COMPLIANCE · BACEN

Evidence of technical compliance for the regulation of cybersecurity by the Central Bank.

Resolutions CMN 4.893 and 4.557 require authorized institutions under the supervision of the Central Bank to demonstrate a demonstrable posture of cybersecurity, supported by technical evidence. CSURFACE continuously and audibly produces this technical evidence that supports such demonstration.

WHAT REGULATION REQUIRES

Cybersecurity that needs to be proven

The CMN Resolution No. 4.893, of 2021, mandates that authorized institutions by the Central Bank maintain a formal cybersecurity policy and meet specific requirements for the procurement of processing, data storage, and cloud computing services. The CMN Resolution No. 4.557, of 2017, establishes the structure of continuous risk management, including the risk associated with relevant suppliers.

The common requirement is evidence. During an inspection, it's not enough to have the policy on paper: one must demonstrate, with technical data, that the controls are operating — that assets are known, that exposures are tested, that suppliers are monitored, and that senior management receives this information. Manually gathering this evidence using spreadsheets and ad-hoc checks is a weeks-long task for each cycle.

CSURFACE automates the collection of this evidence regarding the external attack surface of the institution — continuously and exportable for inspection.

COVERAGE

How CSURFACE supports each requirement

The platform acts on external exposure — the portion of the attack surface accessible via the internet.

1

Cybersecurity policy

Regulation requires a formal cybersecurity policy. CSURFACE generates the technical evidence that this policy is being executed in practice — through asset discovery, credential monitoring, and validation of exposures.

2

Continuous inventory of assets

The institution must know and maintain an up-to-date inventory of its assets. CSURFACE continuously discovers the external attack surface, classifies each asset by business criticality, and records a verifiable audit trail of every change.

3

Periodic testing and evaluation

The standard requires periodic assessment of controls and vulnerabilities. CSURFACE continuously validates exposures and produces verifiable evidence of each test, always up-to-date throughout the entire period.

4

Vendor and cloud risk

Resolution 4.893 addresses the contracting of cloud services, while Resolution 4.557 covers the evaluation of relevant suppliers. CSURFACE maps the digital supplier chain embedded in its assets and continuously tracks each third party's exposure.

5

Incident response

Regulation requires an incident response plan. By monitoring leaked corporate credentials and emerging threats, CSURFACE reduces the window between compromise and detection, giving the incident response plan a faster trigger.

6

Reporting to senior management

The policy must be monitored by top administration. CSURFACE delivers periodic reports on the evolution of risk translated into financial value, ready for the risk committee and senior management.

WHITEPAPER

BACEN Cybersecurity Compliance with CSURFACE

The full document: what Resolutions 4.893 and 4.557 require, requirement by requirement, and how CSURFACE supports the evidence for each.

Read the whitepaper →

FREQUENTLY ASKED QUESTIONS

FAQ

Does CSURFACE guarantee compliance with BACEN?

Compliance is the responsibility of the institution. CSURFACE provides the technical capabilities and continuous, auditable evidence that support several requirements of Resolutions 4.893 and 4.557—especially those related to external exposure.

What part of the regulation does CSURFACE cover?

The part related to the external attack surface: inventory of exposed assets, continuous vulnerability assessment, supply chain risk, and evidence for reporting to senior management. The platform does not analyze the internal network.

Does the evidence serve for inspection?

Yes. CSURFACE maintains an auditable trail of findings, classifications, and tests, exportable in the required format to demonstrate the operation of controls.

How long does it take to have evidence available?

The discovery begins producing data within hours and consolidates in the first few days—without the traditional scanner deployment cycle.

Start with your external exposure evidence.

Enter the institution's domain and receive a preliminary analysis of the attack surface. No card, no meeting.

Receive preliminary analysis