The Brazilian Pension Funds Authority (PREVIC) outlined a new cycle of strategies and forthcoming supervisory and regulatory standards on cybersecurity and data privacy for closed supplementary pension entities (EFPC), focused on protecting systems and sensitive participant and beneficiary data. The authority indicated the changes will be introduced gradually, calibrated to each entity’s maturity and developed in ongoing dialogue with other bodies in Brazil’s financial system. PREVIC’s studies and draft standards are being developed with reference to the NIST framework, CIS Controls and ISO 27000, alongside guidance from the International Organisation of Pension Supervisors, Brazil’s Information Privacy and Security Programme and relevant federal decrees. The proposed implementation approach starts with awareness-raising and self-diagnosis so entities can measure vulnerabilities, followed by risk-based supervision with periodic assessments and monitoring of governance controls such as backups, access and password restrictions, and incident response planning. Cybersecurity will also feature in PREVIC’s 2026 Annual Supervision Plan as a thematic supervision area for the largest and most complex pension funds in segments S1 and S2.
Brazilian Pension Funds Authority (PREVIC) 2025-09-26
Brazilian Pension Funds Authority outlines phased cybersecurity and data privacy standards for closed pension funds
The Brazilian Pension Funds Authority (PREVIC) announced new strategies and regulatory standards on cybersecurity and data privacy for closed supplementary pension entities, referencing frameworks like NIST and ISO 27000. Implementation will begin with awareness and self-diagnosis, followed by risk-based supervision and governance control assessments. Cybersecurity will be a focus in PREVIC’s 2026 Annual Supervision Plan for the largest pension funds.