Glória Faria

1. Technology, Complianceand information security in the insurance sector according toLaw 13,709/18 Glória Faria

2. Context Increasednumber offraudsrelated to the use of data Information-based society Data leaks Advance in new technologies Individualsunaware oftheir data being used

3. World Scenario David Danisar August 2018 Blue – general law for protectionof data Red – Law in projectorinitiative in progress for theapprovationofthelaw White – No initiativeofinformationconcerningtheissue

4. GDPR • The European Data Protection Regulation is applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe. Since the entry of the ForeignCorruptionPracticeAct (FCPA), the world hadn’tknown a law with suchbroadening extraterritorial effects. • That's why giants of the digital economy, such as Google, Facebook and Amazon, have mobilized thousands of people to adapt to the regulation.

5. GDPR • How does the new European regulation change the legal paradigm on data protection for European citizens? • The General Regulation on Protection of Personal Data (GDPR) continues to follow the approach of the previous Data Protection Directive (95/46 / EC), and now regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU. . • It modernizes data protection rules and introduces a number of new elements to enhance the protection of individual rights. Noteworthy are the following changes: • Reinforcementof individual rights. • Change of paradigm for companies (processors and subcontractors). • Importance of cooperation mechanisms between national data protection authorities, including with regard to the application of fines. • Percentage and considerable increase in the value of fines.

7. Law 13.709/18 Fonte: Apresentação do Dr. Mario Viola no Workshop da CNseg sobre Proteção de Dados Pessoais

8. General Data Protection Act • The General Data Protection Act shall be effective in February 2020. • It is highlighted that any non-compliance with the law will imply: • Warning, indicating deadline for corrective measures; • Fines of up to 2% (two percent) of the billing of the private legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited in total to R$ 50,000,000.00 (fifty million real) for infraction; • Publication of the infraction after duly verified and confirmed its occurrence; • Damage to the company's image, even at the global level; • Blocking of the personal data to which the infraction relates until its regularization; • Elimination of the personal data to which the infraction refers; • The enforcement of this law will affect the company's compliance teams, demanding the planning of the appropriate internal structures and procedures, such as controls, training, counseling and even specific positions and responsible for data processing, thus avoiding surprises for when law effectively take effect.

9. Impactsontheinsuranceindustry • Elaboration of impact report on data protection, at the discretion of the authority - article 38. • Greater transparency for the consumer of the subscription and pricing policy, once the holder can request access to information about the treatment of their data - article 18.

10. Impactsontheinsuranceindustry • Review of automated processes, when requested by the holder by physical person - article 20. • Indication of the person in charge, who acts as channel of communication between the responsible and the holders and the competent body - article 41. • The insurance company shall inform the insured persons about the possibility of sharing or communicating their data with their commercial partners (workshops, risk managers, service providers, outside lawyers, etc.) - article 18.

11. Complianceandtheinsuranceindustry • What is compliance? • The pillars of compliance are in preventive action, in the appropriate processing of sensitive information, staff training, in order to monitor, prevent and restrain noncompliance with legislation, promoting a sustainable and ethical environment. • Compliance follows the same principles of Law 13,709/18, especially those of necessity, transparency, security, prevention and accountability.

12. Complianceandtheinsuranceindustry • Compliance applied to the insurance industry The Compliance function is directly linked to Corporate Governance, and only becomes effective, as Insurance Companies develop programs that also contemplate cultural and paradigm changes. • The implementation and strict observation of the ethical conduct in the activities and businesses developed by all the executives, employees and collaborators, including outsourced ones, is of primary importance. • Fonte: Http://cnseg.org.br/data/files/B8/61/97/33/A4D214107E8578047E88C584/Manual%20de%20Boas%20Pr%C3%A1ticas%20em%20Compliance_site.pdf

13. Complianceandtheinsuranceindustry • Compliance applied to the insurance industry • Dissemination of the culture of risk assessment and internal controls at all levels, in order to prevent and detect the practice of acts contrary to applicable regulations; • Definition of specific and segregated functions to avoid conflicts of interest, with determination of the levels of authority and decision making, according to the complexity of the activities; • Training of executives, employees and collaborators, including subcontractors; • Identification of legal norms and other regulation and disclosure of policies and procedures aiming at the strict compliance of such dispositions by all its executives, employees and collaborators, including outsourced; and • Periodic and updating review of risk assessment procedures and internal controls.

