The 1 Billion Reais Cyberattack in Brazil: A Strategic Wake-Up Call

On July 1st, 2025, Brazil reported what may be the largest cyberattack in its financial history. Hackers infiltrated C&M Software (CMSW) — a critical third-party provider that connects banks and fintechs to Brazil’s instant payment system (PIX) and real-time settlement infrastructure (STR) operated by the Central Bank.

The attackers gained privileged access and initiated unauthorized transfers directly from the central bank reserve accounts of at least five financial institutions. Early estimates place the damage at up to R$ 1 billion (~USD 180 million).

The Central Bank of Brazil responded quickly, suspending CMSW’s access and launching an investigation with federal authorities. Services were partially restored under government oversight on July 3rd.

The full extent of the breach is still under review. But for boardrooms around the world, the message is clear:

Cybersecurity is not a technical matter. It is a strategic one — and the board must own it.

🤝 From Harvard to Reality: Cyber Risk as a Strategic Discipline

In 2021, I completed the executive program “Cybersecurity: Managing Risk in the Information Age” by Harvard VPAL. The course wasn’t designed for engineers. It was built for leaders — to equip them with the tools to govern cyber risk, not just react to it.

Week by week, we explored how to:

  • Identify business-critical digital assets;
  • Understand threat actors and legal exposure;
  • Evaluate internal maturity;
  • And build an integrated, metrics-based risk mitigation strategy.

One principle stood out:

You are always under attack — even if you haven’t noticed yet.

What differentiates resilient organizations isn’t the ability to block every intrusion. It’s their capacity to prepare, contain, respond, and recover — without losing control of the business or public trust.


🛩 The NIST Cybersecurity Framework: A Blueprint for Board-Led Action

The course was anchored in the NIST Cybersecurity Framework, which structures digital risk governance around five core functions:

  1. Identify – assets, risks, dependencies, and threats.
  2. Protect – with policies, controls, and awareness programs.
  3. Detect – breaches through real-time monitoring.
  4. Respond – with predefined incident playbooks.
  5. Recover – ensuring business continuity and trust restoration.

These aren’t just IT procedures — they are strategic capabilities. And they demand coordination across legal, operational, HR, and executive leadership.

In our Harvard assignments, one challenge became obvious:

The biggest cybersecurity gap isn’t in technology — it’s in boardroom engagement.

⛔️ Delegating Cyber Risk Is No Longer Acceptable

In many companies, cybersecurity remains a siloed responsibility — often buried under IT, reporting sporadically, and struggling to secure funding.

When a crisis hits, those same professionals are blamed for issues they were never empowered to prevent.

But world-class organizations now treat cybersecurity the way Brazil's CIPA system treats occupational safety:

  • With incident response kits across sites,
  • Daily simulations,
  • And clear accountability from top leadership.

Cyber resilience, like safety, is built through governance, not gadgets.


⚖️ Finding the Right Balance: Risk, Cost, and Resilience

No company can afford 100% protection. And that’s not the goal.

The real objective is to:

  • Prioritize what matters most,
  • Implement controls that match your exposure,
  • Secure cyber insurance to transfer catastrophic risks,
  • And maintain board-level visibility through real metrics.

In the Harvard course, we learned to design risk strategies with:

  • Strategic goals;
  • Operational objectives;
  • Action plans with milestones;
  • And KPIs to track maturity.

It’s not just about avoiding fines or headlines. It’s about preserving enterprise value in a world where trust — not tech — is the currency.


🧐 Final Thought: Emergency Response Is the Real Stress Test

Cybersecurity is not just about prevention — it’s about response under pressure.

When a breach happens, your technical team will act. They’ll isolate systems, check logs, call vendors, and try to stop the bleeding.

But here’s the strategic question:

What is your board doing in that moment?

Most directors assume it’s “under control” — until they realize they’re the ones expected to:

  • Communicate with the market;
  • Inform shareholders and regulators;
  • Contain reputational damage;
  • Make legally binding decisions under pressure.

A breach is not just an IT crisis — it’s a governance crisis.

In our Harvard training, we explored the legal consequences for boards that fail to act with due care. Depending on the jurisdiction, directors can be held liable for:

  • Lack of a formal risk plan;
  • Insufficient board oversight;
  • Failure to disclose breaches transparently;
  • And inadequate response measures that harm investors or consumers.

Do you have a crisis playbook?

  • A hotline for coordinated incident response?
  • A pre-approved press strategy?
  • A clear chain of command?
  • A legal briefing for fiduciary protection?

If not — you don’t have a plan. You have a hope.

Cyber resilience starts with executive maturity — but it is validated by board readiness.

The recent billion-dollar attack in Brazil reminds us:
The real test isn’t the breach. It’s your ability to lead through it.

