- Chapter I: Object and scope of application
- Chapter II: Cybersecurity policy
- Chapter III: Contracting of data processing, data storage, and cloud computing services
- Chapter IV: General provisions
- Chapter V: Final provisions
- Challenges and benefits
- Best practices
- Conclusion
Resolution CMN 4.893, issued by Brazil's National Monetary Council (Conselho Monetário Nacional - CMN) on February 26, 2021, and implemented on July 1, 2021, represents a landmark regulatory framework that fundamentally transformed cybersecurity governance for financial institutions operating under the supervision of the Central Bank of Brazil (Banco Central do Brasil - BACEN). This comprehensive regulation establishes mandatory cybersecurity policies and stringent requirements for contracting data processing, data storage, and cloud computing services by financial institutions and other entities licensed by BACEN.
The resolution emerged in response to the rapidly evolving digital landscape of financial services, where cloud adoption, digital transformation, and increasingly sophisticated cyber threats created the need for a robust regulatory framework. Resolution CMN 4.893 replaced earlier regulations (Resolutions 4.658 of 2018 and 4.752 of 2019) to provide more comprehensive guidance on cybersecurity governance, incident management, and third-party risk management. Notably, the regulation applies to financial institutions but excludes payment institutions, which are governed separately under BCB Resolution No. 85 of April 2021.
The resolution addresses critical areas including the implementation of formal cybersecurity policies, establishment of incident response plans, appointment of designated cybersecurity officers, annual reporting requirements, and strict processes for engaging cloud service providers. By making these measures mandatory, BACEN aims to ensure the confidentiality, integrity, and availability of data and information systems while maintaining the stability and resilience of Brazil's financial system.
Compliance levels and requirements
Resolution CMN 4.893 is divided into five chapters, each covering a key component of the cybersecurity governance framework mandated for financial institutions operating in Brazil. Together, these chapters define the strategic, operational, and oversight mechanisms required to ensure cyber resilience, protect sensitive information, and maintain the integrity of financial operations.
Chapter I: Object and scope of application
This first chapter defines the purpose, applicability, and general principles of the resolution.
It states that every financial institution and other entity under the Central Bank’s supervision must:
- Establish and maintain a comprehensive cybersecurity policy proportionate to its size, risk profile, business model, and data sensitivity.
- Implement standards and procedures to ensure the confidentiality, integrity, and availability of data and systems.
- Apply these controls not only internally but also to outsourced environments, including data processing, data storage, and cloud computing services.
The chapter also clarifies exceptions—notably, that payment institutions are governed by their own regulatory framework and not by this resolution. It also introduces the principle of proportionality, emphasizing that cybersecurity measures must be consistent with the scale and operational complexity of the institution rather than uniform across all entities.
Chapter II: Cybersecurity policy
The second chapter forms the core of the regulation, setting forth how institutions must establish, disclose, and operationalize their cybersecurity policies. It is subdivided into three key sections.
Section I: Implementation of the cybersecurity policy
This section defines the minimum content and operational requirements of a cybersecurity policy. Institutions must adopt a formal document approved by senior management or the board which explicitly details objectives, responsibilities, and controls.
Key components include:
- Cybersecurity objectives: Define prevention, detection, and mitigation strategies for vulnerabilities, incidents, and intrusions.
- Comprehensive controls: Cover encryption, authentication, network segmentation, access management, intrusion prevention and detection, malware defense, and information-leakage prevention.
- Traceability and accountability: Maintain mechanisms to trace sensitive data and access histories for auditability.
- Incident management: Ensure continuous monitoring, classification, and analysis of events with cause identification and impact evaluation.
- Business continuity planning: Integrate cybersecurity scenarios into continuity and disaster-recovery plans.
- Cybersecurity culture: Promote awareness among employees, clients, and outsourced entities through periodic training.
- Information sharing: Establish channels for collaboration with other institutions and the Central Bank on threats and best practices.
The goal of this section is to ensure an environment where cybersecurity is embedded into enterprise risk management rather than treated as a siloed technical function.
Section II: Disclosure of the cybersecurity policy
This section mandates that institutions disseminate their cybersecurity policies internally and externally, ensuring all relevant parties are informed and aligned.
Core obligations set forth:
- The complete policy must be available to all employees, executives, and third-party service providers.
