Central Bank Requires Cyber Insurance and Accreditation for PSTIs; Short Deadline Pressures the Sector and Could Accelerate Risk Management Maturity in the Financial System.
The new regulation from the Central Bank (BCB) made the procurement of civil liability and operational risk insurance compulsory, including fraud and cybersecurity incidents, for Information Technology Service Providers (PSTIs) that connect institutions to the National Financial System Network (RSFN).
The regulation (BCB Resolution No. 498, dated 9/5/2025) also establishes criteria for accreditation, governance, and business continuity. According to legal analyses, active PSTIs have four months to comply.
The measure comes with adjustments to Pix and TED: institutions using an unaccredited PSTI are subject to a limit of R$ 15,000 per transaction, with possible exemptions if security requirements are proven. The regulatory package aims to raise the operational resilience of the SFN/SPB.
According to Marta Helena Schuh, Director of Cyber and Technology Insurance at Howden Brasil and director of DESEG/FIESP, the BCB requirement is a turning point. “We are facing a historic moment… digital risk is now treated as an essential part of the financial system’s solidity,” said Marta in an interview.
What Exactly Changes with BCB Resolution 498
Resolution 498 regulates the requirements, procedures, and conditions for the accreditation of PSTIs that process data for access to the RSFN. Among the key points are a minimum governance structure, specific directors for information/cybersecurity, risk management and compliance, minimum capital stock, and an annual external audit.
The item that resonates most in the market is the insurance requirement: the PSTI must prove the procurement of civil liability and operational risk insurance, with minimum coverage as defined by the BCB, including cybersecurity and fraud. Specialized offices detail this requirement in their opinions.
Non-compliance may lead to measures such as de-accreditation and more restrictive operational limits. According to sector analyses, the regulator’s goal is to provide scale and standard to the technological layer that connects institutions to the SFN and SPB.
Immediate Impacts on Pix, TED, and the RSFN
The same regulatory round introduced changes to Pix (Res. BCB 496) and TED (Res. BCB 497). Participants connecting via a PSTI are limited to R$ 15,000 per transaction, unless they access the RSFN through an accredited PSTI and demonstrate controls such as non-sharing of private keys and integrity validations, attested by an assurance report from an independent auditor.
These constraints create a regulatory incentive: those who become accredited and prove robust controls gain operational flexibility. For the end user, the expected effect is more security and greater predictability in electronic transactions, in line with the BCB’s strategy to enhance the cybersecurity of the system.
According to the timeline outlined by experts, active PSTIs must comply with the new rules within four months, under penalty of sanctions that include restrictions on connection to the RSFN. This accelerates compliance, auditing, and risk transfer projects through insurance.
Mandatory Insurance: Maturity, Cost, and Network Effect
According to Marta Schuh, the main challenge is accurately measuring digital risks and aligning insurance policies with compliance policies. “The Brazilian market is still maturing in this regard… it will require intensive consulting work between insurers and brokers,” she claims.
In Brazil, Susep has mapped rapid evolution in branch 0327 (cyber), but the branch still has coverage gaps compared to developed markets. The 2024 working group highlights the role of insurance as a regulatory instrument and of risk management services (cyber health checks, incident response) as essential for reducing losses.
Globally, the cyber insurance market totaled approximately US$ 16.3 billion in 2025, with expectations to double by 2030, according to Munich Re. The trend is for accelerated growth as attacks and sector requirements increase.
People, Risk Culture, and the Role of Brokers
For the executive, risk is transversal: it involves legal, compliance, HR, communication, and top leadership. “The human factor remains the greatest vulnerability,” she says. Continuous training, simulations, and behavior metrics reduce both incidents and insurance claims.
Howden, a multinational broker present in 56 countries, views Resolution 498 as a catalyst for standardization and scale. The broker states that it translates technical complexity into accessible programs for SMEs and large corporations, connecting reinsurance, auditing, and incident response. Its corporate figures back its claims of global reach and solution-design capability.
Marta summarizes the priority: “Prevention, monitoring, and rapid response. Cyber insurance does not replace technical protection; it ensures financial resilience when the worst happens.”
Generative AI and Governance: Lessons from the AI Act
The arrival of generative AI expands both efficiency and attack surface. Digital governance policies, transparency, and bias management are coming into focus. The external reference is the European AI Act, published in the Official Journal on 7/12/2024 and in effect since 8/1/2024, with staggered application deadlines.
Brazilian companies can anticipate best practices from the AI Act when dealing with high-risk models, supply chains, and security audits. The convergence with 498 is likely to raise standards of compliance in the financial ecosystem.
In the short term, risk and IT teams need to align model inventories, data controls, and continuity plans, including for ransomware and AI-mediated fraud — requirements that correlate with insurance and audits mandated by the BCB.
So What Now? Should the BCB rule indeed require PSTIs to purchase cyber insurance, and will it change market prices or coverage? Do you agree that limits on Pix/TED for users of unaccredited PSTIs are the right way forward? Comment on whether Resolution 498 creates real protection or just regulatory cost; your viewpoint helps enhance the debate.