CIRCULAR SUSEP Nº 638, OF 27 JULY 2021 (*)
Establishing requirements in cyber security to be complied with by insurance companies, open supplementary pension companies (EAPCs), savings bonds companies and local reinsurers.
THE SUPERINTENDENT OF THE PRIVATE INSURANCE SUPERINTENDENCY – SUSEP, in accordance with the provisions set forth in sub item "b" of art. 36 of Decree-Law 73, of 21 November 1966; sole paragraph of art. 3 of Complementary Law 126, of 15 January 2007; § 2 of art. 3 of Decree-Law 261, of 28 February 1967, with the wording provided by Complementary Law 137, of 26 August 2010; and art. 74 of Complementary Law 109, of 29 May 2001, and considering the contents of Susep File 15414.600373/2021-23, resolves:
CHAPTER I
SUBJECT AND SCOPE
Art. 1. This Circular establishes requirements in cyber security to be complied with by insurance companies, open supplementary pension companies (EAPCs), savings bonds companies and local reinsurers.
CHAPTER II
DEFINITIONS
Art. 2. The following definitions apply to this Circular:
I - supervised companies: insurance companies, EAPCs, savings bonds companies and local reinsurers;
II - cyber security: set of strategies, policies and standards concerning cyber risk mitigation;
III - cyber risk: the possibility of losses resulting from a compromise of the confidentiality, integrity or availability of data and information in digital form, arising from their unauthorized manipulation or from damage to the equipment and systems used in their storage, processing or transmission;
IV - relevant data: personal data, as defined by the legislation in force, data related to clients or to critical business processes, as well as any other data or information deemed sensitive under the guidelines established by the supervised company;
V - relevant data processing or storage services: data processing or storage services, including cloud computing, that:
a) involve access or manipulation of relevant data; or
b) support activities deemed by the supervised company as essential for its business continuity;
VI - relevant incidents: adverse events, whether or not arising from malicious activity, that, according to parameters defined by the supervised company, substantially compromise:
a) the relevant data confidentiality, integrity or availability; or
b) relevant services in data processing or storage;
VII - cloud computing: a service enabling on-demand access, regardless of location, to a shared pool of configurable computing resources that can be provisioned with minimal management effort or service provider interaction;
VIII - management bodies: Board of Directors and Executive Board; and
IX - business associates: managers, officers, outsourced services providers and other relevant partners of the supervised company.
CHAPTER III
GENERAL PROVISIONS
Art. 3. Cyber security forms part of the general framework of the Internal Controls System (SCI) and of the Risk Management Structure (EGR), as established in their respective regulations, the supervised company being additionally responsible for:
I - applying national and international best practices in cyber security in its treatment and control of cyber risks, including:
a) physical security of equipment and premises;
b) systems and information access control;
c) cryptography;
d) protection against malware;
e) maintenance of backup copies of data and information;
f) maintenance of logs of user activity, exceptions and failures;
g) techniques for network protection and communications security; and
h) development and acquisition of systems; and
II - advancing actions to disseminate a cyber security culture, including permanent training programs, based on the sensitivity of the information handled by the business associates.
Sole paragraph. With regard to the regulations mentioned in the head of this article:
I - cyber risks should be incorporated into the operational risk category, whose use is mandatory; and
II - the cyber security policy mentioned in Chapter IV should be considered as supplementary to the risks management policy, being subject to the same defined requirements for such supplementary policies.
CHAPTER IV
CYBER SECURITY POLICY
Art. 4. The supervised company should have a cyber security policy in place, comprising at least:
I - the cyber security purposes;
II - its management bodies' commitment to the cyber security and to the permanent improvement of the related processes, procedures and controls; and
III - parameters and guidelines to:
a) the classification of data, incidents and services according to their relevance, taking into account the provisions of art. 2, items IV to VI;
b) the implementation of cyber security processes, procedures and controls, based on the classification mentioned in sub item "a"; and
c) outsourcing of the data processing and storage services, particularly the relevant ones, describing minimum requirements and authority levels concerning contracts approval and amendments.