- A public summary must be published, describing the main objectives and principles without disclosing sensitive or confidential information.
- The content and format of disclosures must be clear, accessible, and appropriate to the audience’s level of understanding.
The goal is to ensure awareness and promote uniform adoption of security standards across the entire ecosystem, including vendors and clients.
Section III: Plan of action and response to cybersecurity incidents
This section requires institutions to create an operational plan that ensures immediate response to and recovery from cybersecurity incidents.
The plan must:
- Define organizational structures, responsibilities, and escalation paths for incident prevention, detection, and resolution.
- Include procedures and technologies to record and analyze incidents, assess impacts, and implement corrective measures.
- Assign a specific director who will be solely responsible for cybersecurity, ensuring direct accountability to senior management and regulators.
- Provide for annual reporting, detailing:
  - Effectiveness of the policy and control mechanisms.
  - Incidents recorded and lessons learned.
  - Results of business continuity and disaster recovery tests.
The annual cybersecurity report must be submitted to the board or equivalent governing body by March 31 of the following year. Both the policy and the response plan must undergo an annual review and reapproval, ensuring continuous improvement and adaptation to evolving threats.
Chapter III: Contracting of data processing, data storage, and cloud computing services
This chapter governs how institutions outsource technology operations, both domestically and internationally. It emphasizes that while services can be outsourced, responsibility cannot be.
Major obligations:
- Risk management integration: Outsourced services must be incorporated into the institution’s risk-management and internal control frameworks.
- Due diligence before contracting: The provider’s technical, legal, and operational capacity to safeguard confidentiality, integrity, and data recovery must be evaluated.
- Governance evaluation: Providers must be evaluated for:
  - Security and access control mechanisms.
  - Data segregation between clients.
  - Certifications and audit transparency.
  - Availability of independent audit reports and compliance attestations.
- Contractual requirements: Contracts must clearly specify responsibilities, including service-level agreements (SLAs), data access terms, and incident reporting obligations.
For foreign providers, additional controls apply:
- Ensure data location clarity, guaranteeing that the Central Bank can access the information even if the data is stored abroad.
- Confirm the existence of supervisory cooperation agreements between the Central Bank and the foreign jurisdiction’s regulator.
- Require explicit contractual clauses for:
  - Data confidentiality and localization.
  - Termination and data return procedures.
  - Audit and inspection rights.
  - Compliance with Brazilian law and regulator access.
This chapter establishes a legal and operational bridge between cybersecurity governance and third-party risk management, ensuring that outsourcing does not weaken regulatory oversight.
Chapter IV: General provisions
The fourth chapter reinforces the integration of cybersecurity and outsourcing controls into broader business continuity and governance frameworks.
Key requirements:
- Develop a crisis management framework with criteria defining “crisis situations” related to cyber incidents or service disruptions.
- Implement continuous monitoring mechanisms, including performance indicators, control metrics, and periodic internal audits.
- Ensure that the continuity of critical operations is maintained during and after security events.
- Require incident reporting to the Central Bank whenever an event has systemic impact or originates from a third-party provider.
The underlying principle is that institutions must be capable of maintaining essential services even amid severe disruptions or cyberattacks.
Chapter V: Final provisions
The final chapter provides procedural, administrative, and enforcement details.
It mandates that:
- Institutions must maintain all cybersecurity documentation, including policies, plans, board resolutions, reports, and outsourcing contracts, for a minimum of five years.
- The Central Bank retains authority to:
  - Specify additional technical requirements.
  - Impose corrective actions or deadlines.
  - Restrict or prohibit contracts that pose security risks.
  - Apply administrative sanctions for non-compliance.
- The resolution established July 1, 2021, as the effective date for full compliance.
- It revokes any previous norms that conflict with its provisions, consolidating all cybersecurity obligations for the above-mentioned supervised entities under one regulatory standard.
Challenges and benefits
Implementing Resolution CMN 4.893 introduces both significant challenges and meaningful benefits for Brazilian financial institutions, requiring strategic investment while strengthening long-term cybersecurity and governance.
Key challenges
- Resource intensity: Compliance demands major financial and human investment in technology, training, and infrastructure, which can strain smaller institutions.
- Technical expertise gaps: The regulation’s focus on areas such as encryption, intrusion detection, and cloud security exposes shortages in specialized cybersecurity talent.
