Cybersecurity formal policy
A policy approved by senior management, compatible with the institution’s size and risk profile, with clear objectives, guidelines, and information security responsibilities established.
WHITEPAPER · CENTRAL BANK REGULATION
How continuous external attack surface management supports authorized financial and payment institutions to meet the cybersecurity requirements of Central Bank Resolutions CMN nº 4.893/2021 and nº 4.557/2017 — with asset discovery, exploitability validation, and auditable evidence.
EXECUTIVE SUMMARY
The Central Bank of Brazil and the Monetary Council (CMN) have established a regulatory framework that obligates financial institutions and payment entities to maintain a formal cybersecurity policy, manage cyber risks as part of their risk management structure, and control the risks associated with the contracting of processing, data storage, and cloud computing services.
This framework is principle- and outcome-oriented: it requires the institution to demonstrate, in documented and verifiable form, that it knows its assets, identifies its vulnerabilities, assesses its risks, tests its controls, and responds to incidents—without prescribing a specific tool for each obligation. Central Bank supervision operates on evidence; technical-backed statements of intent are insufficient.
The majority of today's attack surfaces exploited begin outside the traditional perimeter: forgotten domains and subdomains, exposed test environments, subsidiary and supply chain assets, leaked corporate credentials, and poorly configured cloud services. It is precisely this layer—the external attack surface—that CSURFACE discovers, monitors, and prioritizes continuously.
This whitepaper maps, thematically, the cybersecurity requirements of the Central Bank's regulation to the capabilities of the CSURFACE platform, delineating with precision the scope of coverage: CSURFACE acts on external exposure and produces auditable technical evidence; it supports compliance—without replacing it. Governance, policy definition, incident response, and internal controls remain the institution's responsibility.
IN THIS DOCUMENT
1 · REGULATORY CONTEXT
The cybersecurity of institutions regulated by the Brazilian Central Bank is anchored in two Monetary Council resolutions that complement each other: one specifically addresses cybersecurity and cloud computing policies; the other addresses the risk management structure, which includes cyber risk.
Monetary Council Resolution CMN No. 4.893/2021 establishes the cybersecurity policy and requirements for the contracting of data processing and storage services and cloud computing by institutions authorized to operate by the Central Bank. It consolidated and updated the previously established framework set out in Monetary Council Resolution CMN No. 4.658/2018.
In general, Resolution 4.893/2021 requires that the institution:
Monetary Council Resolution CMN No. 4.557/2017 establishes the risk management and capital structure of financial institutions. It requires a continuous and integrated risk management framework, which includes operational risk — encompassing risks arising from information security and system failures, as well as outsourcing-related risks.
In combination, both resolutions establish that cyber risk is not an isolated technical issue: it must be identified, measured, evaluated, monitored, controlled, and reported within the formal risk management structure of the institution, with defined roles and reporting to senior management.
To whom it applies. The framework covers institutions authorized to operate by the Brazilian Central Bank — banks, credit cooperatives, payment institutions, and other supervised entities — taking into account the size and nature of each institution's operations. Other sector-specific norms and applicable regulations complement this set but maintain the same logic: formal policy, risk management, and demonstration of control.
2 · KEY REQUIREMENTS
Reading Resolutions CMN nº 4.893/2021 and nº 4.557/2017 thematically, seven areas concentrate the cybersecurity requirements that directly touch the attack surface.
A policy approved by senior management, compatible with the institution’s size and risk profile, with clear objectives, guidelines, and information security responsibilities established.
Cyber risk managed within the risk management structure: identified, measured, evaluated, monitored, and reported continuously and integratedly, with accountability to senior management.
Procedures and controls for prevention, detection, and treatment of relevant incidents, with logging, classification, cause analysis, and communication to involved parties and regulator when applicable.
The institution must know the information assets that support its operations—including those exposed to the internet—to protect them. Risk is not managed of what one cannot see.
Periodic assessment of the effectiveness of security controls, identification of vulnerabilities, and verification that applied corrections have effectively reduced exposure.
Due diligence and continuous monitoring of service providers for processing, data storage, and cloud computing—and the relevant supply chain for operations.
Designation of a responsible director for the cybersecurity policy, periodic review and updating of documents and controls, and public disclosure of key policy lines. Governance closes the loop: defines who is accountable, how often it is reviewed, and what is communicated.
