Cybersecurity policy
Regulation requires a formal cybersecurity policy. CSURFACE generates the technical evidence that this policy is being executed in practice — through asset discovery, credential monitoring, and validation of exposures.
COMPLIANCE · BACEN
Resolutions CMN 4.893 and 4.557 require authorized institutions under the supervision of the Central Bank to demonstrate a demonstrable posture of cybersecurity, supported by technical evidence. CSURFACE continuously and audibly produces this technical evidence that supports such demonstration.
WHAT REGULATION REQUIRES
The CMN Resolution No. 4.893, of 2021, mandates that authorized institutions by the Central Bank maintain a formal cybersecurity policy and meet specific requirements for the procurement of processing, data storage, and cloud computing services. The CMN Resolution No. 4.557, of 2017, establishes the structure of continuous risk management, including the risk associated with relevant suppliers.
The common requirement is evidence. During an inspection, it's not enough to have the policy on paper: one must demonstrate, with technical data, that the controls are operating — that assets are known, that exposures are tested, that suppliers are monitored, and that senior management receives this information. Manually gathering this evidence using spreadsheets and ad-hoc checks is a weeks-long task for each cycle.
CSURFACE automates the collection of this evidence regarding the external attack surface of the institution — continuously and exportable for inspection.
COVERAGE
The platform acts on external exposure — the portion of the attack surface accessible via the internet.
Regulation requires a formal cybersecurity policy. CSURFACE generates the technical evidence that this policy is being executed in practice — through asset discovery, credential monitoring, and validation of exposures.
The institution must know and maintain an up-to-date inventory of its assets. CSURFACE continuously discovers the external attack surface, classifies each asset by business criticality, and records a verifiable audit trail of every change.
The standard requires periodic assessment of controls and vulnerabilities. CSURFACE continuously validates exposures and produces verifiable evidence of each test, always up-to-date throughout the entire period.
Resolution 4.893 addresses the contracting of cloud services, while Resolution 4.557 covers the evaluation of relevant suppliers. CSURFACE maps the digital supplier chain embedded in its assets and continuously tracks each third party's exposure.
Regulation requires an incident response plan. By monitoring leaked corporate credentials and emerging threats, CSURFACE reduces the window between compromise and detection, giving the incident response plan a faster trigger.
The policy must be monitored by top administration. CSURFACE delivers periodic reports on the evolution of risk translated into financial value, ready for the risk committee and senior management.
WHITEPAPER
The full document: what Resolutions 4.893 and 4.557 require, requirement by requirement, and how CSURFACE supports the evidence for each.
FREQUENTLY ASKED QUESTIONS
Compliance is the responsibility of the institution. CSURFACE provides the technical capabilities and continuous, auditable evidence that support several requirements of Resolutions 4.893 and 4.557—especially those related to external exposure.
The part related to the external attack surface: inventory of exposed assets, continuous vulnerability assessment, supply chain risk, and evidence for reporting to senior management. The platform does not analyze the internal network.
Yes. CSURFACE maintains an auditable trail of findings, classifications, and tests, exportable in the required format to demonstrate the operation of controls.
The discovery begins producing data within hours and consolidates in the first few days—without the traditional scanner deployment cycle.
Enter the institution's domain and receive a preliminary analysis of the attack surface. No card, no meeting.
Receive preliminary analysis