Sole paragraph. The cyber security policy should be compatible with the size, nature and complexity of the supervised company's operations and the extent of its exposure to cyber risk.
CHAPTER V
PREVENTION AND TREATMENT OF INCIDENTS
Art. 5. The supervised company should have duly updated and effective processes, procedures and controls in place to:
I - proactively identify and reduce vulnerabilities; and
II - detect, counteract and recover from incidents.
Art. 6. The processes, procedures and controls mentioned in item II of art. 5 should set forth at least:
I - permanent monitoring of the communication network, using techniques to help with the detection of incidents;
II - assessment of the nature, reach and impact of the detected incidents, according to a previously established scale of criticality that acknowledges the relevance of the affected data, systems or services and their corresponding degree of compromise;
III - timely adoption of actions to contain the effects of the incident;
IV - restoration of the affected systems or services and resumption of normal operating conditions;
V - incident registry;
VI - sharing of the information about relevant incidents with other supervised companies, under a mutually agreed form, assuring the secrecy of confidential information and trade secrets;
VII - communication with the parties affected by the incident, chiefly clients; and
VIII - identification and treatment of the exploited vulnerabilities.
§ 1. The containment actions mentioned in item III should include, where appropriate, prior communication with service providers, business partners and other potentially involved parties, with a view to adopting a coordinated response.
§ 2. The supervised company should assure that the reestablishment mentioned in item IV is performed in a safe manner, without giving rise to vulnerabilities that may aggravate the impacts of the on-going incident or substantially increase the risk of further incidents.
§ 3. For incidents resulting in operational loss, the supervised company should put in place mechanisms to reconcile the registry of incidents mentioned in item V with the operational losses database (BDPO), if one exists.
Art. 7. The processes and procedures mentioned under items II to IV of art. 6 should be established in the business continuity plan, at least for attack scenarios and other events that, according to the supervised company's assessment, may cause:
I - damages to information technology infrastructures or to communication systems deemed as critical;
II - unauthorized access to, alteration, deletion or disclosure of relevant data; or
III - interruption of relevant services in data processing and storage.
Art. 8. The supervised company should inform Susep of the occurrence of relevant incidents within 5 (five) working days of detecting the event, detailing the extent of the damage and, where applicable, the actions under way for the complete correction of the situation, the persons in charge and the deadlines.
Art. 9. The supervised company should prepare an annual report on incidents prevention and treatment, including at least:
I - description of the relevant incidents detected, detailing their causes, effects and the response actions adopted;
II - statistics on all incidents detected, including their number and main causes and effects;
III - results of the tests of the scenarios anticipated by the business continuity plan, in accordance with art. 7; and
IV - description of the major vulnerabilities identified and actions adopted for their treatment.
§ 1. For the actions mentioned in item IV that have not yet been completed, the report should state the persons in charge and the deadlines.
§ 2. As a minimum, the report should be forwarded to the:
I - management bodies;
II - Audit and Risk Committees, if existent; and
III - internal controls officer in charge and, if existent, to the risk management unit.
§ 3. The persons, management bodies and units mentioned in § 2 should take into account the findings of that report in the performance of their assignments, particularly in so far as they refer to the effectiveness of the processes, procedures and cyber security controls.
CHAPTER VI
OUTSOURCING OF DATA PROCESSING AND STORAGE SERVICES
Art. 10. In the case of data processing and storage services outsourcing, the supervised company should:
I - possess the resources, expertise and governance practices needed for the adequate monitoring of the services to be outsourced;
II - assure that the potential service providers are capable of complying with the requirements established in art. 11; and
III - in the case of relevant data processing and storage services, inform Susep, within 30 (thirty) days of the formalization of the contract, of:
a) the relevant services to be outsourced;
b) the name of the contracted company and those of the subcontracted companies, if any, in charge of the services mentioned in sub item "a"; and
c) where possible, the countries, and the regions within each country, where the services mentioned in sub item "a" may be provided and the data may be stored, processed and managed.
