2018/2019 Edition of the Global Regulatory Update

Treasury and Trade Solutions

Importantly, the policy should also include initiatives for the sharing of information on relevant incidents with other institutions covered by the resolution. Institutions must also have clear incident action and response plans.

With respect to cloud computing, the resolution specifies requirements for hiring cloud computing services to ensure service providers comply with applicable laws and regulations, and guarantee the institution’s access to the data. Hiring cloud computing services requires at least a 60-day notification to the Central Bank, and assurance by the institution that the cloud computing services will not cause any damage to the institution’s operations or those of the Central Bank. Contracts must be in place that specify the regions and countries in which the data will be processed, the adoption of secure methods to exchange and store data, clauses related to data breach, and others. Institutions must assure that business continuity risks are adequately considered.

The resolution also specifies administrative requirements like the appointment of a director for the cybersecurity policy and incident plans, the preparation of an annual report on the policy and plans, ongoing monitoring and testing of controls, etc. Finally, of particular note, provisions apply equally to external third parties and internal affiliates of institutions.

Prior to publishing the final resolution, a series of public consultations was held, which resulted in a significant improvement to the original draft. Notably, the final resolution removed the requirement for data localization in Brazil and restrictions on cross-border data flows.