3 · HOW CSURFACE MEETS
CSURFACE is a platform for external attack surface management. It does not cover all regulation — it covers, in depth, the external exposure layer, which concentrates the origin of most exploited vectors against financial institutions. The following areas of regulation are mapped to the corresponding capabilities of the platform.
The regulation requires that the institution knows the assets supporting its operations. In practice, what most frequently escapes control is what operates outside the knowledge of the security area: abandoned subdomains, published test environments without control, assets from incorporated subsidiaries, certificates, and services exposed by teams with no formal interface to the information security function. The official inventory records only what is already known.
CSURFACE continuously discovers the external attack surface of the institution using Machine Learning to correlate domains, certificates, IP blocks, services, and technologies and assign them to the organization — including shadow IT and the digital presence of suppliers. The result is a dynamic external inventory that is automatically updated as the exposure evolves — not a one-time snapshot subject to immediate degradation. Each discovered asset is classified by criticality, providing the factual base needed for structured risk treatment prioritization.
Identifying assets and vulnerabilities is necessary but not sufficient; regulation requires that the risk be measured, evaluated, and reported. CSURFACE prioritizes exposures by real exploitability — cross-referencing threat intelligence, active exploits, and active exploitation catalogs with the criticality of each asset. The result is a ranked and objectively justifiable risk queue that replaces the unstructured volume of findings with a structured treatment agenda.
For the risk management structure required by CMN Resolution No. 4.557/2017, CSURFACE translates external exposure into financial risk quantification — a metric assimilable by the board and the risk area, directly integrable into the formal operational risk reporting. Cyber risk is expressed in comparable magnitude to other risks of the institution, allowing treatment decisions based on objective and hierarchical criteria.
The regulation expects periodic evaluation of control effectiveness. CSURFACE operates continuously — not in annual cycles — and where test modules are available, it actively validates the exploitability of an exposure, confirming whether it is actually attackable. In other cases, the assessment is passive detection with version and configuration matching. When a correction is applied, the platform re-verifies the asset and confirms if the path to attack was effectively closed.
This continuous validation complements — does not replace — the penetration testing and formal evaluations that the institution contracts. It reduces the monitoring gap between periodic evaluations, during which new exposures may arise and remain untreated.
CMN Resolution No. 4.893/2021 devotes specific attention to cloud service contracting and significant outsourcing. CSURFACE monitors the external attack surface of suppliers and providers in the digital supply chain, identifying third-party exposures that may convert into risk for the contracting institution. For cloud services, discovery identifies assets and services published on cloud providers and signals observable exposed configurations.
The scope must be precisely delimited: CSURFACE evaluates the third party from its observable external exposure. Due diligence, clause evaluation, data location verification, and provider audit remain institutional processes — the platform provides the technical component of continuous monitoring that supports and documents these processes.
An effective incident response plan depends on early detection. CSURFACE monitors the leakage of corporate credentials in public sources and deep/dark web, alerting when access data from the institution or its employees appear exposed — often the first indication of an imminent compromise.
When a critical exposure is discovered, the platform issues prioritized alerts with context and correction suggestions, feeding the institution's incident response process. CSURFACE provides the trigger and technical evidence; the response structure — team, procedures, communication to the regulator, and cause analysis — is operated by the institution according to its policy.
The formal policy, designation of the responsible director, and periodic review are acts of governance that fall to the institution. What CSURFACE offers is the factual input that gives substance to this governance: a continuous and dated record of the external attack surface, identified exposures, prioritizations, and evolution of remediation over time. The annual policy review now rests on objective data about how the institution's external exposure evolved during the period, with factual evidence.
