
Brazilian Central Bank establishes rules regarding cybersecurity and contracting third parties to provide cloud computing for Payment Institutions

August 20, 2018
Data Protection and Cybersecurity; Telecommunications; Banking and Finance

On August 15, 2018, the Executive Board of the Brazilian Central Bank ("Central Bank") issued Circular No. 3,909 ("Circular No. 3,909"), which sets out requirements for the implementation of cybersecurity policies by payment institutions authorized to operate by the Central Bank ("Payment Institutions"). It also establishes the requirements Payment Institutions must observe when engaging third parties to provide data processing, data storage and cloud computing services.

Circular No. 3,909 introduces obligations similar to those established in Resolution No. 4,658/2018 of the National Monetary Council ("CMN") ("Resolution No. 4,658"), which sets the requirements that financial institutions and other entities authorized to operate by the Central Bank must meet when engaging third parties to provide data processing, data storage and cloud computing services. Like Resolution No. 4,658, Circular No. 3,909 is intended to reshape how regulated entities govern cybersecurity and cloud services, so as to reduce the risk of incidents and security failures in their technology environment.

Circular No. 3,909 sets out rules and guidelines on the preventive and reactive handling of information security incidents, the minimum contractual requirements for engaging third parties to provide data services, and the allocation of responsibility for cybersecurity within Payment Institutions.

Below, we highlight the main topics addressed in Circular No. 3,909:

Mandatory adoption of cybersecurity policies by Payment Institutions;

Minimum content that must be included in cybersecurity policies;

Minimum contractual requirements for engaging third parties for the provision of data processing, storage and cloud computing services;

Additional minimum contractual requirements where those data processing, storage and cloud computing services are provided offshore;

Mandatory appointment of a director of the Payment Institution responsible for cybersecurity;

Obligation to inform the Central Bank of the intention to contract data processing, storage and cloud computing services;

Specific rules for the handling of cybersecurity incidents, including measures for the disclosure of information about such incidents;

The ability of the Central Bank to reject, or impose restrictions on, the contracting of data processing, storage and cloud computing services if it identifies any failure to comply with the provisions of Circular No. 3,909.

Circular No. 3,909 will come into effect on September 1, 2019. Cybersecurity policies and incident response plans must be approved within ninety (90) days of that date. Payment Institutions that have already engaged third parties for data processing, storage and cloud computing services must submit to the Central Bank, within the same ninety (90) day period, a timeline for bringing those arrangements into compliance with the minimum contractual and procedural requirements established in Circular No. 3,909.
