Source: Central Bank of the Russian Federation in English
The Bank of Russia Board of Directors has approved the Guidelines for the Advancement of Information Security in the Financial Sector for 2019–2021. The document is intended to specify the regulator’s objectives as regards the efforts to ensure financial market stability and improvements in its information security. The Bank of Russia’s Information Security Department acts as the relevant competence centre.
The document sets out that information security of credit and non-bank financial institutions must be provided at the infrastructure, applied software and application levels. Additionally, the focus should extend to the safety of action/transaction processing and recording technologies. The regulator’s strategic objectives also include financial consumer and investor protection: these efforts are set to be based on objective data on consumer and investor loss.
The strategy sets out metrics the regulator will use to assess information security risk in each supervised entity across the three levels; this assessment will help determine the maturity of information security in the overall financial sector.
The metrics include, among others, compliance with federal standards for information protection, sustainable operations, risk management and outsourcing. Applications will need to be certified to qualify as properly protected. Risk concentration points in financial companies’ technologies will be identified on a proactive basis through analysis of data defining the level of risk in financial transactions, enabled by Big Data. To counterbalance the risks identified, the Bank of Russia will present a methodology for calculating minimum coverage against potential loss (e.g., credit institutions’ capital buffers, independent guarantees, insurance, etc.).
The strategy sees that a holistic view of individual financial sector companies will emerge by 2021, detailing their preparedness to counter cyber attacks (from cyber risk handling and coverage perspectives) and the degree of their preparedness to counter cyber threats.
16 September 2019