CVM calls public hearing on rules that regulate business continuity plan and information security

Capital Markets; Data Protection and Cybersecurity

On October 8, 2018, the Brazilian Securities Commission ("CVM") called a public hearing on a proposal to amend CVM Rule No. 505/2011, which regulates the rules and procedures applicable to underwriters in securities transactions on regulated markets (the "Draft").

The Draft seeks to refine underwriters' internal control mechanisms in relation to (i) events that may interrupt their activities; and (ii) risks of information security failures within their processes, systems and infrastructure.

Briefly, the most relevant provisions for discussion are as follows:

  1. Business Continuity Plan: CVM proposes to require underwriters to develop a business continuity plan, addressing procedures and systems to be used to ensure continuity and resumption of activities in case of interruption of critical business processes. The practice is in line with Resolution No. 4,557/2017 issued by the National Monetary Council and B3's Operational Qualification Program, both of which contain a similar requirement.
    The Draft lists a minimum number of processes that should be classified as critical, namely those relating to (a) receipt and execution of orders; (b) settlement with organized market managing entities; (c) settlement with clients; (d) reconciliation; and (e) client position updates. Other processes may be considered critical – or not, at the discretion of the relevant underwriter, who should identify and classify those processes.
    An underwriter should also establish a structure to enable provision of assistance to investors through other channels in cases of suspension of services on the Internet as a result of unavailability or peak demand.

  2. Information Security: CVM proposes to improve information security rules by passing provisions relating to (a) customer data processing and controlling; (b) cybersecurity; and (c) engagement of services provided by third parties.
    Regarding the treatment and control of customer data, the Draft seeks to ensure the confidentiality, authenticity, integrity, and availability of sensitive data and information, being considered as sensitive at least those that allow clients and operations to be identified.
    The Draft states that underwriters must develop and implement a cybersecurity program that addresses at least (a) the identification of cyber risks to which the underwriter is exposed; (b) procedures and controls to verify the effectiveness of cybersecurity measures and conduct continuous monitoring and detection of cyber-attacks in a timely manner; and (c) establishment of a response plan for incident handling and retrieval of data and systems.
    The proposal also contemplates an obligation to inform CVM about any cybersecurity incidents within 24 hours of identification. After 45 days of the incident, the underwriter should provide CVM with a report containing the description of the incident, the measures taken, communications with clients and any improvements identified, with the respective implementation schedule, as the case may be.
    Underwriters should also identify and assess the controls adopted by their critical service providers and ensure (in the relevant services agreement) (a) compliance with filing requirements set forth in the Draft; (b) access to data and information; (c) confidentiality, integrity, availability and retrieval of data and information processed or stored by the service provider; and (d) access by CVM and the self-regulatory authority to the contents of contracts, documents, data and information processed or stored by the providers and their facilities.
    As reinforced by CVM, other regulators have also voiced concerns about information security, including the National Monetary Council, which recently issued Resolution No. 4,658/2018, establishing rules on cybersecurity and requirements for retaining services, processing and storage of data and cloud computing.

  3. Transmission of orders: CVM also proposes to update the means by which customers may transmit orders to underwriters in order to reflect market practices, and suggests the development, by underwriters, of specific procedures for filing data and voice records relating to orders that are not carried out in systems whose control and registration are under the control of a broker.
In addition to the above provisions, there is a proposal to change how often an internal controls report is to be submitted. According to the Draft, submission will no longer be half-yearly but annual, in order to reduce the costs of compliance by underwriters. In this regard, on October 10th, CVM published Public Hearing SDM No. 06/2018, proposing changes to other regulations, also with a view to reducing the costs of compliance by market participants.

Comments and suggestions can be sent to the Superintendency of Market Development, preferably by email to [email protected], before November 30, 2018. The full contents of the announcement are available from CVM in Portuguese only.

Our lawyers are available to provide further information and explanations on this matter.

Attorneys of the Capital Markets and Data Protection and Cybersecurity Practices.