Ayrton de Aquino Santos, director of inspections at the Central Bank (BC), said this year’s cyberattacks on some institutions of the financial system “were the result of social engineering.” He also recalled steps BC has taken in recent months, including changes to information technology service provider (PSTI) capital requirements and pocket accounts.
“This shows that central banks are paying attention and that we need to move forward and that we need to act as direct supervisors of institutions,” he said at the 15th International Risk Management Conference organized by the Brazilian Banking Federation (Febraban).
Asked whether BC was late in discovering the industry’s cyber vulnerabilities, he said it was not. “I think we’re not behind. Everything we’ve done, we’ve not been behind.” “Pain always teaches us,” he added.
He stressed that there are currently 300 payment institutions and that a systematic approach is needed to strengthen their risk culture. “We need to strengthen the risk culture of these companies, we need to strengthen the cyber resilience of these companies,” he said.
Aquino also noted that BC’s latest measures were very clear on this point. “There is work to be done if we clearly recognize that a significant number of IPs (payment institutions) were always present in most of the attacks and the two major cyber incidents against C&M and Sinqia,” Aquino said.
For the director, there are two standards that need to be discussed with the industry. One concerns connectivity through APIs (Application Programming Interfaces) and the other concerns third-party services. “Why do I think third-party services are fundamental? The event featured social engineering and involved third parties. We learned that.”
According to the director, third-party risks in the financial system are among the most important. “How you treat third parties on your premises, how you manage them, and how you manage them is one of the most complex risks,” he said.
Aquino also pointed out that “operational risks destroy the system.” “We’ve had two (cyber) incidents where low-impact institutions have suffered, lost some of their assets, and potentially perished due to non-compliance. This is my message to ladies and gentlemen: Be cautious, manage your risks well, map your risks and strengthen your internal audits,” he said.
Asked whether the Risk and Control Rating System (SCR) methodology used to supervise banks could also be applied to non-bank institutions, Aquino said yes, and added that the move was well planned.
The director noted that the first tests are currently being carried out and that full-scale production should begin in 2026.
“The internal decision is to apply the same rules to everyone. We are going to move in that direction. It doesn’t matter whether you are an IP (Payment Institution), an SCD (Direct Credit Society), a People’s Financing Association (SEP) or a large cooperative with 20 billion reais in assets. We need to apply the same rules,” he explained.