External Circular No. 36 Supersolidaria

The Superintendency of Solidarity Economy of Colombia, through External Circular No. 36 of January 5, 2022, has issued specific instructions on the security and quality of information in the provision of financial services.

The Superintendency identified that digitization and interconnectivity have increased the exposure of credit unions to information security risks. In response, it issued instructions to mitigate these risks and strengthen members' confidence.

Key Instructions

  1. Modification of SARO: update of section 4.3.4 (Information Security Management) of Chapter IV of the SARO, as contained in the Basic Accounting and Financial Circular, and of Annex 2 of Chapter IV, Title IV of the same Circular.
  2. New Annex: Inclusion of Annex 2 with guidelines on information security and quality.
  3. Implementation Schedule: Establishment of a schedule for the adoption of the new measures.

These measures seek to ensure that cooperatives implement preventive mechanisms that protect information and support digital transformation.

OPERATIONAL RISK MANAGEMENT SYSTEM – SARO

Organizations must adopt good practice policies on information security to identify and mitigate operational technological risks and potential security incidents that threaten the confidentiality, integrity, and availability of their information assets. These policies, being preventive, strengthen confidence in the solidarity sector. The instructions must be applied by savings and credit cooperatives, multi-active and comprehensive cooperatives, and may be adopted by other supervised solidarity organizations, adapting them according to their size, characteristics, and volume of operations.

The information security system must be an integral component of the organization's governance, aimed at achieving strategic objectives and adequately managing the related risks. The security strategy must be aligned with the applicable legal and regulatory requirements, and senior management, together with the board of directors, is responsible for approving and overseeing the implementation and updating of this policy. A systematic process is required for managing risks and for describing, reviewing, approving, and publishing security policies, and for ensuring that all members of the organization are informed and trained. In addition, an adequate budget must be provided, the competence of those responsible must be ensured, and effective communication about security requirements must be maintained.

Technological Media Requirements and Information Security

Entities in the cooperative and solidarity sector must comply with these minimum requirements to safeguard their information and services:

  1. Technological Media and Information Security:
    • Use secure hardware, software, and telecommunications equipment.
    • Manage information security under a specific model.
    • Adopt security standards such as PCI DSS where cardholder data is handled.
    • Encrypt confidential information before sending it by email.
    • Register and control the IP addresses and telephone numbers used to provide services.
    • Use secure connections such as VPNs for third-party applications.
  2. Cryptographic Controls:
    • Serve websites over TLS with valid digital certificates.
    • Encrypt communications with third parties and store sensitive information securely.
  3. Protection against Malicious Code:
    • Keep antivirus software up to date.
    • Restrict the use of unsecured removable devices.
    • Control access to the organization's equipment.
  4. Information Exchange:
    • Do not exchange information without confidentiality agreements.
    • Protect sensitive information sent by email.
    • Use secure channels for the exchange of critical information.
  5. Information Backup:
    • Perform regular backups of data and systems.
    • Physically protect backup media.
    • Regularly test the integrity of backups.
  6. Clock Synchronization:
    • Synchronize all devices with Colombian legal time.
  7. Access Controls:
    • Restrict access to critical facilities and areas.
    • Use biometric access control systems or cards.
    • Implement surveillance mechanisms such as CCTV.
  8. Teleworking:
    • Permit remote access to servers only with prior authorization.
    • Comply with security policies and controls in remote work areas.
  9. Access to WiFi Networks:
    • Authenticate access to wireless networks with a username and password.
    • Separate corporate WiFi networks from those used by visitors.
  10. Prohibited Aspects:
    • Prohibit the transmission of inappropriate or fraudulent content.
    • Prevent unauthorized access and the sending of spam or malware.
  11. Provision of Services by Third Parties:
    • Sign confidentiality agreements and specify conditions in service contracts.
    • Audit the information security of services provided by third parties.
  12. Security Incident Management:
    • Categorize and report security incidents, including unauthorized access, malicious code, and denial of service.
  13. Disclosure of Information:
    • Inform members and users about the risks of using the available media and channels.
  14. Asset Inventory:
    • Maintain an up-to-date inventory of information assets and their security.
  15. Automated Teller Machines (ATMs):
    • Implement video recording and encrypt transaction data.
    • Physically protect ATMs.
  16. POS and PIN Pad:
    • Comply with PCI DSS and ensure device authentication.
  17. Call Center:
    • Control access to and use of equipment in call centers, ensuring data protection.
  18. Internet Transactions:
    • Implement controls for secure communications and perform regular vulnerability testing.
  19. Vulnerability Analysis:
    • Use up-to-date vulnerability scanning tools and generate regular reports.
  20. Physical and Environmental Security:
    • Protect facilities and equipment against unauthorized access and damage.
  21. Facilities and Supplies:
    • Have redundant electrical backup and air conditioning systems.
  22. Continuity of Information Security:
    • Establish plans and procedures for security continuity in adverse situations and conduct regular tests.
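Item 5 (Information Backup) requires that the integrity of backups be tested regularly. The following script is an added illustration, not code from the Circular or from Supersolidaria: it records the size and SHA-256 of every file in a backup set, seals the record with an HMAC so that an altered manifest is also detected, and later reports missing, modified, or unexpected files. The directory layout, file contents, and key are constructed for the demonstration; it assumes backups are plain files under one directory and that the HMAC key is stored apart from the backup media.

```python
"""Backup integrity check: build a keyed manifest of a backup set and verify it later.

Added illustration; not part of the Circular. Assumes backups are plain files
under one directory and that the HMAC key is kept apart from the backup media.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Record size and SHA-256 of every file under root, then seal the record with an HMAC."""
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        entries[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of findings; an empty list means the backup set matches the sealed manifest."""
    findings = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Check the seal first: a forged manifest would otherwise "verify" forged hashes.
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest HMAC mismatch: manifest itself was altered or wrong key"]
    for rel, meta in manifest["entries"].items():
        path = root / rel
        if not path.is_file():
            findings.append(f"missing: {rel}")
            continue
        if path.stat().st_size != meta["size"]:
            findings.append(f"size mismatch: {rel}")
        if sha256_file(path) != meta["sha256"]:
            findings.append(f"content mismatch: {rel}")
    recorded = set(manifest["entries"])
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in recorded:
            findings.append(f"unexpected file: {rel}")
    return findings


def demo() -> tuple[list[str], list[str], list[str]]:
    """Build a constructed backup set, verify it clean, then after damage and after manifest forgery."""
    key = b"example-key-store-this-outside-the-backup"  # constructed; use a real secret in practice
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "members.sql.gz").write_bytes(b"constructed backup payload 1")
        (root / "config.tar").write_bytes(b"constructed backup payload 2")
        manifest = build_manifest(root, key)
        clean = verify_manifest(root, manifest, key)
        # Simulate silent corruption (same size, different bytes) and a deleted file.
        (root / "db" / "members.sql.gz").write_bytes(b"constructed backup payload X")
        (root / "config.tar").unlink()
        damaged = verify_manifest(root, manifest, key)
        # Simulate an attacker rewriting the stored hash to hide the change; the HMAC catches it.
        forged = json.loads(json.dumps(manifest))
        forged["entries"]["db/members.sql.gz"]["sha256"] = sha256_file(root / "db" / "members.sql.gz")
        forged_result = verify_manifest(root, forged, key)
    return clean, damaged, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "forged manifest"), demo()):
        print(label, "->", result or "OK")
```

In practice the manifest is generated at backup time and stored (with its HMAC key) somewhere the backup media cannot reach, and the verification is scheduled on a restored copy of the media so that the test exercises the same path a real recovery would use.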

BASIC ACCOUNTING AND FINANCIAL CIRCULAR

Instructions on information security and quality for the provision of financial services added to the basic accounting and financial circular:

4.3.4. Information security management

A process must be established to manage information security, tailored to the organization's technological structure, size, and the data it handles. This process includes:

  • Defining the information security policy.
  • Identifying information assets.
  • Assessing security risks.
  • Implementing and testing a security risk management plan.

Detailed instructions on security and information quality for financial services can be found in Annex 2 of this chapter.

3.1. Monitoring

The organization must monitor its operational risk profile and exposure to losses periodically, at least every six months. This involves:

  • Executing the planned actions to manage the SARO.
  • Evaluating the effectiveness of the SARO implementation so that deficiencies are corrected promptly.
  • Reviewing continuously to ensure that controls are working effectively.
  • Identifying operational risks using descriptive or forward-looking indicators.
  • Ensuring that residual risk stays within the levels accepted by the organization.
  • Updating the identification, measurement, and control stages according to changes in the operating environment.

Review the technical documents on the Supersolidaria website.