14. SecurityInformation • UnderstandingSecurityInformation • Security information (SI) is directly related to the protection of the whole set of information, in order to preserve the value they have for the individual or for an organization. • It is a set of methods strategically adopted to manage and prevent risks of theft, loss, spurious alterations and damage of data, systems, networks, devices and files. • It aims to detect, document and combat digital and non-digital threats. • They are basic properties of Security Information: confidentiality, integrity, availability and authenticity. In consideration of these four core principles, TI security experts have created the most appropriate practices to support organizations to ensure the security and integrity of information. • The identification and correction of failures is paramount to generate internal and external reliability and improve the image of the business. Regular backups have been shown to be more efficient than essential storage in different locations.

15. SecurityInformation • The number of security information incidents in Brazil has grown 21% in the last 12 months between June 2017 and June 2018, despite the high investments made by Security information companies. • Investments in security information were in the order of US$ 8 billion, in the same period, a record figure according to PwC. • Font: https://economia.estadao.com.br/blogs/coluna-do-broad/ciberataques-a-empresas-no-brasil-sobem-21-em-um-ano-aponta-pesquisa

16. SecurityInformation • Why is it important to incorporate Security Information into your business? • It gives managers a 360-degree view of tangible and intangible assets and potential threats. • It facilitates the prior identification of vulnerabilities in information systems and acts in a preventive and timely manner against leaks and theft of data. • It builds credibility and reinforces the positive image of the business vis-à-vis consumers. • It contributes to the increase of its market value.

17. Cyber security Cyber ​​insurance It is the insurance to cover cyber risks that has several coverages related to the disclosure of private and corporate data, crisis management, defense costs, etc. It provides several coverages related to private and corporate data leaks, crisis management, defense costs, indemnification negotiation, etc. • Some data: • USD 22 billion loss in 2017 (Brazil) due to cyber attacks. (Norton Cyber ​​Security Insights Report 2017). • 52% of companies still do not invest in prevention. https://www.grantthornton.com.br/grant-thornton-noticias/press-releases/2017/ataques-ciberneticos/) • Brazil is the 6th most attacked country in the world (https://oglobo.globo.com/economia/brasil-considerado-6-pais-mais-vulneravel-virus-que-sequestra-informacoes-de-computadores-21370922) • 250 days - It's the average time it takes businesses to discover they are suffering data leakage. (2017 Cost of Data Breach Study - Ponemon Institute)

18. Cyber security • Some data: • Brazil suffered a USD 22 billion loss in 2017 from cyber attacks. (Norton Cyber ​​Security Insights Report 2017). • 52% of companies still do not invest in prevention. (https://www.grantthornton.com.br/grant-thornton-noticias/press-releases/2017/ataques-ciberneticos/) • Brazil is the 6th most heavily attacked country in the world. (https://oglobo.globo.com/economia/brasil-considerado-6-pais-mais-vulneravel-virus-que-sequestra-informacoes-de-computers-21370922) • 250 days - It's the average time it takes businesses to discover they are suffering data leakage. (2017 Cost of Data Breach Study - Ponemon Institute)

19. Cyber security future • Cyber ​​insurance to grow 400% by 2025 (Munich Re) • The economic costs of large-scale cyber attacks, such as the WannaCry malware attack, already outweigh the damage caused by natural disasters. • "Cyber ​​risk is one of the biggest threats to the network economy," TorstenJeworrek, chairman of Munich Re's reinsurance committee, spoke on a conference in Monte Carlo. "We can not ignore the cybernetic side.“ • The insurance industry can not but act in the protection of risk against cyber attacks, otherwise it will become a market, said Golling (Munich Re's head of corporate underwriting).

20. Thankyou Gloria Faria gloria@cnseg.org.br