SBS Resolution 504-2021: how to get ready without panic

504-2021 doesn't ask for miracles. It asks for governance, documented controls and evidence. Here's what being ready actually looks like.

Peru’s SBS Resolution 504-2021 reset information-security expectations for entities supervised by the Superintendencia de Banca, Seguros y AFP. Three years after publication, we still see credit unions, finance companies and insurers walk into the first meeting with the same question:

“Are we ready for the SBS?”

The short answer: it depends less on buying new technology and more on having written down, and kept alive, what is already being done. This article explains what being ready looks like and, more importantly, the signals that typically give away an institution that isn’t.

What the SBS actually asks for

At an architectural level, 504-2021 moves in four large dimensions:

  1. Information-security governance — a defined body, with clear responsibilities, that reports to the board. “We have a CISO” is not the same as “the board receives monthly documented reports on the state of security.”
  2. Cybersecurity risk management — identify, assess, treat and continuously monitor risk. This includes a current asset inventory, a living risk matrix (not a 2022 spreadsheet), and a treatment plan with owners and dates.
  3. Technical and operational controls — controls auditors can verify with evidence: identity management, cryptographic-key handling, continuous monitoring, sensitive-data protection, vulnerability management, hardening, network segregation.
  4. Operational resilience — continuity and incident-response plans that have been tested, not just drafted. A BCP no one has ever executed is not a BCP, it’s a Word document.

Each dimension is measured against three horizons: where the institution is today, where it should be by the end of the current cycle, and where it should be by the end of the next.

Five signals you’re not ready

In maturity assessments we see the same five symptoms over and over:

1. The risk matrix hasn’t been updated this year

If the matrix says “last revision: March 2024” and we’re in 2026, it’s not a risk matrix, it’s a decorative chart. Regulators expect evidence of periodic review with documented changes.

2. The asset inventory is a falling-apart spreadsheet

“Critical assets” should be a living list connected to the CMDB, the SIEM and the change-management process. If it’s a spreadsheet that three people maintain “more or less,” compliance falls apart with it.

3. There’s no evidence of plan execution

Having an Incident Response Plan is necessary. But the SBS expects evidence of drills, postmortems, applied improvements. A plan that was never executed is indistinguishable from not having one.

4. Cryptographic keys lack signed procedures

If the HSM exists but loading, rotation and custody ceremonies aren’t documented with signed records, this is almost an automatic finding. The SBS doesn’t need to audit your HSM in detail — it’s enough to ask for the records and find they don’t exist.

5. The board doesn’t understand what it approves

The board signs the budget and the policies. If at a meeting you ask what level of risk they assumed by approving the last investment, they should be able to answer in terms of the institution’s framework. If they reply vaguely or look at the CISO hoping the CISO will answer, there’s a governance gap no technical control covers.

What being ready when the inspection arrives looks like

Effective preparation isn’t a project, it’s a continuous practice. But there’s a reasonable order to get there:

  1. Be honest about the state — an honest Maturity Assessment against the resolution’s domains. Not to impress, to have a real starting point.
  2. Close critical gaps in 0-3 months — typically the most visible: missing policies, outdated matrix, absence of execution evidence.
  3. Reinforce technical controls in 3-12 months — key handling, monitoring, vulnerability management.
  4. Mature governance in 12-24 months — board reporting, living metrics, integration with operational risk.

The common mistake is investing the entire budget in layer 3 (technology) without having worked layer 1 (real state). It ends up as budget buried in tools no one knows how to interpret.

What to do if the inspection is in six months

If you have less than a year, the order changes:

  • Month 1-2: update the obvious. Expired policies, risk matrix, asset inventory. It doesn’t have to be perfect, it has to exist and be dated.
  • Month 3-4: execute at least one incident simulation and one continuity test. Document the postmortem.
  • Month 5-6: review evidence with a critical external peer — someone who knows how the SBS audits and tells you where they would find holes.

It’s not about passing the inspection at the last minute. It’s about being able to show consistent evidence of a system that works.


At 2PSECURE we run maturity assessments against SBS 504-2021, PCI DSS v4.0.1 and ISO 27001:2022 with executable deliverables and a three-horizon roadmap. If your institution faces an inspection or wants to know where it stands before the regulator asks, let’s talk about your case.


Let's talk

If your organization is in a similar situation, let's talk.

A 30-minute technical conversation, no commitment, to understand if your case fits what we do.