This Standard is intended to prevent cyber risks and protect financial institutions. It requires institutions regulated by the Central Bank to develop a cybersecurity policy, an incident response action plan and requirements for contracting outsourced services. The contracting of any outsourced service and of processing, data storage and cloud computing performed by the financial institution must be communicated to the Central Bank at least 60 days in advance. Institutions have until December 31, 2021 to comply with the Resolution to avoid the risk of BACEN sanctions.

- Cybersecurity objectives of the institution;
- Procedures and controls adopted to reduce vulnerability to incidents;
- Specific controls that ensure the security of sensitive information;
- Recording and analyzing the causes and impacts of incidents for the institution's activities;
- Definition of an action plan, processes and guidelines for the discovery of and response to security incidents;
- Prevention of information leaks;
- Periodic testing and scanning to detect vulnerabilities;
- Protection against malicious software;
- Establishment of traceability mechanisms;
- Access controls and segmentation of the computer network and maintenance of backup copies of data and information.