- Third-party risk management: Institutions must rigorously assess and monitor vendors, especially global cloud providers, whose internal security practices they have limited visibility into.
- Cross-border compliance: Using international cloud services adds complexity, as institutions must navigate jurisdictional data restrictions and authorization processes enforced by BACEN.
- Framework integration: Aligning Resolution CMN 4.893 with existing frameworks such as ISO 27001, NIST, and internal governance policies requires careful planning to avoid overlap.
- Administrative burden: Extensive documentation and record-keeping requirements increase workload, necessitating efficient document management systems.
- Evolving threat landscape: Rapidly changing cyber risks require continuous adaptation, as static annual reviews may not provide sufficient protection.
Key benefits
- Enhanced security posture: Comprehensive controls and monitoring significantly reduce cybersecurity risks and strengthen institutional resilience.
- Regulatory confidence: Demonstrated compliance builds trust with BACEN and can lead to reduced supervisory intervention.
- Customer trust: Strong cybersecurity practices reinforce institutional credibility and create a competitive advantage in the financial sector.
- Operational resilience: Emphasis on incident response and continuity planning ensures business stability during disruptions.
- Improved governance: Integrating cybersecurity into enterprise risk management enhances oversight and decision-making at the board level.
- Optimized vendor relationships: Rigorous due diligence and monitoring foster more transparent, accountable, and secure third-party partnerships.
- Support for digital transformation: A mature compliance framework enables the safe adoption of cloud and emerging technologies.
- Collaborative defense: Information sharing among institutions strengthens collective threat awareness and national financial security.
- Global credibility: Alignment with international cybersecurity standards enhances the institution’s reputation with global partners.
- Long-term cost efficiency: Although compliance requires upfront investment, it prevents costly breaches, penalties, and reputational damage over time.
Best practices
Achieving and maintaining Resolution CMN 4.893 compliance while maximizing associated benefits requires adopting proven best practices that go beyond minimum regulatory requirements.
Governance and technical implementation
- Designate executive cybersecurity champions who secure resource allocation and strategic focus, with clear reporting lines to the board and senior management.
- Integrate cybersecurity into enterprise risk management frameworks so that cyber risks appear on institutional risk registers, and use risk-based asset prioritization to direct resources to the highest-risk systems.
- Implement a layered defense architecture in which perimeter defenses, network segmentation, and endpoint protection systems work together as one set of controls.
- Adopt zero trust principles with continuous authentication and least-privilege access, supported by automated vulnerability scanning, patch management, and incident detection systems.
Incident management and vendor oversight
- Develop detailed incident response playbooks for common scenarios specifying roles, decision authorities, and communication protocols.
- Conduct quarterly exercises with senior management and establish clear escalation criteria defining when incidents require BACEN notification.
- Establish tiered vendor assessment approaches with intensive scrutiny for critical vendors and streamlined assessments for low-risk providers.
- Require independent audit reports rather than self-attestations, and integrate security requirements into procurement processes, backed by contractual provisions aligned with Resolution CMN 4.893.
Training, monitoring, and documentation
- Implement differentiated training for general employees, IT personnel, developers, and senior management using realistic methodologies including simulated phishing and red team exercises.
- Subscribe to threat intelligence services and participate in industry information sharing arrangements to strengthen collective defense.
- Define meaningful metrics aligned with cybersecurity objectives including threat detection effectiveness and response efficiency.
- Implement robust document management systems with version control and retention enforcement, maintaining compliance evidence continuously rather than during audit periods.
Conclusion
Resolution CMN 4.893 represents a pivotal moment in the evolution of cybersecurity governance for Brazilian financial institutions, establishing comprehensive requirements that elevate security practices while enabling safe digital transformation. While achieving compliance demands significant organizational commitment and resource investment, the resulting benefits extend far beyond regulatory adherence to encompass enhanced security postures, operational resilience, customer trust, and strategic flexibility.
Financial institutions approaching Resolution CMN 4.893 strategically should view compliance as an opportunity to build lasting capabilities rather than merely a regulatory burden. Those that do so will be positioned to thrive in an increasingly threat-filled financial services landscape. By following structured implementation roadmaps, adopting recognized best practices, and maintaining a commitment to continuous improvement, Brazilian financial institutions can achieve compliance while strengthening the overall resilience and security of Brazil's financial system.