In the last two years, Brazilian companies have intensified their digital transformation process, adopting solutions such as cloud computing, Artificial Intelligence (AI) and automation to gain efficiency and agility. The issue is that, by incorporating these new technologies, companies also begin to deal with new vulnerabilities. In recent quarters, Brazil has witnessed a significant increase in cyber incidents. A report published by Check Point Research showed that, in the 3rd quarter of 2024, Brazilian companies suffered on average 2,766 weekly attacks each 95% jump over the same period of 2023.

Many companies accelerated digital cloud projects during the pandemic and post-pandemic, but not all of them strengthened their defenses at the same pace.As a result, 83% of large companies suffered at least one serious cyber attack in 2023, causing unplanned downtime, financial losses and data leakage.

In addition to strengthening corporate defenses, we are still far from having mature governance processes.Data indicate that the number of organizations in Brazil without data governance can reach 80%.

Innovation versus security: are we expanding our vulnerability?

Even though investments in cybersecurity and governance structuring remain timid, the race for innovation has seen an increase in IT budgets over the past year: from 2023 to 2024, the Brazilian IT market has grown by 13.9%, surpassing the global average and reaching US$ 58.6 billion. Investment priorities have included cloud infrastructure modernization, business process digitalization, and adoption of generative AI.

Traditional sectors, such as banking, lead innovation investments 2023 and 2024 banks and fintechs invest heavily in cloud and AI to offer mobile banking and digital payments. In general, Brazilian companies allocated about 9.4% of their revenue in 2023 and 2024 for Information and Communication Technology (ICT). The Getulio Vargas Foundation (FGV) estimates that this percentage will rise to 11% in the next two or three years, as organizations continue investing in innovation and modernization.

On the other hand, the country has become the second most attacked country in the world in cybercrime, with more than 700 million attacks in 12 months (1,379 attacks per minute!). In 2024 alone, there were 356 billion attempts of cyberattacks in the Brazilian territory, an alarming scenario, and one that is repeated worldwide.

Globally, there was a record 75% increase in 2024, a phenomenon attributed in part to the use of AI by cybercriminals to automate and make the attacks more sophisticated. Mass custom phishing, adaptive malware and more powerful DDoS are examples of threats powered by malicious artificial intelligence.

Vulnerabilities also grow in new ways: a study points out that 57% of Brazilian companies already use AI to generate software code, the third highest rate in the world. Paradoxically, 44% of these organizations have AI-generated code as the main security concern, fearing unexpected failures or loopholes introduced by autonomous software generation. APIs : essential to integrate systems and applications (44%) of these organizations have AI-generated code in Brazil sees high risks in exposed APIs. In short, at the same time they amplify innovation, initiatives such as agile DevOps, migration and amplify the use of AI to extend the environments to extended vectors, to extended the use of AI.

The problem is that innovation does not necessarily go hand in hand with the increase in digital security. Even though many companies are more innovative in cybersecurity, and increasing their arsenal of solutions for defense, the stage is still initial. Last year, the Markets, Innovation & Technology Institute (MiTi) and Security Design Lab (SDL) released a sectoral cybersecurity survey, which evaluated the maturity of 181 Brazilian companies. The study pointed out that, despite improvements, the average level of maturity in cybersecurity was 53%, still medium (TP3T although it is an advance compared to the previous year 4913.

This number indicates that most companies are still below best practices. For example, 53% of companies authenticate critical systems only with login and password, an outdated method, while 24% do not have a budget dedicated to cybersecurity and 27% do not perform penetration tests regularly. These numbers show that although investments are growing, there are still important gaps to be filled in terms of policy, culture and governance.

Governance: along with innovation, can increase cyber resilience

There is a clear correlation between governance and compliance maturity and the company's ability to withstand cyber incidents or drive innovations successfully. The data suggests that organizations with good GRC practices (Governance, Risk and Compliance) suffer less impacts and achieve better results in their digital transformation projects.

For example, the same survey conducted by MiTi and SDL also brought the data that 38% of companies do not have an incident response plan and 46% do not have a disaster recovery plan. These numbers are worrying, as the absence of effective contingency plans tends to prolong and aggravate the damage when an attack occurs.

In contrast, companies that anticipate risks and invest in security reap tangible benefits.A global study by PwC highlights that only 5% of companies actually put security at the center of their innovation, integrating the work of the CISO since the beginning of the projects.

