Last month, the Brazilian National Monetary Council (the “CMN”) issued Resolution No. 4,658 (the “Resolution”), which establishes new cybersecurity requirements covering institutions regulated by the Brazilian Central Bank (Banco Central do Brasil). The Resolution requires covered financial institutions to have cybersecurity policies in place by May 6, 2019, and be fully compliant with the regulation by December 31, 2021. Notably, the Resolution’s requirements cover third-party service providers that contract with covered institutions, including those located outside of Brazil.
Under the Resolution, covered institutions are required to appoint an officer who will be responsible for implementing and overseeing the cybersecurity policy, and to adopt procedures and controls to prevent and respond to cybersecurity incidents. The regulations do not specify deadlines for data breach notifications, but state that regulated entities must make such notifications promptly. Covered financial institutions are also required to provide an annual report to the Central Bank disclosing any cybersecurity incidents, as well as remediation efforts. In addition, where third-party service providers are hired for data-processing, data storage, or cloud computing, the Resolution requires that covered institutions enter into agreements requiring that the third-party providers—including those outside of Brazil—comply with certain requirements. These include the requirement to notify the covered entity of any relevant sub-contractors, and to authorize the Central Bank to access all documents and information related to the services. Further, covered institutions are required to provide to the Central Bank certain information regarding the third-party providers in advance of their retention. Notably, the Resolution does not contain any data localization requirements, which has been a trend in some regions, including in China.
Although Brazil has yet to pass a general data protection law, the CMN’s Resolution demonstrates the growing trend across Latin America towards the implementation of more robust cybersecurity measures. As discussed in our previous alert memo, several Latin American countries have already taken steps to bolster their data protection laws, including Argentina, Mexico, and Chile. It remains to be seen whether the Central Bank’s resolution begins a trend within Brazil towards more general data protection regulations, or leads central banks in other Latin American countries to follow suit.