Navigating the technical and cybersecurity requirements for Brazil’s igaming market
In this article, brought to you by Continent 8 Technologies, sales executive Luana Monje examines the technical stipulations of Ordinance 722 for the regulated Brazilian igaming and online sports betting market.
On 2 May 2024, Brazil’s Secretariat of Prizes and Bets (SPA) and Ministry of Finance (MF) issued Ordinance No. 722.
This set of regulations outlines the essential technical and cybersecurity criteria that igaming and online sports betting operators must adhere to within six months of obtaining their gaming licences in the South American country.
Some of the most critical requirements include a recovery and backup system, business continuity and disaster recovery plan, firewall protection and penetration testing.
Establishing robust recovery and resilient business continuity plans for igaming platforms
Ordinance 722, Annex IV, section 15 – Recovery: In the event of a catastrophic failure where the betting system, or any component or platform, cannot be reset in any other way, it must be possible to restore the system from the last backup point and fully recover it.
Ordinance 722, Annex IV, section 17 – Business continuity and disaster recovery plan: A business continuity policy and disaster recovery plan must be adopted to recover betting operations if the production environment of the betting system or any of its platforms becomes inoperable.
In the regulations outlined for igaming and online sports betting in Brazil, robust recovery and business continuity mechanisms must be in place to ensure that, should a catastrophic failure occur, the operator or supplier can restore the betting system and fully recover from the last backup point.
Ordinance 722’s recovery section explains that such backups must encompass not only the recorded information, but also location-specific details such as security configurations and user accounts.
Furthermore, current system encryption keys and a comprehensive record of system parameters – whether modifications, reconfigurations, additions, merges, deletions, adjustments or changes to parameters – need to be meticulously maintained.
Meanwhile, Ordinance 722’s business continuity and disaster recovery section recommends that the plan comprise data storage methodologies to minimise losses, document the recovery procedures and provide a comprehensive recovery guide.
Continent 8 recommendation: Begin with an audit service to verify compliance with igaming regulatory standards and to pinpoint vulnerabilities in your organisation’s business continuity and disaster recovery plan. Next, employ a backup service that can seamlessly protect and restore files, databases and applications, thereby supporting disaster recovery and ensuring ongoing business continuity.
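A practical way to turn the section 15 requirements into something an operator can check on every backup run is to validate each restore point against a manifest: every required component is present and intact, the backup is recent enough to be "the last backup point", the keys it contains are the ones currently in use, and the parameter change record has no gaps. The following is an added example written for this article, not code from Continent 8 or from the ordinance; the component names, the 24-hour freshness threshold and the sample artifacts are this example's own assumptions.

```python
"""Validate a restore point against the contents Ordinance 722, Annex IV,
section 15 expects a backup to carry. Constructed example; not Continent 8 code."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Components a usable restore point must carry. The names are this example's
# own labels for the items the ordinance lists: the recorded information,
# location-specific security configurations, user accounts, the current
# encryption keys and the record of parameter changes.
REQUIRED_COMPONENTS = {
    "recorded_information",
    "security_configuration",
    "user_accounts",
    "encryption_keys",
    "parameter_change_log",
}

# Assumed operational threshold (not from the ordinance): older backups are
# not accepted as "the last backup point".
MAX_BACKUP_AGE = timedelta(hours=24)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts, taken_at, active_key_id):
    """Manifest a backup job writes next to its artifacts: timestamp, the id of the
    encryption key in use when the backup was taken, and a digest per component."""
    return {
        "taken_at": taken_at.isoformat(),
        "active_key_id": active_key_id,
        "components": {name: {"sha256": sha256_hex(blob)} for name, blob in artifacts.items()},
    }


def validate_backup(manifest, artifacts, now, active_key_id):
    """Return a list of findings; an empty list means the restore point passes."""
    findings = []
    components = manifest.get("components", {})

    # 1. Every required component is present and its stored bytes match the manifest digest.
    for name in sorted(REQUIRED_COMPONENTS - components.keys()):
        findings.append(f"missing component: {name}")
    for name, meta in components.items():
        blob = artifacts.get(name)
        if blob is None:
            findings.append(f"no artifact stored for component: {name}")
        elif sha256_hex(blob) != meta.get("sha256"):
            findings.append(f"integrity mismatch: {name}")

    # 2. The restore point is recent enough to count as the last backup point.
    taken_at = manifest.get("taken_at")
    if taken_at is None or now - datetime.fromisoformat(taken_at) > MAX_BACKUP_AGE:
        findings.append("backup point is missing a timestamp or is stale")

    # 3. The keys in the backup are the ones the system currently uses.
    if manifest.get("active_key_id") != active_key_id:
        findings.append("backup holds keys that are not the current system keys")

    # 4. The parameter change record is gapless, so a restore can replay every change.
    log_blob = artifacts.get("parameter_change_log")
    if log_blob is not None:
        seqs = [entry["seq"] for entry in json.loads(log_blob)]
        if seqs != list(range(1, len(seqs) + 1)):
            findings.append("parameter change log has gaps or is out of order")
    return findings


def run_demo():
    """Constructed data: one compliant restore point and one that fails in several ways."""
    now = datetime(2024, 11, 2, 9, 0, tzinfo=timezone.utc)
    good_log = json.dumps([
        {"seq": 1, "change": "modify", "param": "max_stake", "value": "500"},
        {"seq": 2, "change": "add", "param": "kyc_provider", "value": "provider-x"},
    ]).encode()
    good_artifacts = {
        "recorded_information": b"bet-ledger rows (constructed)",
        "security_configuration": b"tls_min_version=1.2\n",
        "user_accounts": b"ops-admin:role=sysadmin\n",
        "encryption_keys": b"key material for key-7 (constructed)",
        "parameter_change_log": good_log,
    }
    good_manifest = build_manifest(good_artifacts, now - timedelta(hours=6), "key-7")
    good = validate_backup(good_manifest, good_artifacts, now, active_key_id="key-7")

    # Bad restore point: no user accounts, a gap in the parameter log, taken three
    # days ago under a key that has since been rotated, and a config file altered
    # after the manifest was written.
    bad_log = json.dumps([
        {"seq": 1, "change": "modify", "param": "max_stake", "value": "500"},
        {"seq": 3, "change": "delete", "param": "legacy_flag", "value": None},
    ]).encode()
    bad_artifacts = {k: v for k, v in good_artifacts.items() if k != "user_accounts"}
    bad_artifacts["parameter_change_log"] = bad_log
    bad_manifest = build_manifest(bad_artifacts, now - timedelta(days=3), "key-6")
    bad_artifacts["security_configuration"] = b"tls_min_version=1.0\n"
    bad = validate_backup(bad_manifest, bad_artifacts, now, active_key_id="key-7")
    return good, bad


if __name__ == "__main__":
    for label, findings in zip(("good", "bad"), run_demo()):
        print(label, findings or "PASS")
```

The check is deliberately run against the stored artifacts rather than the manifest alone: a manifest that lists a component proves nothing if the bytes behind it were altered or never written, which is exactly the failure an operator discovers only during a real restore.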
Securing the network with advanced firewalls for igaming cybersecurity
Ordinance 722, Annex IV, section 31 – Firewall: All communications, including remote access, must pass through at least one approved application-level firewall.
An effective firewall serves as the guardian of the network, meticulously scrutinising all incoming and outgoing communications to thwart unauthorised access and potential threats. Ordinance 722’s firewall section suggests the firewall be placed at the juncture of different security domains, ensuring no alternative network path exists that could circumvent the firewall.
Only essential applications related to the firewall’s operation are permitted to reside on the device, and access is restricted to a limited number of user accounts, primarily network or system administrators.
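The two firewall conditions above are easy to state and easy to lose track of as a network grows. Both can be verified against a model of the topology: delete every approved firewall from the graph, and any remaining connectivity between two different security domains is a path that circumvents the firewall; separately, compare each firewall host's installed software and login accounts against an allow-list. The following is an added example written for this article, not Continent 8 code or a tool the ordinance names; the topology, domain names and software allow-list are constructed assumptions.

```python
"""Check a network model for paths that cross security domains without
passing an approved application-level firewall (Ordinance 722, Annex IV,
section 31), and check firewall hosts for non-essential software or
non-administrator accounts. Constructed example; not Continent 8 code."""
from collections import deque

APP_FIREWALL = "app_firewall"

# Software assumed essential to the firewall's operation (this example's own allow-list).
ALLOWED_FIREWALL_SOFTWARE = {"firewall-daemon", "log-forwarder", "sshd"}


def bypass_components(nodes, links):
    """nodes: name -> (security_domain, kind); links: iterable of (a, b) pairs.

    Deleting every firewall node from the graph leaves only the paths that avoid
    firewalls, so any remaining connected component that spans more than one
    security domain is a route around the firewall. Returns a list of
    (domains, members) for each such component."""
    adjacency = {name: set() for name in nodes}
    for a, b in links:
        adjacency[a].add(b)
        adjacency[b].add(a)

    def is_firewall(name):
        return nodes[name][1] == APP_FIREWALL

    violations, seen = [], set()
    for start in nodes:
        if is_firewall(start) or start in seen:
            continue
        members, queue = [], deque([start])
        seen.add(start)
        while queue:
            current = queue.popleft()
            members.append(current)
            for neighbour in adjacency[current]:
                if not is_firewall(neighbour) and neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        domains = {nodes[m][0] for m in members}
        if len(domains) > 1:
            violations.append((sorted(domains), sorted(members)))
    return violations


def firewall_host_findings(host, installed_software, login_accounts, admin_accounts):
    """Flag software beyond what the firewall needs and accounts outside the admin set."""
    findings = []
    for package in sorted(set(installed_software) - ALLOWED_FIREWALL_SOFTWARE):
        findings.append(f"{host}: non-essential software installed: {package}")
    for account in sorted(set(login_accounts) - set(admin_accounts)):
        findings.append(f"{host}: login account is not an administrator: {account}")
    return findings


def run_demo():
    # Constructed topology: internet -> edge firewall -> DMZ -> core firewall -> internal.
    nodes = {
        "internet": ("external", "host"),
        "fw-edge": ("perimeter", APP_FIREWALL),
        "web-1": ("dmz", "host"),
        "vpn-gw": ("dmz", "host"),      # remote-access endpoint, also behind the edge firewall
        "fw-core": ("perimeter", APP_FIREWALL),
        "bet-engine": ("internal", "host"),
        "db-1": ("internal", "host"),
    }
    links = [
        ("internet", "fw-edge"), ("fw-edge", "web-1"), ("fw-edge", "vpn-gw"),
        ("web-1", "fw-core"), ("vpn-gw", "fw-core"),
        ("fw-core", "bet-engine"), ("bet-engine", "db-1"),
    ]
    compliant = bypass_components(nodes, links)

    # Same topology plus an undocumented "management" link from the DMZ straight to the database.
    bypass = bypass_components(nodes, links + [("web-1", "db-1")])

    host = firewall_host_findings(
        "fw-core",
        installed_software=["firewall-daemon", "sshd", "media-player"],
        login_accounts=["netadmin", "contractor"],
        admin_accounts=["netadmin", "sysadmin"],
    )
    return compliant, bypass, host


if __name__ == "__main__":
    compliant, bypass, host = run_demo()
    print("baseline:", compliant or "no bypass paths")
    print("with management link:", bypass)
    print("\n".join(host))
```

Modelling remote access (the `vpn-gw` node) as an ordinary host in the DMZ is intentional: the ordinance's wording is that all communications, including remote access, pass through an approved firewall, so a VPN concentrator cabled directly into the internal segment would surface as a bypass component in the same way the management link does.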
Continent 8 recommendation: Utilise firewall services equipped with advanced threat intelligence to gain comprehensive insights into your threat landscape and perimeter activities, enabling effective detection, prevention and response to both known and emerging threats.
Implementing comprehensive penetration testing to address potential weaknesses
Ordinance 722, Annex IV, section 41 – Penetration testing: The purpose of penetration testing is to exploit any weaknesses discovered during the vulnerability assessment in any publicly exposed applications or systems that host applications that process, transmit and/or store sensitive information.
Executing thorough penetration testing is a testament to an organisation’s dedication to safeguarding user data. Ordinance 722 defines penetration testing as systematically challenging the strength of network and application layers so that operators and suppliers can identify and rectify vulnerabilities.
Continent 8 recommendation: Leverage regularly scheduled vulnerability assessment and penetration testing (VAPT) services for continuous and comprehensive security assessments of your infrastructure and applications.
This enables you to achieve regulatory compliance and understand your attack surface area, providing a strong foundation for strengthening your security posture.
A 360-degree cybersecurity approach
For complete end-to-end protection, we recommend operators and suppliers adopt a holistic risk mitigation approach. A complete, 360-degree defence strategy includes:
- Endpoint detection and response (EDR) services to protect against advanced malware, ransomware and phishing threats
- Distributed denial-of-service (DDoS) services to deliver comprehensive perimeter network mitigation against DDoS attacks
- Managed security operations centre (MSOC) and security incident and event management (SIEM) services to prevent, detect or remediate vulnerabilities and threats
- Regulatory security compliance services – including compliance audit, VAPT and vulnerability scanning (V-Scan) solutions – to achieve regulatory compliance and gain a deep understanding of one’s attack surface area
- Mobile protect services to safeguard mobile endpoints against modern security threats
- SafeBait services to provide customised simulations to combat social engineering threats, including sophisticated MFA, phishing, smishing, vishing and quishing attacks
By adhering to the SPA and MF’s Ordinance 722 policies and collaborating with a trusted solutions provider like Continent 8, operators and suppliers can meet Brazil’s newest technical and cybersecurity standards, ensuring secure and reliable gaming environments and experiences.
Continent 8 – your trusted partner
Continent 8, the trusted managed hosting, connectivity, cloud and cybersecurity partner to the global igaming and online sports betting industry for over 25 years, is live in every major regulated Latin American jurisdiction, including Brazil.
We offer operators and suppliers access to state-of-the-art data centres, connectivity to a global private network featuring 100-plus locations and best-in-class managed and professional services to support the most demanding gaming requirements.
For more information on how Continent 8 can support your organisation’s regulatory and cybersecurity requirements, stop by booth 4235 at the Global Gaming Expo in Las Vegas (7-10 October), stand A62 at the SBC Latinoamerica Summit in Miami (29-31 October) or visit www.continent8.com.
Luana Monje is a sales executive at Continent 8 Technologies, where she supports both new and existing customers in launching and expanding their operations within the Brazilian igaming and online sports betting market. Based in São Paulo, Monje possesses extensive knowledge of the region’s regulatory and cybersecurity requirements.