| Regulatory Area | Scope | How CSURFACE Contributes |
|---|---|---|
| Asset Identification and Inventory | Platform | Continuous discovery of the external surface by Machine Learning — domains, services, cloud, shadow IT — with automated criticality classification. Covers what is exposed to the internet; the internal network inventory remains with the institution. |
| Cyber Risk Management | Shared | Prioritization by real exploitability and financial risk quantification, ready for operational risk reporting. Integration into the formal risk structure and treatment decisions are of the institution. |
| Periodic Testing and Evaluations | Platform | Continuous evaluation of the external surface; active validation of exploitability where test modules are available, passive detection in other cases; re-verification after correction. Complements, does not replace, formal penetration testing. |
| Cloud and Third-Party Risk | Shared | Continuous monitoring of the external surface of suppliers and cloud assets. Due diligence, audits, and legal evaluation of the provider remain institutional processes. |
| Incident Response Plan | Shared | Monitoring of leaked credentials and prioritized alerts for critical exposures — trigger and evidence for the response. The operation of the plan, team, and communication to the regulator are of the institution. |
| Formal Cybersecurity Policy | Shared | Provides continuous data on external exposure that gives substance and factual basis to the policy. The drafting, approval, and maintenance of the policy are of the institution. |
| Governance, Review, and Transparency | Shared | Auditable and dated trail of exposures and remediations useful for periodic review and reporting. The designation of the responsible director and public disclosure are institutional acts. |
4 · EVIDENCE FOR INSPECTION
The supervision of the Central Bank requires verifiable evidence—not statements of intent. The regulator expects records that demonstrate that controls exist, operate effectively, and are periodically reviewed. CSURFACE was designed to produce this continuous, dated, and exportable record.
A continuous log of the external attack surface, with the date of discovery for each asset—demonstrating that the institution maintains up-to-date visibility into what it exposes to the internet.
Each identified exposure is logged with severity, asset criticality, and rationale for prioritization—a trail that proves that the risk was identified and evaluated, not ignored.
Reverification after correction logs when an exposure was opened and when it was effectively closed—objective proof that the treatment cycle works.
Where there is active validation, the log shows that the assessment confirmed—or dismissed—the real exploitability, supporting risk decisions with technical basis.
Logs of external exposures from relevant suppliers, which give substance to the continuous monitoring of providers required for cloud and outsourcing services.
Executive and technical views exportable—for annual policy review, operational risk reporting to the board, and supervision demands.
5 · CONCLUSÃO
The CMN Resolutions nº 4.893/2021 and nº 4.557/2017 do not prescribe a specific technology — they require demonstrable capability. They demand that the institution knows what it exposes to the internet, measures the risk this represents, tests its controls, monitors its suppliers, and responds to incidents, all within a governance structure with defined roles and accountability to senior management.
The bulk of this requirement materializes in the external attack surface — and it is precisely here that CSURFACE acts with depth. Continuous asset discovery through Machine Learning, prioritization based on real exploitability, validation, monitoring of leaked credentials, supply chain surveillance, and quantification of risk in financial terms: each of these capabilities directly responds to a regulatory area and produces the auditable evidence that regulators expect.
CSURFACE does not promise automatic compliance, and no responsible platform would. The policy, governance, incident response, and internal controls remain the institution's responsibility. What CSURFACE offers is the most solid technical foundation available for the external layer: continuous visibility of the exposure surface, quantified risk in financial terms, and a structured trail of evidence for supervision. For an institution regulated by the Central Bank, these elements represent the difference between presenting compliance statements and demonstrating them with verifiable data.
FREQUENTLY ASKED QUESTIONS
No. No tool provides automatic compliance. CSURFACE offers capabilities and auditable evidence that support the institution in meeting CMN Resolutions nº 4.893/2021 and nº 4.557/2017, specifically at the external exposure layer. The policy, governance, and internal controls remain the responsibility of the institution.
No. CSURFACE is a platform for external attack surface management. It covers, in depth, asset discovery, risk prioritization, exploitability validation, credential and third-party monitoring. Internal controls, endpoint security, HR processes, and governance are not within its scope.
No — it complements. CSURFACE operates continuously and reduces the unmonitored exposure window between formal assessments, validating the exploitability of the external surface where modules are available. Periodic penetration tests continue to be a recommended and necessary practice for full compliance.
The platform maintains a continuous and dated record of the attack surface, exposures, and remediation. This history provides factual basis for periodic policy reviews, operational risk reporting to management, and compliance with supervisory demands.
Yes. Cybersecurity and risk management policy requirements cover a wide range of Central Bank-authorized institutions, considering size and profile. The external attack surface must be managed in any institution operating digital services.
Enter the domain of your institution and receive a preliminary analysis of the external attack surface — the factual starting point to support compliance with CMN Resolutions nº 4.893/2021 and nº 4.557/2017.
Receive preliminary analysis