Sole paragraph. Contractual amendments modifying any of sub items "a" to "c" of item III should be reported to Susep within 30 (thirty) days of their formalization.
Art. 11. The supervised company should require that the processing and data storage services providers:
I - comply with the regulations and legal provisions in force;
II - release information and management resources allowing the supervised company to properly monitor the outsourced services;
III - maintain cyber security processes, procedures and controls of a standard not lower than those the supervised company itself adopts for the same degree of sensitivity, also taking mitigating controls into account;
IV - assure that the supervised company's data and those of its clients are duly segregated from the data of the service provider's other clients, by means of physical and/or logical controls;
V - notify the supervised company when subcontracting relevant services;
VI - in the case of contract termination, arrange for:
a) the transfer of the data covered by the contract to the new service provider or back to the supervised company, as the case may be; and
b) the deletion of the data covered by the contract, after the transfer mentioned in sub item "a" and the supervised company's confirmation of the integrity and availability of the data received; and
VII - not hinder Susep's work.
§ 1. The supervised company should employ at least one of the following procedures, in order to assure that the provisions of item III are satisfied in the case of relevant services in data processing and storage:
I - requesting a formal certification granted by an independent institution, in relation to the service to be contracted; or
II - performing due diligence.
§ 2. The cyber security policy may establish exceptions for the provision of item III, concerning data processing and storage services not classified as relevant, therefore expressly defining the minimum cyber security requirements to be complied with.
§ 3. The supervised company should require that the service provider assures Susep access to the data covered by the contract, to the information concerning the services rendered and to the contracts and agreements signed for their performance; it is the supervised company's responsibility to verify that the laws and regulations in force in the countries, and in the regions of each country, where the services may be rendered do not restrict such access, in compliance with item VII of the head of this article.
§ 4. The services rendering contracts in data processing and storage, except in the case that the contract is of adhesion, should expressly set forth the requirements cited in this article.
Art. 12. The data processing and storage services outsourcing does not exempt the supervised company from its responsibility for the compliance with the laws and regulations in force, as well as from assuring the confidentiality, integrity and availability of the data in the hands of the services provider.
Art. 13. The supervised company should define and document its strategies for the replacement of services providers, or for its in-house performance of the outsourced services, to be adopted in the case of termination of relevant services rendering in data processing and storage.
Art. 14. The provisions of this Chapter apply to every outsourcing of data processing and storage services, including cloud computing, with the sole exception of the registration of the supervised company's operations in a registry system previously validated by Susep and managed by a duly accredited registry entity, under the terms of the specific regulation.
CHAPTER VII
TRANSITIONAL AND FINAL PROVISIONS
Art. 15. The supervised company should maintain current and previous versions of the following documents, in accordance with regulations in force:
I - the cyber security policy, mentioned in Chapter IV;
II - the annual incidents prevention and treatment report, mentioned in art. 9;
III - the outsourcing contracts for relevant services in data processing and storage, mentioned in § 4 of art. 11; and
IV - other documents demonstrating compliance with the provisions of this Circular.
Art. 16. Data processing and storage outsourcing contracts signed before the date of entry into force of this Circular should be adjusted by 1 September 2024.
Art. 17. The supervised companies will have the following deadlines to conform to the provisions of this Circular:
I - 30 June 2022 for the supervised companies classified in segments S1 or S2; and
II - 1 September 2022 for the supervised companies classified in segments S3 or S4.
Art. 18. This Circular becomes effective on 1 September 2021.
SOLANGE PAIVA VIEIRA
(Official Gazette of 03 August 2021 - pages 23 and 24 - Section 1)
*The information provided in this publication is general and may not apply to a specific situation or person. Every effort has been made to ensure that matters of concern to readers are covered. Although the information provided is accurate, be advised that this is a developing area. The information contained herein is not intended to be relied upon or to be a substitute for legal advice in relation to particular circumstances. Specific legal advice should always be sought from experienced local advisers. Accordingly, Editora Roncarati accepts no liability for any loss that may arise from reliance upon this publication or the information it contains.