Cybersecurity regulation in Brazil: an overview
Brazil has been increasing sector-specific regulation on cybersecurity, affecting different industries
The potential of cyberattacks to compromise confidential information stored in databases poses a genuine threat to our interconnected world, affecting businesses and individuals alike. This threat has become increasingly relevant over the last few years as it has impacted financial institutions, private organizations, critical infrastructure and government systems. Concerningly, the number of cyberattacks is on the rise, becoming even more dangerous as cybercriminals develop new ways to break through security systems and access valuable data.
Brazil’s Center for Studies, Responses and Treatment of Security Incidents (CERT-BR) registered 875,327 security incident notifications in 2019 and 318,697 in the first half of 2020 alone, including fraud, scams, worms, DoS attacks and intrusions. These reports, however, are submitted voluntarily and therefore do not accurately reflect the actual number of security incidents identified. Moreover, Kaspersky has recently published a study indicating that cyberattacks in Brazil have increased by 23% in 2021. Given this scenario, cybersecurity has become a high-profile issue in Brazil, and there is an increasing demand for regulation.
Sectoral regulation
In Brazil, cybersecurity requirements are generally provided by regulatory agencies, such as the Central Bank (BACEN), the Securities and Exchange Commission (Comissão de Valores Mobiliários – CVM), the National Telecommunications Agency (ANATEL) and the Brazilian Private Insurance Authority (Superintendência de Seguros Privados – SUSEP).
BACEN’s Resolution No. 4,893/2021 and Resolution No. 85/2021 regulate how financial and payment institutions adopt cybersecurity measures. These resolutions require covered institutions to have cybersecurity policies in place and fully comply with the regulation by December 31, 2021. Notably, the resolutions also encompass third-party services contracted by covered institutions, including those outside Brazil.
Under both resolutions, covered institutions are required to appoint an officer responsible for implementing and overseeing their cybersecurity policies and must also adopt controls and procedures for preventing and responding to cybersecurity incidents. Though the regulations do not specify deadlines for data breach notifications, they state that regulated entities must make any notifications promptly. Covered financial institutions are also required to submit an annual report to the Central Bank disclosing any cybersecurity incidents, as well as remediation efforts.
Furthermore, BACEN’s resolutions require that covered institutions enter into agreements with third-party providers (including those outside Brazil) to ensure they comply with certain requirements when contracted for data processing, data storage or cloud computing. This includes a requirement to notify the covered institution of any relevant subcontractors and authorize the Central Bank’s access to all related documents and information. Covered institutions must also provide the Central Bank with certain information on third-party providers in advance. Notably, neither resolution contains any requirements regarding data localization.
Meanwhile, CVM’s Instruction No. 505/2011 establishes rules and procedures for operations in regulated securities markets. As part of the mechanisms and controls that intermediaries must adopt, this regulation sets forth several information security requirements, including rules for contracting relevant third-party services and notifying security incidents.
ANATEL has also issued Resolution No. 740/2020 (Cybersecurity Regulation), which applies to public interest telecommunications services with certain exceptions. The regulation establishes measures and procedures to enhance security in telecommunications networks and services, addressing both cybersecurity and critical telecommunications infrastructure protection. The Cybersecurity Regulation sets forth that telecommunications service providers must use products, services and equipment from service providers whose cybersecurity policy complies with the regulation, and who also conduct regular independent audits. When requested, the results of these audits must always be made available to ANATEL.
In August 2021, SUSEP published Circular No. 638/2021, which includes cybersecurity requirements that insurance companies, pension companies (EAPCs), capitalization companies, and local reinsurers must observe. These requirements align with a broader public agenda towards strengthening cybersecurity and data governance within Brazil’s financial institutions. SUSEP Circular No. 638/2021 establishes guiding principles for internal cybersecurity policies, new guidelines for identifying and limiting risks, failure prevention, and security measures concerning information security incidents. It also redefines requirements and procedures, as well as the extent to which entities are liable for incidents.
Regulations for data processing
It is important to note that Brazil’s General Data Protection Law (Law No. 13,709/2018 or LGPD) has established detailed rules regarding how personal data is collected, used, processed and stored. This affects all economic sectors, including the relationships between customers and suppliers, employees and employers and other relationships where personal data is collected, whether in the digital world or the real world.
The LGPD applies to any personal data processing carried out by a natural person or legal entity, irrespective of where it is based or where the data is located, provided that:
- The data processing is carried out in Brazil;
- Data is processed in order to offer goods or services in Brazil, or the processing relates to individuals located in Brazil; or
- The personal data subject to processing was collected in Brazil.
The LGPD does not provide for specific security mechanisms, standards or certifications. It simply states that controllers and processors must “implement technical and organizational security measures capable of protecting personal data from unauthorized access, unlawful or accidental situations involving destruction, loss, change, communication or any other unlawful processing activity.” The Brazilian Data Protection Authority (ANPD) will also take the measures actually adopted into account when assessing the penalties for companies liable for data breaches or non-compliance with the LGPD.
Under the LGPD, data controllers must also inform the ANPD and affected data subjects of any security incidents that could harm or put them at risk. This law sets forth several requirements for notifying personal data security incidents.
Cybersecurity and infrastructure
In a separate but related matter, Federal Decree No. 10,569/2020 has set forth rules concerning critical infrastructure – defined as facilities, services and assets whose interruption or destruction would have serious social, economic, political, national or international security impacts. The decree refers to strategic infrastructure for communications, energy, transport, finance, water and other areas that play an essential role in Brazil’s national security, sovereignty, integration and sustainable economic development.
Presidential decrees have also been issued on cybersecurity and critical infrastructure as part of the Brazilian government’s efforts to provide guidelines on these matters. Notably, Decree No. 9,573/2018 defines the National Policy for Critical Infrastructure Security, while Decree No. 10,569/2020 defines the National Strategy for Critical Infrastructure Security. However, it is important to note that the strategies and plans for protecting critical infrastructure are yet to be properly implemented, merely representing guidelines at this stage. Currently, the decrees can be considered ‘soft’ normative, instructional documents – they cannot be enforced, nor can penalties be issued for non-compliance – although there are long-term prospects for a regulatory framework with mandatory rules and concrete measures.
Approved in 2020, the National Cybersecurity Strategy (or E-cyber) is a soft law through which the Federal Government aims to guide Brazilian society on the main cybersecurity-related measures it intends to take between 2020 and 2023. Although the E-cyber is not legally binding, it is an important instrument that supports government planning in relation to improving the security and resilience of critical infrastructure and national public services.
International cooperation
Brazil is making an effort to strengthen regulations on cybersecurity, requiring regulated entities to implement robust cybersecurity policies. However, as the internet has a global reach and transcends international borders, Brazilian authorities’ ability to investigate cybercrimes has been identified as one of the main challenges going forward. Brazil has recently been invited to accede to the Budapest Convention on Cybercrime, and currently holds observer status. The convention, which originated in Europe, has already been signed by more than 60 countries and facilitates information exchanges between different jurisdictions for investigating cybercrimes. Ratifying the convention should ensure Brazil heads in the right direction in keeping up with the fast pace and evolution of cybercrime.