Following recent cyberattacks on supply chains in Brazil, the Central Bank published Resolution BCB nº 498 earlier this month. The resolution mandates the purchase of cyber insurance for technology service providers operating within the national financial system and imposes stringent requirements for information security, risk management, and compliance. For Howden Brasil, a global brokerage specializing in complex insurance, the rule represents a watershed moment: it pushes for greater governance within supply chains and demands that contracting companies exercise more rigorous control over their technology partners.
"Large companies invest heavily in cybersecurity, but are impacted by vulnerabilities in smaller partners, who often do not follow the same governance standards. The resolution is intended to address this mismatch. Cyber insurance, in addition to financial protection, is an important tool for inducing improvements in companies' controls," analyzes Marta Helena Schuh, Director of Cyber and Technology Insurance at Howden Brazil.
The standard requires these providers, often startups or early-stage companies, to adopt effective information security, risk management, and compliance practices. In addition to the mandatory cybersecurity insurance, other requirements include the adoption of tools like encryption, strong authentication, and data breach protection; the formation of specific cybersecurity governance committees; and audits focused on digital security.
"Now it will be necessary to demonstrate maturity in processes, controls, and governance. Large companies will actually need to demand security from their partners. This completely changes the relationship standard with technology suppliers," the expert emphasizes.
The expert highlights that the Central Bank's move reflects a broader picture: cybersecurity risks have become strategic and are now treated at the same level as other classic corporate risks, such as fire, theft, or credit risk.
According to the World Economic Forum, cybercrime already generates a financial volume comparable to the world's third-largest GDP. In Brazil, recent incidents show that the losses are real and increasing. A report from cybersecurity firm NetScout indicates that Brazil suffered 550,550 DDoS (Distributed Denial of Service) attacks in the first half of 2025 alone, a surge of over 50% compared to the previous half-year. These attacks, which overwhelm networks and servers by bombarding them with malicious traffic, aim to take systems offline and disrupt essential services, directly impacting the operations of businesses and their technology providers. The volume makes the country the most targeted in Latin America for this type of attack, highlighting the growing risk to digital supply chains.
"Today, boards of directors already recognize that digital security isn't just a technical issue. It's a matter of business continuity, reputation, and financial survival," Marta states.

