- Supervised entities in the S3 or S4 segments have until September 1, 2022, to adapt. This includes the development and implementation of an adequate cybersecurity policy.
For further information about this subject, please contact Mattos Filho’s Insurance, Reinsurance and Pensions practice area.