This Policy establishes the principles, responsibilities, and minimum technical and procedural
standards that govern information security at MKS Law. It applies to all systems, data, users, and
third parties operating within or connected to the firm’s infrastructure. Its provisions are binding,
non-discretionary, and enforceable across all functions and levels without exemption.
Structure
This Policy is organized into sections covering governance, access controls, data protection,
incident response, network security, training, vulnerability management, and external standards
alignment. It is designed for operational use, internal audits, and institutional review. This Policy
applies in full across all areas and functions and is not subject to selective application.
Purpose
Cybersecurity at MKS Law is treated as a governance and compliance obligation. This Policy
establishes binding standards for the protection of the systems, networks, data, and credentials used
in the firm’s activities. Its objective is to reduce the risk of unauthorized access, data compromise,
and operational disruption through defined controls and enforceable internal procedures. All
cybersecurity obligations under this Policy are applied consistently and are subject to internal audit
and review.
Scope and Definitions
This Policy applies to all individuals, devices, systems, and third-party services operating within or
connected to MKS Law’s infrastructure. Covered assets include hardware, software, networks,
communication systems, storage environments, and any platform used to process, store, or transmit
firm data, whether owned by the firm or provided by a third party. A security incident is any event
that compromises, or may compromise, the confidentiality, integrity, or availability of the firm’s
information assets; a suspected incident is handled as an incident until shown otherwise. Where the
scope of application is uncertain, the matter must be escalated for internal guidance rather than
resolved individually.
Governance and Responsibilities
Cybersecurity governance is a shared responsibility across all roles and levels. Firm leadership
defines security priorities, approves controls, and retains authority over incident handling and
escalation decisions. Each professional is responsible for the proper use of systems and credentials
within their scope and for reporting any identified or suspected vulnerability, breach, or irregularity
without delay. Delegation of tasks does not transfer accountability for oversight or institutional
compliance. Failures in governance or supervision are treated as internal risk and escalated
accordingly.
Access Controls
Access to firm systems, networks, and data must be restricted to authorized individuals on the basis
of role-defined permissions limited to what the role actually requires (least privilege). Multi-factor
authentication is required for access to sensitive systems and for all remote access. Credentials must
not be shared, reused across platforms, or stored outside firm-approved systems. Access rights must
be reviewed at defined intervals, adjusted when a role changes so that permissions no longer needed
are removed, and revoked immediately upon termination of engagement. Unauthorized or suspicious
access attempts must be reported promptly through internal security channels.
Data Protection
All firm data classified as sensitive or confidential must be encrypted in transit and at rest using
current cryptographic standards consistent with recognized security frameworks. Storage,
transmission, and processing of such data must occur only within firm-approved systems and
environments. Such data must not be copied to personal devices, personal cloud accounts, or
unauthorized external media. Where encryption cannot be applied because of technical constraints,
the matter must be escalated, and the compensating controls applied in its place must be documented
and approved by firm leadership. Data handling must remain consistent with the firm’s obligations
under applicable data protection requirements.
Incident Response
Security incidents must be identified, contained, and escalated through defined internal procedures
without delay. Upon detection, affected systems or access points must be isolated to the extent
operationally feasible, with relevant logs and evidence preserved rather than wiped so that the root
cause can later be established, and firm leadership must be notified immediately. Incident handling
must include documentation of the event, its timeline, the actions taken, and the assets or data
affected. Where an incident involves confidential documentation, financial records, or obligations
under AML, CFT, or sanctions frameworks, escalation must follow both security and compliance
protocols concurrently. Post-incident analysis must be conducted to identify the root cause and to
prevent recurrence.
Network Security
The firm’s network infrastructure must be maintained under defined security standards, including
segmentation, monitoring, and access controls appropriate to operational risk. External connections,
including remote access and third-party integrations, must be configured with controls sufficient to
prevent unauthorized entry. Security patches and updates must be applied within defined timeframes
consistent with internal risk thresholds. No device may be connected to the firm’s network without
prior authorization. Infrastructure configurations must be reviewed periodically and documented for
audit purposes.
Training and Awareness
All professionals must complete mandatory cybersecurity training at onboarding and at defined
intervals thereafter, with participation recorded as a compliance requirement. Training must cover
access procedures, incident reporting, data handling obligations, and social engineering and
phishing risks. Updates to procedures or controls are communicated formally and become binding
upon issuance. Lack of awareness does not exempt any individual from responsibility under this
Policy. Each team is accountable for ensuring procedural alignment within its scope.
Audits and Vulnerability Testing
Internal and third-party audits of cybersecurity controls must be conducted at defined intervals and
upon material changes to systems or infrastructure. Vulnerability assessments and penetration
testing must be performed to identify and remediate technical exposure before it is exploited and
results in operational or institutional impact. Findings must be documented, prioritized by risk level,
addressed within defined remediation timeframes, and verified as remediated. Audit results are
retained for institutional review and compliance accountability. Non-compliance identified during
audits must be escalated to firm leadership for corrective handling.
External Standards Alignment
Cybersecurity controls at MKS Law are maintained in alignment with recognized frameworks,
including the NIST Cybersecurity Framework and ISO/IEC 27001. Where institutional partners or
regulatory counterparties require specific security standards or documentation, the firm must
assess and respond to such requirements through formal internal procedures. Third-party service
providers must demonstrate adequate security controls as a condition of engagement and for its
duration. Security-related representations made to external parties must be accurate, substantiated,
and authorized by firm leadership.
Policy Review and Versioning
This Policy is reviewed at defined intervals and upon material changes in legal requirements,
operational structure, or the threat environment. Reviews are led by firm leadership and must
result in a documented, versioned update subject to formal approval. Updates take effect upon
communication and fully replace prior versions. Historical versions are retained for reference and
accountability. All professionals must ensure compliance with the version in force at the time of
application.