The SBS, through SBS Resolution No. 504-2021, has approved the Regulation for the management of information security and cybersecurity, which will have an impact on the regulations of: i) internal audit, ii) external audit, iii) single text of administrative procedures (TUPA) of the SBS, iv) corporate governance and comprehensive risk management, v) operational risk, vi) credit and debit cards; and vii) regulation of operations with electronic money.
This measure comes amid the growing adoption of digital channels in financial services, which led the SBS to consider it necessary to create an adequate legal framework providing minimum conditions for the safety of users. In this regard, the Regulation is emphatic that the management of information security and cybersecurity must be in proportion to the operations that the entity manages. Likewise, the responsibilities are entrusted to the company's management bodies, that is, the management, the board of directors and even the risk committee.
The Regulation also obliges the companies to which the law applies to report cybersecurity incidents to the Superintendency. Similarly, the standard has a special section on services provided by third parties in matters related to cloud data storage and data processing.