
National Monetary Council amends resolution regarding cybersecurity and contracting third parties to provide cloud computing and data services

Apr 27, 2018
Banking and Finance; Data Protection and Cybersecurity; Telecommunications

On April 26, 2018, the National Monetary Council – CMN issued Resolution No. 4,658/2018 (“Resolution”) (full text here), which contemplates the implementation of cybersecurity policies by financial institutions and other entities authorized to operate by the Central Bank (“Financial Institutions”). It also establishes requirements to be followed by Financial Institutions when engaging third parties to provide data processing, storage and cloud computing services.

The Resolution, which was subject to a public consultation launched by the Central Bank in September 2017, proposes a transformation of the cybersecurity model and cloud services in order to mitigate risks and security failures within the cybernetic environment. Accordingly, it stipulates rules and guidelines regarding preventive and reactive treatments of incidents concerning information security, minimum contractual requirements for engaging third parties for the provision of data processing, storage and cloud computing services and the allocation of responsibility within Financial Institutions.

Below, we highlight the main topics addressed in the Resolution:

Mandatory adoption of cybersecurity policies by Financial Institutions;

Clear, precise and friendly language;

Minimum contractual requirements for engaging third parties for the provision of data processing, storage and cloud computing services;

Minimum contractual requirements for engaging third parties for the provision of data processing, storage and cloud computing services, which are provided offshore;

Mandatory appointment of a director of the Financial Institution responsible for cybersecurity;

Obligation to inform the Central Bank of the intention to contract data processing, storage and cloud computing services;

Establishment of specific rules for the treatment of incidents concerning the cyber environment, including measures for disclosure of information regarding such incidents;

The ability of the Central Bank to reject or impose restrictions on the contracting of data processing, storage and cloud computing services if it identifies a failure in compliance with the provisions of the Resolution.

The Resolution will take effect on the date of its publication, which occurred on April 30, 2018. The approval of cybersecurity policies and incident plans must occur no later than May 6, 2019. Those Financial Institutions that have already engaged third parties for data processing, storage and cloud computing services must submit to the Central Bank, within one hundred and eighty (180) days as of the publication of the Resolution, a timeline for adequacy and compliance with the minimum contractual and procedural requirements established in the Resolution.

For more information, please contact:

Data Privacy and Cybersecurity Practice
Banking and Financial Services Practice
