Brazil ransomware and cyber extortion policy

After the C&M Heist: Brazil's Cyber Rules Should Harden Banks Without Smothering PIX Innovation

The 2025 C&M Software breach exposed a critical third-party gap in Brazil's payments stack — but ANCiber and new BCB rules must be calibrated, not heavy-handed.

[Infographic: Brazil's Payments Cyber Stack After C&M (People of Internet Research). Panels: 2020, PIX launch year (BCB launched PIX in November 2020); 11.856, PNCiber decree (Decree 11.856/2023); R$ 100M+, reported heist scale (hundreds of millions of reais); Jan 2025, DORA in force (EU framework for ICT third-party risk).]

Key Takeaways

The July 2025 breach at C&M Software — a technology services provider connecting smaller financial institutions to the Banco Central do Brasil's (BCB) reserve infrastructure — was, by most accounts, the largest cyber heist Brazil has ever suffered. According to reports, attackers used compromised credentials at the service provider to drain hundreds of millions of reais from reserve accounts feeding into PIX, the BCB's instant payments rails. The incident did not break PIX itself. It broke the trust perimeter around PIX: the chain of vendors, integrators, and middleware operators that connect a sprawling Brazilian financial sector to a single, very fast, very public clearing system.

Brazilian regulators have responded with speed. The BCB has tightened cybersecurity and incident-reporting obligations for payment-system participants and their service providers, building on the framework already established in Resolução BCB nº 1/2020 (the foundational PIX regulation) and Resolução CMN nº 4.893/2021, which sets out cybersecurity and cloud-outsourcing requirements for financial institutions. The Lula government, meanwhile, continues to advance the proposed Brazilian Cybersecurity Agency (ANCiber), the institutional capstone of the Política Nacional de Cibersegurança (PNCiber), established by Decree 11.856 of December 2023.

From a pro-innovation perspective, the diagnosis is largely correct — but the prescription needs care.

What the C&M incident actually revealed

PIX is a global success story. Launched in November 2020, it now processes more transactions per year than any other instant-payment system in the world and has driven extraordinary financial inclusion. The BCB built it as open infrastructure, deliberately lowering the technical and commercial barriers for smaller fintechs, credit unions, and payment institutions to plug in. That openness is a feature, not a bug.

The C&M breach reportedly did not exploit a flaw in PIX's cryptography or the BCB's core systems. It exploited the operational reality that hundreds of regulated entities reach PIX through a handful of specialised technology providers — and that those providers sit outside the perimeter of traditional banking supervision. When credentials at one such vendor are compromised, the blast radius can extend to every institution that routes through it.

This is not a uniquely Brazilian problem. The 2024 Change Healthcare ransomware incident in the United States and the ongoing string of attacks on European financial messaging vendors tell the same story: third-party concentration risk is now the dominant cybersecurity threat to modern payment systems.

The right kind of regulation

Brazil's emerging response has three sensible pillars worth defending — and one risk to watch.

1. Bring critical service providers inside the supervisory perimeter

Resolução CMN 4.893/2021 already requires regulated institutions to police their vendors. The post-C&M tightening sensibly extends direct, more granular obligations onto the providers themselves where they touch systemically important rails. This is consistent with the EU's Digital Operational Resilience Act (DORA), which since January 2025 has subjected critical ICT third-party providers to direct oversight by European supervisors. Brazil is not over-reaching here; it is catching up to international practice.

2. Mandatory, time-bound incident disclosure

Faster mandatory reporting to the BCB, the Autoridade Nacional de Proteção de Dados (ANPD), and — where personal data is implicated — to data subjects under the LGPD (Lei nº 13.709/2018) is an unambiguous good. Markets cannot price cyber risk, and consumers cannot defend themselves, if breaches surface only through leaked press accounts. Brazil should align timelines with the LGPD's evolving guidance and DORA's structured taxonomy rather than inventing a parallel regime.

3. ANCiber as a coordinator, not a super-regulator

PNCiber correctly diagnoses Brazil's main institutional problem: cybersecurity authority is splintered across the Gabinete de Segurança Institucional (GSI), the BCB, ANPD, Anatel, and sectoral regulators. A dedicated ANCiber can finally provide a single national focal point for threat intelligence, incident coordination, and international engagement — roles played by CISA in the United States and ENISA in the EU. The legislative debate, however, must resist the temptation to make ANCiber a heavy-handed licensing or content-control body. Its mandate should be coordination, capability-building, and rapid response — not duplicating the BCB's prudential authority or the ANPD's data-protection remit.

The risk: over-correction

Two dangers loom. The first is regulatory pile-on: if every Brazilian agency layers its own bespoke cyber incident-reporting form on top of the BCB's and ANPD's, smaller fintechs will drown in compliance paperwork while adding little real security. The second is a quiet retreat from the PIX openness model. After the C&M scare, it would be tempting to raise capital requirements, technical thresholds, or vendor-approval barriers in ways that effectively re-concentrate the system around incumbent banks. That would undo one of the most successful pro-competition reforms in modern Brazilian financial history.

Ransomware and credential-theft attacks against payments infrastructure are not going away. But the answer is not to slow PIX down or to ringfence it behind larger players. The answer is sharper supervision of the critical-service layer, harmonised incident disclosure, and an ANCiber that empowers defenders without becoming another bureaucratic chokepoint.

Brazil built the world's most ambitious instant-payments network in five years. Properly calibrated, the post-C&M reforms can make it the world's most resilient one — without trading away the openness that made it work.

Sources & Citations

  1. Decreto nº 11.856/2023 — Política Nacional de Cibersegurança (PNCiber)
  2. Banco Central do Brasil — Resolução BCB nº 1/2020 (PIX)
  3. LGPD — Lei nº 13.709/2018
  4. EU Digital Operational Resilience Act (DORA)
  5. Reuters — coverage of Brazil C&M Software / PIX-related breach