Central Bank extends cybersecurity policy requirement to payment institutions.
Companies will have until September 1, 2019 to comply with the Central Bank's requirement.
(Reuters) - The Central Bank extended the requirement to establish a cybersecurity policy to payment institutions, after imposing a similar measure on banks in April.
Published this Thursday, the Central Bank circular addressing the issue will come into effect on September 1, 2019.
"The procedures and controls... must encompass authentication, encryption, intrusion prevention and detection, prevention of information leaks, periodic testing and scanning for vulnerabilities, protection against malicious software, the establishment of traceability mechanisms, access controls and segmentation of the computer network, and the maintenance of backups of data and information," the Central Bank stated in the circular.
The security policy should also include initiatives for sharing information about relevant incidents with other institutions in the financial system, the Central Bank highlighted in a press release.
The circular establishes that the policy must be compatible with the size, risk profile, and business model of the payment institution, while also taking into account the complexity of the products offered.
The rule is aimed primarily at payment processing companies that are independent of large banks. These include names such as iZettle, First Data, Stone, and Mundipagg, among others.
The Central Bank also specified the rules that companies must follow to contract data processing and storage services, including cloud computing.
By Marcela Ayres, with additional reporting by Aluísio Alves