BRAZIL Law and Practice Contributed by: Thomas Gibello Gatti Magalhães, André Dágola Brostoline and Luisa Grespan Danhoni Neves, Magalhães & Zettel
The rule is inspired by the recommendations of the Task Force on Climate Related Financial Disclosure (TCFD), which seeks to promote transparency and market discipline, enabling identification of the institutions’ commitment to a sustainable and inclusive economy, in addition to improving the perception of risks and sup - porting decisions. The GRSAC Report shall address governance in risk management, its impacts on the institution’s strategies and the environmental, social and cor - porate governance risk management processes. BCB Resolution No 151/2021 requires financial institutions in Segments S1, S2, S3 and S4 to submit information to BCB on the assessment of social, environmental and climate risks. The submission shall follow what is provided for in PRSAC of each institution and in the risk man - agement rules, and it is not necessary to provide information not required by these regulations. With regard to digital operational resilience, CMN Resolution No 4,893/2021 establishes that institutions authorised to operate by BCB are required to implement and maintain a cyber - security policy. This policy must be formulated based on principles and guidelines aimed at ensuring the confidentiality, integrity and avail - ability of the data, as well as the information sys- tems used by these institutions. In addition, the cybersecurity policy must be aligned with the institution’s size, risk profile and business model, considering the nature of the transactions and the complexity of the products, services, activities and processes that the insti - 10. DORA 10.1 DORA Requirements
tution develops. The sensitivity of the data and information under the institution’s responsibility shall also be assessed in the preparation of the policy, thus ensuring the adequate protection of information. CMN Resolution No 4,893/2021 also establishes that institutions authorised to operate by BCB must prepare an incident response and action plan, which must include the necessary meas - ures to adapt their organisational and operational structures to the principles and guidelines of the cybersecurity policy. This plan shall include the routines, procedures, controls and technologies to be employed in preventing and responding to incidents. In addition, the rule obliges institu - tions to submit, annually, a detailed report on the implementation of the incident response and action plan, with a base date of December 31. Similarly, CVM Resolution No. 35/2021 estab - lishes rules and procedures to be observed in the intermediation of transactions with securi - ties on regulated markets, and imposes rele - vant provisions concerning cybersecurity. Such provisions include an obligation for institutions authorised to act as intermediaries in the distri - bution system, both on their own behalf and on behalf of third parties, in the trading of securities on regulated markets (“Intermediary”), to devel - op an information security policy. Such policy must cover: • the processing and control of customer data; • cybersecurity; • the guidelines for assessing the relevance of security incidents, including cybersecurity, and the circumstances in which affected cus - tomers must be communicated; and • the contracting of relevant services provided by third parties.
49
CHAMBERS.COM
Powered by FlippingBook