On May 2, 2024, the Secretariat of Prizes and Bets (SPA) and the Ministry of Finance (MF) issued Ordinance No. 722. This set of regulations outlines the essential technical and cybersecurity criteria that iGaming and online sports betting operators must adhere to within six months of obtaining their gaming licenses.
In her blog series, Luana Monje, Sales Executive at Continent 8 Technologies, examines the latest infrastructure, cloud, cybersecurity and regulatory developments for the newly regulated Brazilian iGaming and online sports betting market. In her first blog, Luana explored Ordinance 722’s penetration testing requirement. In this blog, she examines in detail three further requirements: the recovery and backup system, the business continuity and disaster recovery plan, and firewall protection.
1. Establishing robust recovery and resilient business continuity plans for iGaming platforms
Ordinance 722, Annex IV, section 15 – Recovery: In the event of a catastrophic failure where the betting system, or any component or platform, cannot be reset in any other way, it must be possible to restore the system from the last backup point and fully recover it.
Ordinance 722, Annex IV, section 17 – Business continuity and disaster recovery plan: A business continuity policy and disaster recovery plan must be adopted to recover betting operations if the production environment of the betting system or any of its platforms becomes inoperable.
In the regulations outlined for iGaming and online sports betting in Brazil, robust recovery and business continuity mechanisms must be in place to ensure that, should a catastrophic failure occur, the operator or supplier can restore the betting system and fully recover from the last backup point.
Ordinance 722’s recovery section explains that such backups must encompass not only the recorded information but also extend to include location-specific details such as security configurations and user accounts. Furthermore, current system encryption keys and a comprehensive record of system parameters – whether modifications, reconfigurations, additions, merges, deletions, adjustments or changes to parameters – need to be meticulously maintained.
Meanwhile, Ordinance 722’s business continuity and disaster recovery section recommends that the plan comprise data storage methodologies to minimise losses, document the recovery procedures and provide a comprehensive recovery guide. Moreover, it should propose the process for resuming administrative operations post-recovery, tailored to the system’s operational context.
The Continent 8 solution: Our multi-pronged services approach offers operators and suppliers the optimal path to backup and business continuity in the event of an incident or disaster.
- Our Compliance Audit service provides comprehensive security assessments of your organisation’s business continuity and disaster recovery plan. This approach ensures compliance with iGaming regulatory requirements while identifying potential vulnerabilities and actionable insights to strengthen your organisation’s overall security posture.
- Our Backup service ensures the seamless protection and restoration of files, databases and applications across Continent 8 data centres, customer on-premises environments and hyperscale clouds. Our solution is tailored to bolster resilience, support disaster recovery and maintain business continuity. We manage backup and retention policies to align with your organisation’s recovery objectives, while providing comprehensive reporting on the backup and recovery tasks.
Watch the webinar on Continent 8’s disaster recovery approach and a real-world use case with LATAM-based customer Boldt.
2. Securing the network with advanced firewalls for iGaming cybersecurity
Ordinance 722, Annex IV, section 31 – Firewall: All communications, including remote access, must pass through at least one approved application-level firewall.
An effective firewall serves as the guardian of the network, meticulously scrutinising all incoming and outgoing communications to thwart unauthorised access and potential threats. Ordinance 722’s firewall section suggests that the firewall be placed at the juncture of different security domains, ensuring that no alternative network path exists that could circumvent the firewall. Only essential applications related to the firewall’s operation are permitted to reside on the device, and access is restricted to a limited number of user accounts, primarily network or system administrators. These firewalls should analyse all incoming and outgoing communications, ensuring that only traffic from trusted network sources is permitted. Furthermore, stringent access controls, backed by the latest encryption protocols, safeguard remote interactions with the gaming platform.
The Continent 8 solution: Our Firewall service includes customisable IDS/IPS capabilities. When combined with our managed Security Operations Centre (SOC) service, IDS/IPS events are enriched with specific threat intelligence and ingested into our Security Incident and Event Management (SIEM) platform. Our SOC analysts can then deliver powerful insights into a customer’s current threat state and perimeter activities, providing detection, prevention and responses to known and emerging threats.
A 360-degree cybersecurity approach
Recovery and business continuity plans, along with firewall protection, provide an excellent starting point for iGaming and online sports betting operators and suppliers launching operations in Brazil’s regulated gaming market. For end-to-end protection, we recommend operators and suppliers adopt a holistic risk mitigation approach. A complete, 360-degree defense strategy includes:
- Endpoint Detection and Response (EDR) services to protect against advanced malware, ransomware and phishing threats.
- Distributed Denial-of-Service (DDoS) services to deliver comprehensive perimeter network mitigation against DDoS attacks.
- Managed Security Operations Centre (MSOC) and Security Incident and Event Management (SIEM) services to prevent, detect or remediate vulnerabilities and threats.
- Regulatory security compliance solution – including Compliance Audit, Vulnerability Assessment and Penetration Testing (VAPT) and vulnerability scanning (V-Scan) services – to achieve regulatory compliance and gain a deep understanding of one’s attack surface area.
- Mobile Protect services to safeguard mobile endpoints against modern security threats.
- SafeBait services to provide customised simulations to combat social engineering threats, including sophisticated MFA, phishing, smishing, vishing and quishing attacks.
By referencing the SPA and MF’s Ordinance 722 policies and partnering with an experienced and trusted solutions provider like Continent 8, operators and suppliers can deploy multi-defense, multi-layer cybersecurity protection strategies for their iGaming and online sports betting platform. This approach enables them to comply with Brazil’s latest technical and cybersecurity regulations while demonstrating their commitment to providing secure and trustworthy gaming environments and experiences.
Continent 8 Technologies – your trusted partner
Continent 8 Technologies, the trusted managed hosting, connectivity, cloud and cybersecurity partner to the global iGaming and online sports betting industry for over 25 years, is live in every major regulated Latin American (LATAM) jurisdiction, including Brazil.
Operating out of the LATAM region since 2020, we offer operators and suppliers access to state-of-the-art data centres, connectivity to a global private network featuring 100+ locations across four continents and best-in-class managed and professional services to support the most demanding iGaming and online sports betting requirements.
Discover why Continent 8 is the go-to infrastructure and cybersecurity provider for leading LATAM operators and suppliers such as Betcris, Boldt, Bplay and Vibra Gaming, and learn how we ensure the seamless implementation of compliant and secure infrastructures so that your Brazilian gaming operations are live from day one.
For more information on how Continent 8 can support your organisation’s regulatory and cybersecurity requirements, visit www.continent8.com/br or contact Luana at luana.monje@continent8.com.