Yes, there are several measures. First, Brazilian National Monetary Council ("CMN") Resolution No. 4,893, effective as of 26 February 2021 ("Resolution 4,893"), provides for cybersecurity policy and requirements for data processing and storage and cloud computing services to be followed by financial institutions and similar entities. In this context, Brazilian Central Bank ("BCB") Resolution No. 85, effective as of 8 April 2021 ("Resolution 85"), regulates these matters with respect to payment institutions.
Additionally, Brazilian Securities and Exchange Commission ("SEC") Resolution No. 35, effective as of 26 May 2021 ("Resolution 35"), establishes rules and proceedings to be followed in respect of the intermediation of securities on regulated securities markets by the entities under its supervision (for example, brokers).
Cloud services, including processing and storage of data provided offshore, must also observe, among other issues, the following, pursuant to Article 16 of Resolution 4,893 and Resolution 85:
-
An agreement to exchange information between the BCB and the regulatory authorities of the countries where the services are provided.
-
A contracting financial or payment institution must ensure that the provision of services does not damage its regular functioning nor hinder BCB activities.
-
A contracting financial or payment institution must define, prior to retaining services, the countries and regions (in each country) where those services may be provided and where data may be stored, processed and managed.
-
A contracting financial or payment institution must establish alternatives for the continuity of its business activities, in case the cloud service agreement is terminated or becomes impossible to maintain.