That is, inserting governance and security from the conception of new IT initiatives increases the probability that new projects will be put into operation without increasing the digital attack surface and without leaving companies even more vulnerable. Without governance, big data initiatives, artificial intelligence or digital transformation are at risk of failure or generating unwanted consequences (such as misuse of information or fragile systems).

Companies with more mature governance have an easier time meeting customer and regulatory requirements, which enables participation in new markets and innovation partnerships. On the other hand, the lack of compliance can hinder projects IMAGINE developing an innovative solution that deals with personal data without meeting the LGPD: the project will face legal and reputational obstacles. Therefore, solid compliance and security structures increase stakeholder trust and allow innovation to flourish in a responsible and resilient way.

In short, governance and security are not antagonistic to innovation 'on the contrary, they function as a foundation for sustainable innovation. Companies that structure committees, policies and response plans suffer less from cyber unforeseen events and can focus on growing the business. Those that neglect these strategic elements end up more exposed to interruptions, financial losses and the need for emergency remediation, which invariably delays or redirects investments that could go to innovation. The numbers confirm: maturity in governance, compliance and security go hand in hand with greater resilience and success in technological ventures. Companies that can align these fronts should not only achieve sustainability against sustainability but also better protect themselves against innovation and confidence.

A incorporação de critérios ESG (Environmental, Social and Governance) nas etapas de due diligence – investigação e análise aprofundada feita antes da concretização de fusões, aquisições, parcerias ou investimentos – é uma prática relativamente recente. Porém, tem ganhado espaço de forma ligeira nos últimos anos, refletindo a crescente preocupação do mercado com riscos não financeiros que impactam diretamente reputação, sustentabilidade e valor de longo prazo das empresas.

A due diligence ESG surgiu como uma evolução da tradicional due diligence jurídica, contábil, trabalhista, fiscal e financeira. Ela tem como base as pressões exercidas por investidores, consumidores e órgãos reguladores, que consideram fatores ambientais, sociais e de governança como critérios essenciais na avaliação de riscos e oportunidades. Assim, a adoção da prática reflete uma mudança de paradigma: o desempenho ESG passou a ser entendido não apenas como vantagem competitiva, mas como exigência para a perpetuidade dos negócios.

Na prática, o processo inclui avaliar se a empresa respeita leis ambientais e adota práticas sustentáveis; verificar condições de trabalho, diversidade e direitos humanos na cadeia produtiva; e analisar estruturas de governança, transparência, ética e combate à corrupção. O objetivo é garantir que o negócio seja responsável e resiliente, protegendo o investidor contra passivos ocultos.

O primeiro passo para realização de due diligence ESG é planejamento e definição de escopo. Isto significa identificar os objetivos da due diligence; definir critérios ESG relevantes conforme o setor, região e porte da empresa; e estabelecer quem são os integrantes da equipe responsável pela realização do trabalho. Esta pode ser composta por colaboradores internos e também por profissionais ligados à uma consultoria especializada.

Posteriormente, deve-se fazer uma coleta de informações, sendo solicitados documentos e relatórios relacionados a políticas ambientais (licenças, uso de recursos, emissões, resíduos, gestão de riscos ambientais, etc), sociais (práticas trabalhistas, diversidade, saúde, segurança e relacionamento com comunidades) e de governança (estrutura de controle, ética, compliance, transparência e anticorrupção). Com tudo isso em mãos, é importante conversar com as lideranças da empresa que sejam responsáveis por ESG e áreas de risco e, se possível, realizar visitas técnicas in loco para verificação de práticas e estruturas físicas.

Após avaliação da conformidade com leis e regulamentos, alinhamento com padrões internacionais (como GRI, SASB, TCFD e OCDE) e identificação de riscos potenciais (baixo, médio, alto) – assim como de oportunidades de melhorias – deve-se dar início à elaboração de um relatório detalhado. Nele, além de todas as informações coletadas, devem ser sugeridas recomendações, como possíveis medidas corretivas; e indicadas cláusulas contratuais ou garantias (se for o caso de uma operação societária).

Para concluir, pode-se estabelecer mecanismos de monitoramento e acompanhamento da evolução ESG dentro da empresa, com possível realização de auditorias periódicas ou KPIs (sigla para Key Performance Indicators stories Indicadores-Chave de Desempenho) sustentáveis. Todo o processo contribui para que as decisões tomadas seja mais informadas, assertivas e sustentáveis, com mitigação de riscos legais, financeiros e reputacionais.