The Brazilian Superintendence of Private Insurance (Susep) published, on May 22, 2026, Normative Instruction (IN) No. 7/2026, which establishes guidelines and internal procedures for handling personal data breaches within the authority. The regulation is part of Susep’s compliance efforts with the Brazilian General Data Protection Law (LGPD) and aligns with ANPD Board Resolution No. 15/2024, which regulates the communication of incidents to the Brazilian Data Protection Agency (ANPD).
This measure is relevant because Susep, as controller of personal data relating to policyholders, brokers, market agents and other stakeholders, must maintain a governance structure capable of responding swiftly to events that compromise the confidentiality, integrity or availability of such information. In this context, IN No. 7/2026 formalizes obligations already provided for under data protection legislation.
What the Normative Instruction Defines as a Security Incident
The IN adopts the same conceptual approach as the LGPD in defining a security incident involving personal data. It is a confirmed adverse event that results, or may result, in the compromise of the confidentiality, integrity or availability of personal data. The regulation also reiterates important definitions such as sensitive personal data, data protection officer and processing agent, aligning Susep’s internal terminology with federal legislation.
It is important to note that the Instruction does not apply to supervised entities (insurers, reinsurers and other entities regulated by Susep). It is addressed to the authority itself, as a public body that processes personal data in the course of its supervisory and regulatory activities.
The regulation applicable to supervised entities is Susep Circular No. 638/2021. This circular establishes cybersecurity requirements to be observed by insurance companies, open private pension entities (EAPCs), capitalization companies and local reinsurers. Failure to comply with these guidelines may subject entities to administrative sanctions imposed by Susep and even by the ANPD, if the noncompliance is related to LGPD provisions.
Internal Responsibilities and Roles
IN No. 7/2026 allocates responsibilities among three internal actors. The data protection officer acts as the communication channel with the ANPD and affected data subjects, in addition to supporting the assessment of the impact of incidents. The information security unit is responsible for monitoring, identification, analysis and technical containment activities, through the Incident Handling and Response Team (ETIR). Finally, the business units responsible for the affected systems and data collaborate in the impact assessment and recovery of compromised environments.
Stages of Incident Handling
The regulation establishes seven mandatory stages in the incident handling process: incident notification, identification and analysis, classification, containment, eradication, recovery, and communication to the ANPD and data subjects, when applicable. This sequence reflects the established lifecycle of information security incident response, adapted to the protection of personal data.
The incident handling workflow will be formally established by the Administration and made available on Susep’s intranet through a process modeling tool. The Normative Instruction provides for semiannual updates of this workflow by the information security unit, so that procedural adjustments do not require amendments to the regulation itself. In this way, Susep grants operational flexibility to the process without compromising the regulatory framework.
Interaction with the Data Protection Regulatory Ecosystem
IN No. 7/2026 must be read together with other regulations. ANPD Board Resolution No. 15/2024 establishes that controllers must communicate to the ANPD the occurrence of a personal data security incident within three business days from becoming aware that the incident affected personal data, whenever the event may entail relevant risk or damage to data subjects. This obligation applies to Susep in its role as data controller.
On the other hand, Susep Circular No. 638/2021 already required insurers and other regulated entities to report relevant incidents to the authority within five business days. IN No. 7/2026 therefore complements this framework by organizing Susep’s own response whenever its systems and data are affected. However, the deadlines should not be confused, since one applies to Susep itself and the other to supervised entities.
Relevance for Entities Supervised by Susep
Although the Normative Instruction is internal in nature, it signals to the market the importance Susep places on personal data governance. Entities supervised by Susep share data with the authority under a series of other rules, such as the submission of periodic information (FIP) and the Operations Registration System (SRO), or depend on integrated systems within accreditation entities or the Open Insurance ecosystem; the electronic petitioning system (SEI) and responses submitted through the market documents tab also contain personal data. Therefore, they should be aware that Susep, by structuring its own response procedures, is likely to require equivalent standards from supervised entities.
In addition, the formalization of the role of the data protection officer and the incident response team within Susep reinforces the expectation that regulated entities maintain equivalent internal structures, as already provided for in Circular No. 638/2021 and Susep Resolution No. 45/2024, which addresses the authority’s Information Security Policy.
Next Steps for Entities Supervised by Susep
Companies operating in the market supervised by Susep should review their own security incident response plans, especially to ensure compatibility with the communication workflow now formally established by the authority. It is advisable to map the personal data shared with Susep, assess communication protocols with the authority’s incident response team, and keep incident records and compliance evidence up to date, considering Susep’s accountability obligations under the LGPD.
All of this takes place in a context in which Susep’s sanctions framework is undergoing changes introduced by Supplementary Law No. 213/2025, with a substantial increase in the fines that may be imposed by the authority. Fines may reach up to BRL 35 million, twice the amount of the contract, twice the losses caused to consumers as a result of the violation, or three times the economic benefit obtained or the loss avoided as a result of the violation.