
The policy of the Central Bank in the field of data protection (cyber security)

This article is about the policy of the Central Bank of the Russian Federation in the field of data protection. Main article at the top level: Information security in banks.

2019

The Central Bank found more than 700 data-protection violations in banks

As became known on November 6, 2019, since the beginning of 2019 the Central Bank of the Russian Federation had carried out 109 inspections of banks for cyber resilience, during which more than 730 violations were found. About 80% of them are in one way or another connected with insufficient data protection in credit institutions. The head of the Central Bank, Elvira Nabiullina, said this in a speech in the Federation Council.

«
We will further strengthen supervision in order to encourage banks to approach cyber-security issues carefully, the head of the Bank of Russia added.
»

«
Cyber resilience is not just installing anti-virus software on a computer; cyber-resilience requirements have to be written into all business processes. This is crucial for the further dynamic development of technology, Elvira Nabiullina added.[1]
»

The Central Bank will fine two banks for the first time for having no anti-fraud systems

The Central Bank will fine banks for the first time for having no anti-fraud systems, Artem Sychev, first deputy director of the Central Bank's information security department, told journalists. The newspaper Vedomosti reported this on October 10, 2019. Anti-fraud systems monitor transactions that are atypical for the client and could potentially be made by a fraudster.

«
We are preparing penalties for two banks because they did not pay attention to the fact that they should take care of their clients; they have no anti-fraud. In principle, there was no anti-fraud at all, Sychev said.
»

Sychev did not specify which credit institutions will be punished, noting only that it concerns two banks. The final decision on the penalties has not yet been made and the documents are being prepared, he added. The absence of systems for recognizing fraudulent transactions in the banks was discovered during scheduled inspections.

The Central Bank explained the three signs of unauthorized banking transactions[2].

Amendments obliging banks to block transactions that look fraudulent came into force in September 2018. Banks must detect such operations by three signs. The first is a match between information on the recipient of the transfer and data in the Central Bank's database of cases and attempts of theft. The second sign is a match between the parameters of the device from which the transfer is made and data in the Central Bank's database. The third sign is a mismatch between the nature, parameters, volume, place of the operation or the device from which it is carried out and data on the transactions that are normal for the client.
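The three signs above are, in effect, a detection rule set. The following Python is an added illustration of how a bank-side anti-fraud check could apply them to incoming transfers; it is not code from the Central Bank or from any bank, and the "CB database" it consults is a constructed stand-in with made-up account and device identifiers. The 3x-amount threshold used for the third sign is an assumption chosen for the demo, not a value the regulation specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    client_id: str
    recipient: str    # recipient account identifier
    device_id: str    # fingerprint of the device that initiated the transfer
    amount: float
    location: str     # coarse location of the operation (e.g. city)
    channel: str      # service channel: "mobile", "web", "atm"


@dataclass
class ClientProfile:
    """What is normal for this client (in production, learned from transaction history)."""
    known_devices: Set[str]
    usual_locations: Set[str]
    usual_channels: Set[str]
    typical_max_amount: float


# Constructed stand-in for the Central Bank database of fraud cases and attempts.
# These identifiers are made up for the demo.
CB_FRAUD_RECIPIENTS = {"40817810000000000099"}
CB_FRAUD_DEVICES = {"dev-fraud-01"}

AMOUNT_FACTOR = 3.0  # assumption: more than 3x the client's typical maximum is a mismatch


def check_transfer(tr: Transfer, profile: ClientProfile,
                   cb_recipients: Set[str], cb_devices: Set[str]) -> List[str]:
    """Return the list of matched signs (empty list means nothing suspicious)."""
    reasons: List[str] = []
    # Sign 1: recipient appears in the CB database of thefts and attempts
    if tr.recipient in cb_recipients:
        reasons.append(f"sign 1: recipient {tr.recipient} is in the CB fraud database")
    # Sign 2: initiating device appears in the CB database
    if tr.device_id in cb_devices:
        reasons.append(f"sign 2: device {tr.device_id} is in the CB fraud database")
    # Sign 3: mismatch with what is normal for this client
    anomalies: List[str] = []
    if tr.device_id not in profile.known_devices:
        anomalies.append("unknown device")
    if tr.location not in profile.usual_locations:
        anomalies.append("unusual location")
    if tr.channel not in profile.usual_channels:
        anomalies.append("unusual channel")
    if tr.amount > AMOUNT_FACTOR * profile.typical_max_amount:
        anomalies.append("amount far above typical")
    if anomalies:
        reasons.append("sign 3: mismatch with client's normal transactions ("
                       + ", ".join(anomalies) + ")")
    return reasons


def should_block(reasons: List[str]) -> bool:
    """Any matched sign stops the transfer pending confirmation with the client."""
    return bool(reasons)


def run_demo() -> Dict[str, List[str]]:
    """Evaluate constructed sample transfers for one client and return reasons per transfer."""
    profile = ClientProfile(known_devices={"dev-c1-phone"}, usual_locations={"Moscow"},
                            usual_channels={"mobile"}, typical_max_amount=50_000.0)
    transfers = [
        # normal transfer from the usual phone
        Transfer("T1", "c1", "40817810000000000011", "dev-c1-phone", 12_000.0, "Moscow", "mobile"),
        # recipient is in the CB database (sign 1)
        Transfer("T2", "c1", "40817810000000000099", "dev-c1-phone", 9_000.0, "Moscow", "mobile"),
        # new device, new city, new channel, very large amount (sign 3)
        Transfer("T3", "c1", "40817810000000000022", "dev-unknown-7", 480_000.0, "Novosibirsk", "web"),
        # device known to the CB database; also unknown to this client (signs 2 and 3)
        Transfer("T4", "c1", "40817810000000000033", "dev-fraud-01", 5_000.0, "Moscow", "mobile"),
    ]
    return {tr.transfer_id: check_transfer(tr, profile, CB_FRAUD_RECIPIENTS, CB_FRAUD_DEVICES)
            for tr in transfers}


if __name__ == "__main__":
    for tid, reasons in run_demo().items():
        print(tid, "BLOCK" if should_block(reasons) else "OK", reasons)
```

The first two signs are exact matches against the regulator's data, so they are cheap and unambiguous; the third sign is where false positives live, and the profile a bank builds (devices, locations, channels, amount range) determines how often legitimate clients are asked to confirm a transfer.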

The Central Bank developed a plan for cyber security of the financial system

On September 16, 2019 the Central Bank of the Russian Federation presented the report "Main directions of development of information security of the credit and financial sphere for 2019-2021".

The regulator had already proposed some of the ideas, but there are also new provisions. In particular, it plans to regulate the use of Big Data, artificial intelligence, robotization and the Internet of Things in the credit and financial sphere.

The Bank of Russia developed a plan for ensuring cyber resilience of the financial system until 2021

In addition, the Bank of Russia intends to process information using digital technologies, to introduce mass use of cryptography in the financial market and to participate actively in the development of the import substitution program.

The Central Bank has also considered the training of cyber-security specialists. Among other things, it wants to develop an educational professional standard, to introduce assessment of financial institutions' employees based at the Central Bank University, and to teach the basics of cyber security to school and university students.

Within the main directions the Central Bank sets itself the following tasks in the field of cyber security:

1) Ensuring cyber resilience:

  • ensuring the readiness of the credit and financial sphere to guarantee financial stability and operational reliability under conditions of computer attacks, including ensuring the operational reliability and continuity of financial and banking services;
  • control of the risk levels of information threats being realized;
  • control of the level of banking and financial transactions made without clients' consent;
  • monitoring, rapid response to and prevention of computer attacks on organizations of the credit and financial sphere.

2) Protection of consumers of financial services through monitoring of indicators of the level of financial losses.

3) Assistance in the development of innovative financial technologies with regard to controlling the risk levels of information threats and ensuring the necessary level of information security.[3]

The Central Bank will fine banks for weak cyber defense

On September 12, 2019 it became known that the Central Bank is introducing a new punishment for banks for poor cyber defense. By the end of the year the regulator will introduce a new characteristic for credit institutions: a risk profile for the level of information security.

This indicator, as Artem Sychev, first deputy director of the information security department of the Bank of Russia, told journalists, will reflect the calculated probability of problems arising at a bank because of non-compliance with cyber-security regulations.

The Central Bank is introducing a new punishment for banks for poor cyber defense

The risk profile will be formed on the basis of four characteristics, including the share of unauthorized card operations and the bank's readiness to repel an attack.

The parameter will also be taken into account in assessing a bank's economic situation, on an equal footing with the amount of capital, profitability, liquidity, quality of management, etc.

Depending on the cyber-security risk profile, the Central Bank will make recommendations to banks, and for the lowest category penalties and increased supervision may be provided. The Central Bank added that calculating the risk profile will make it possible to assess how a bank's management reacts to emerging cyber threats.

According to Sychev, assignment to one group or another will not affect capital, but it will affect provisioning for transactions and the terms of lending on the interbank market.

Sychev said that the cyber-security risk profile will also be taken into account in assessing a bank's economic situation. Based on the assessment, banks will be placed in one of several groups, ranging from those not experiencing difficulties to those where violations pose a real threat to the interests of depositors and creditors.

«
Nobody before, neither in the Russian Federation nor in other countries, has defined such indicators on which the regulator can form an opinion on the situation, on whether it achieves the goals of regulation or not in terms of information security, he explained.[4]
»

Requirements for credit institutions to ensure cyber security

On June 3, 2019 it became known that a Provision of the Central Bank describing requirements for credit institutions to ensure cyber security had come into force.

The purpose of the document is to prevent money transfers without the client's consent carried out both by technical means and by methods of social engineering. According to the Provision, banks are obliged to protect the IT systems and applications used in opening deposits, issuing loans, and registering and managing the accounts of individuals and legal entities.

In particular, banks are obliged to carry out a vulnerability analysis of their software once a year, involving third-party specialists licensed for activities in the technical protection of confidential information. Also, every two years an assessment of the compliance of the data-protection level with the requirements of the state standard must be carried out.

According to the Provision, all actions of employees and clients in remote banking systems, as well as data on the devices used to perform transactions, must be stored for five years.

«
Systemically important credit institutions, credit institutions performing the functions of operator of payment infrastructure services of systemically important payment systems, and credit institutions that are significant in the payment services market must implement the enhanced level of data protection,

»

The Central Bank is running a pilot project on confirming the e-mail addresses of bank clients

On June 3, 2019 it became known that the Central Bank of the Russian Federation, together with banks, is running a pilot project on confirming the e-mail addresses of bank clients who are individuals. Artem Sychev, first deputy head of the information security department of the Bank of Russia, confirmed this information to the publication. He explained that banks often send messages to the client by SMS or e-mail, and if the address is not confirmed, an attacker can gain access to bank secrecy.

Initially, citizens provide an e-mail address when becoming clients of a bank or taking out a product. But over time it can become outdated, be hacked or, in the case of corporate mail, pass to another person. Banks in practice ignore these risks, not asking for updates when the e-mail address changes, and clients quite often simply forget which mailbox they specified when filling in the questionnaire.

Meanwhile, credit institutions send important personal information to citizens by e-mail, such as account statements. Verification of phone numbers already exists and will be strengthened by the bill on the exchange of information on SIM cards.

«
However, similar verification cannot be carried out for e-mail: the operators are different, the mail systems are different, each has its own. Meanwhile, it is important that information (statements, payment notifications and so on), if it is sent over this channel, reaches the person it belongs to,

»

During the pilot project banks are studying options for confirming e-mail. Participants in the pilot include Tinkoff Bank, OTP Bank and VTB. The credit institutions do not deny participation, but do not want to disclose details. OTP Bank specified only that the procedure should be simple while providing a sufficient level of verification. Artem Sychev emphasized that mail needs to be verified for both new and existing clients.

According to Alexander Samokhvalov, chairman of the board of Russian Standard bank, Internet and mobile banking or an ATM (on inserting the card and entering the PIN code) can become available methods of confirming mail for clients; the client can receive an offer to confirm the e-mail on logging in to the remote service channel. According to Alexey Rayevsky, CEO of Zecurion, for example, when confirming through mobile banking a code can be sent to the client's mail, which then has to be entered in the mobile bank.
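The code-to-mailbox flow described by Rayevsky is a standard possession check: a one-time code is delivered to the address, and the client proves control of the mailbox by entering it through an already authenticated channel. The Python below is an added sketch of such a service, not code from the Central Bank, the pilot banks or the quoted experts; the 15-minute lifetime and five-attempt limit are assumptions, and mail delivery is simulated by an outbox list.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 15 * 60   # assumption: a code stays valid for 15 minutes
MAX_ATTEMPTS = 5             # assumption: five wrong entries invalidate the code


@dataclass
class PendingConfirmation:
    email: str
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def _hash_code(client_id: str, code: str) -> bytes:
    # Store only a hash, and bind it to the client so a code cannot be replayed for another client
    return hashlib.sha256(f"{client_id}:{code}".encode()).digest()


class EmailConfirmationService:
    def __init__(self) -> None:
        self.pending: Dict[str, PendingConfirmation] = {}
        self.confirmed: Dict[str, str] = {}            # client_id -> confirmed address
        self.outbox: List[Tuple[str, str]] = []        # simulated mail delivery (address, body)

    def start_confirmation(self, client_id: str, email: str, now: float) -> str:
        """Issue a fresh 6-digit code for the address the client wants on file."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[client_id] = PendingConfirmation(
            email=email, code_hash=_hash_code(client_id, code), expires_at=now + CODE_TTL_SECONDS)
        self.outbox.append((email, f"Your bank e-mail confirmation code: {code}"))
        return code  # returned only so the demo can play the client's part

    def confirm(self, client_id: str, entered_code: str, now: float) -> bool:
        """Called from the authenticated mobile/Internet bank session with the code the client read."""
        p: Optional[PendingConfirmation] = self.pending.get(client_id)
        if p is None:
            return False
        if now > p.expires_at:                         # expired codes are discarded
            del self.pending[client_id]
            return False
        if not hmac.compare_digest(p.code_hash, _hash_code(client_id, entered_code)):
            p.attempts_left -= 1                       # limit guessing
            if p.attempts_left <= 0:
                del self.pending[client_id]
            return False
        del self.pending[client_id]                    # codes are single-use
        self.confirmed[client_id] = p.email
        return True

    def may_send_statement(self, client_id: str, email: str) -> bool:
        """Statements go only to an address this client has confirmed; a changed address needs a new round."""
        return self.confirmed.get(client_id) == email


def run_demo() -> bool:
    svc = EmailConfirmationService()
    code = svc.start_confirmation("client-1", "client@example.com", now=1000.0)
    _address, body = svc.outbox[-1]                  # the client reads the code from the mail
    return svc.confirm("client-1", body.rsplit(" ", 1)[1], now=1010.0) and code is not None


if __name__ == "__main__":
    print("confirmed:", run_demo())
```

Note that the gate is on the pair (client, address), not on the client alone: when the client later changes the mailbox, `may_send_statement` returns False until the new address has gone through the same round, which addresses the outdated-address risk raised above.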

After the list of proposals appears, it is planned to discuss it with the whole market. It has not yet been decided whether the proposals on e-mail verification will be issued in the form of methodological recommendations or will become mandatory requirements through amendments to Provision 382-P. The Central Bank does not comment on this question.

Market participants generally support the regulator's initiative, noting that the specific content of the future requirements or recommendations is important. According to Daniil Tkach, director of the client relations department of Promsvyazbank, confirmation of mail will make communication more effective, but banks may need additional automation to verify e-mail addresses.

«
It is important that the Central Bank gives time to implement the verification requirements; a term of six months could be reasonable,
commented Daniil Tkach, director of the client relations department of Promsvyazbank
»

In addition, the regulator should define what can be sent by e-mail and what cannot.

«
Mail was and remains a channel over which data is sent in the clear; it is easy to intercept and alter it. Therefore messages should not contain critical information. If it concerns bank secrecy, then letters with such contents should be sent only with the client's consent,
notes Alexey Lukatsky, Internet security consultant at Cisco[5]
»

The Central Bank of the Russian Federation expanded data-protection requirements for banks

The Bank of Russia tightened the requirements for banks on protecting clients' funds against cybercriminals, according to a new Provision of the Central Bank. The document has been approved by the management of the regulator, the FSB and the Federal Service for Technical and Export Control.

The document introduces an obligation for banks to provide protection when attracting deposits (from both individuals and legal entities), placing the raised funds and maintaining clients' bank accounts. Earlier, credit institutions had to ensure information security only when carrying out money transfers.

"The maximum requirements will be imposed on systemically important credit institutions, banks performing the functions of operator of payment infrastructure services of systemically important payment systems, and credit institutions significant in the payment services market. Standard requirements will be imposed on all the rest," the press service of the Central Bank said in its statement.[6][7]

The Provision sets out data-protection requirements for objects of information infrastructure, application software and the technology for processing protected information.

It was proposed to entrust the cyber defense of small banks to a new company under the patronage of the Central Bank

The problem of information security for small banks was one of the topics raised at the meeting of bankers with the head of the Central Bank of the Russian Federation, Elvira Nabiullina, which took place on February 18, 2019. It was proposed to create a special outsourcing company which, under the patronage of the Central Bank, would handle the cyber defense of credit institutions with small capital.

«
It would be quite good to create such an outsourcing institution, since IT is a capital-intensive thing, Anatoly Aksakov, head of the State Duma Financial Market Committee, told Kommersant.
»

Banks with a basic license will be helped by outsourcing, Anatoly Aksakov, head of the State Duma Financial Market Committee, believes

According to him, small banks cannot independently provide the due level of security, and outsourcing to the key companies in this market turns out to be too expensive: they first draw banks into their digital architecture, which is difficult to abandon, and then raise their rates.

On the other hand, a special institution working with small banks should inspire trust in them. Not every bank is ready to provide its data to a competitor, which, for example, keeps some from cooperating with the Bi.zone company, which belongs to Sberbank, the newspaper notes.

Anatoly Aksakov sees one way of solving the problem in creating the institution on the basis of already operating companies that are ready to offer a platform. Such a company should be selected by tender and should be under the patronage of the Central Bank, the official believes.

According to Mikhail Savelyev, development director of the Informzashita company, creating a specialized player will do no good. Such companies, as a rule, begin to look urgently for highly qualified specialists, and under deadline pressure this can only mean luring employees away from competitors by offering higher salaries. The cost of such personnel is artificially inflated, which affects the final price of solutions and projects across the whole market, the expert explained.[8]

2018

The Central Bank entered 10 thousand accounts used by fraudsters for withdrawing money into its anti-fraud system

According to a statement of November 30, 2018, records on more than 10 thousand accounts used by fraudsters for withdrawing money have been entered into the automated anti-fraud system of the Central Bank of the Russian Federation (the database on money transfer operations made without the client's consent).

«
Until recently everyone knew that banks communicated about the accounts of individuals or legal entities through which stolen money was withdrawn. We legalized this exchange by introducing amendments to the legislation. From April to August 2018 we managed to launch the system, and from August to November more than 10 thousand records on accounts through which attackers try to withdraw stolen money appeared in it. Colleagues actively use this database and see how their clients are protected from having their money go to such accounts.
Artem Sychev, first deputy director of the information security department of the Central Bank
»

The database operates within the automated incident processing system (ASOI), to which all Russian banks[9] are connected[10].

FinCERT will protect the central banks of EEU member states

The Bank of Russia signed agreements on cooperation in the field of information security with several countries of the Eurasian Economic Union (EEU).

Thus, on November 15, 2018 an agreement on cooperation in the field of information security was signed with the National Bank of the Kyrgyz Republic. Earlier, similar documents were signed with the financial regulators of the Republic of Kazakhstan, the Republic of Armenia and the Republic of Belarus.

Bank of Russia. Photo: newsnn.ru

Under the signed agreements, the Bank of Russia's partners, on identifying information security threats, send operational notifications containing the key parameters of computer attacks to the Bank of Russia's FinCERT. The center's staff, in turn, assist them in researching malicious software and also advise on attacks on ATMs and on the de-delegation of phishing domains. Based on analysis of the information obtained under the agreements, FinCERT also prepares and sends operational mailings to participants in the information exchange containing the key parameters of computer attacks and indicators of compromise.
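On the receiving side, an indicators-of-compromise mailing is only useful if it is matched against the bank's own telemetry. The Python below is an added illustration of that step, written for this page and not taken from FinCERT or any participant bank: the mailing format (plain `type,value` lines), the proxy and mail-gateway log layout, and every domain, address and hash in it are constructed for the demo. The page does not describe FinCERT's real message format.

```python
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Constructed attachment content, so its hash can be computed rather than invented
SAMPLE_ATTACHMENT = b"constructed malicious attachment for the demo"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()

# Constructed IoC mailing in an assumed "type,value" text form (not FinCERT's real format)
IOC_MAILING = f"""\
# indicators received from the information exchange (constructed)
domain,login-verify-bank.example
ipv4,203.0.113.45
sha256,{SAMPLE_SHA256}
"""

# Constructed proxy and mail-gateway log lines
LOG_LINES = [
    "2018-11-16T09:12:03 proxy src=10.0.5.12 dst=www.example.org:443 bytes=5120",
    "2018-11-16T09:12:44 proxy src=10.0.5.17 dst=login-verify-bank.example:443 bytes=1880",
    "2018-11-16T09:13:10 proxy src=10.0.5.21 dst=203.0.113.45:8080 bytes=402",
    f"2018-11-16T09:15:51 mailgw from=payments@example.net attachment=invoice.doc sha256={SAMPLE_SHA256}",
    "2018-11-16T09:16:02 mailgw from=colleague@example.org attachment=report.pdf sha256=" + "0" * 64,
]

DST_RE = re.compile(r"\bdst=([^\s:]+)")
HASH_RE = re.compile(r"\bsha256=([0-9a-fA-F]{64})\b")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Read the mailing into per-type sets; unknown types and comments are ignored."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ipv4": set(), "sha256": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip().lower(), value.strip().lower()
        if kind in iocs and value:
            iocs[kind].add(value)
    return iocs


def match_logs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (log line, indicator type, indicator) for every line touching a known indicator."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = DST_RE.search(line)
        if m:
            host = m.group(1).lower()
            if IPV4_RE.match(host):
                if host in iocs["ipv4"]:
                    hits.append((line, "ipv4", host))
            # exact domain or any subdomain of a listed domain
            elif host in iocs["domain"] or any(host.endswith("." + d) for d in iocs["domain"]):
                hits.append((line, "domain", host))
        m = HASH_RE.search(line)
        if m and m.group(1).lower() in iocs["sha256"]:
            hits.append((line, "sha256", m.group(1).lower()))
    return hits


def run_demo() -> List[Tuple[str, str, str]]:
    return match_logs(LOG_LINES, parse_iocs(IOC_MAILING))


if __name__ == "__main__":
    for line, kind, value in run_demo():
        print(f"[{kind}] {value} <- {line}")
```

Hash and address indicators are exact matches; domain indicators are matched on the suffix as well, since phishing infrastructure is commonly spread across subdomains of one registered name, which is also why the page mentions de-delegation of the domain rather than takedown of a single host.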

FinCERT is a structural division of the Information Security Department of the Central Bank of the Russian Federation. The center's main task is to counter attackers by mutually informing and notifying members of the banking community about the vulnerabilities, threats and risks each of them has to face. Initially the center was to ensure the security only of the Russian banking sector, but the newly signed agreements turn it into an international cyber-security body extending its protection to foreign financial institutions.

According to Artem Sychev, first deputy director of the information security department of the Bank of Russia, the formation of the common EEU financial market is integrated with the development of digital technologies, which made it necessary to create a common effective cyber-security system based on the financial regulators of the union's member countries.

«
It is quite logical if a common system for protecting financial information with a single center operates within the economic union, Georgy Lagoda, CEO of the SEC Consult Services company, believes. Such an approach will make it possible to unify and accelerate the exchange of data on cyber attacks between participants of the union, which as of November 2018 is especially relevant, since the credit and financial organizations of the EEU countries most often face the same threats.
»

The Central Bank fixed the formats for banks' messages to FinCERT

On November 6, 2018 it became known that the Bank of Russia had fixed the formats for banks sending messages to FinCERT in its fifth information security standard. The previous four standards were voluntary to join, but in this case it will be technically impossible to avoid working under the standard.

The Central Bank's industry standard 1.5, which came into force on November 1, 2018, approved the form and procedure of banks' interaction with FinCERT (the Central Bank's division for combating cyber threats). An essential part of this document is devoted to the format for sending information to the ASOI platform (the Central Bank's platform for operational exchange of information with banks about incidents and so on, launched in July 2018).

The fact that the Central Bank decided to enshrine the technical information in a standard surprised the market.

«
Before this standard appeared there were four more devoted to information security, and a bank could decide whether to observe them or not, argues the Kommersant newspaper's source from a top-30 bank. The decision on compliance was made by the bank's management, a corresponding letter was sent to the Central Bank, and then the bank underwent certification.
»

At the same time, the information security requirements in these standards were tougher and more expensive, and many banks did not wish to join them, the newspaper's source specified.

At the same time, a bank cannot evade sending information to ASOI, and the formats are the same for everyone, so in practice banks cannot avoid observing the fifth standard. But it is impossible to join one standard without accepting the others. As a result, banks now have to observe all five standards, the representative of the Russian bank concluded.[11]

Bill on data protection in non-credit financial organizations

The Central Bank of the Russian Federation has prepared the bill "On Establishing Requirements for Ensuring Data Protection, Mandatory for Non-credit Financial Institutions, in Carrying Out Activities in the Field of Financial Markets". The text of the bill was published on September 4, 2018 on the website of the Government of the Russian Federation and, as of September 6, is undergoing independent anti-corruption review.

The independent anti-corruption review will last until September 17, 2018. Photo: RIA Novosti / Natalya Seliverstova

The bill sets requirements for ensuring data protection that are mandatory for non-credit financial institutions, for the purpose of countering illegal financial transactions.

Non-credit institutions are invited to engage organizations licensed for activities in the technical protection of confidential information and/or for the development and production of means of protecting such data.

The bill also lists specific categories of protected information: any confidential information connected with carrying out financial transactions, data about the clients and operators who perform them, and the technical systems used for such transactions fall under this definition. For the objects of information infrastructure and automated systems used for carrying out financial transactions "for the purpose of processing, transferring and storing protected information", non-credit financial institutions must provide one of three levels of protection: enhanced, standard and minimum. The enhanced level of protection is proposed only for systemically important infrastructure organizations of the financial market, provided they perform more than 3 million financial transactions a day.

The bill lists the types of activity for companies that can manage with the minimum level of protection: microfinance institutions, credit consumer cooperatives, housing accumulation cooperatives, agricultural credit consumer cooperatives and pawnshops. The other organizations will need to provide the standard level of protection.

Organizations that are to have the enhanced and standard levels of data protection must, at the stages of creating and operating objects of information infrastructure, use application software of automated systems and applications for financial transactions "certified in the certification system of the Federal Service for Technical and Export Control of Russia for compliance with information security requirements, including requirements for vulnerability analysis and control of the absence of undeclared capabilities, in accordance with the legislation of the Russian Federation, or for which vulnerability analysis has been carried out in accordance with the requirements for an evaluation assurance level not lower than OUD 4 (EAL 4) under the requirements of the national standard of the Russian Federation GOST R ISO/IEC 15408-3-2013", the bill specifies.

They are also obliged to conduct annual penetration testing and information security vulnerability analysis of objects of information infrastructure. For this purpose it is also proposed to engage third parties licensed to carry out this kind of work.

When objects of information infrastructure are upgraded, a vulnerability check must also be carried out, but it can be limited to only those components that directly underwent changes. A financial institution can carry out such a check independently or with the involvement of third-party experts.

The bill also sets the procedure for distributing and protecting client software (mobile applications) for carrying out transactions over the Internet. The document stipulates that a financial institution, on detecting counterfeit applications in mobile software repositories, must inform both clients and the repository operators about the counterfeits.

The procedure for protecting data in the electronic messages accompanying financial transactions is also described: this includes authentication and authorization of clients, protection against false authorization, and detection of forged electronic messages and other attempts by attackers to attack a communication channel. The procedure for responding to cyber incidents and storing information about them is regulated.

Organizations that must provide the standard and enhanced levels of protection are required to create their own information security services (if not yet created) and to define their goals and tasks in internal documentation.

In addition, non-credit financial institutions must inform the Bank of Russia about all detected incidents involving breaches of information security, and also about their plans to disclose information on these incidents, including posting information on official websites, issuing press releases and holding press conferences, no later than one working day before the event.

Assessment of compliance of data protection is carried out according to the national standard of the Russian Federation GOST R 57580.2-2018 "Security of financial (banking) operations. Data protection of financial institutions. Compliance assessment methodology", approved by order of Rosstandart No. 156-st of March 28, 2018 "On the approval of the national standard" (Moscow, Federal State Unitary Enterprise Standartinform, 2018).

«
As of September 6 this is only a bill, Oleg Galushkin, chief information security officer of the SEC Consult Services company, pointed out, and by its final reading the document may change beyond recognition. However, at first sight the project imposes quite logical requirements both on the procedure for protecting data when carrying out financial transactions and on the procedure for informing the Central Bank about incidents.
»

The full text of the bill is available here. The independent anti-corruption review will be carried out until September 17, 2018.

"Sandbox" for testing third-party financial IT systems

The first pilot project testing a product was carried out on the Central Bank's regulatory test platform ("sandbox"). The product tested was a Sberbank service for remote management of the powers over accounts of corporate clients that grant the right to make transactions in bank branches. Experts believe the "sandbox" will help banks save on servicing corporate clients, the Central Bank reports on its website[12][13].

The pilot was implemented in cooperation with professional associations of financial market players and state agencies. The Central Bank and the expert councils organized in the "sandbox" recommended the service for implementation in the market, while making a number of remarks that need to be taken into account.

"Based on the results of the piloting of the service, changes in Bank of Russia regulations are expected so that all financial market participants can implement and use it, both to increase convenience in servicing their clients and to reduce their own costs," noted Ivan Zimin, acting director of the financial technologies department of the Central Bank.

The regulator reports that it has so far received more than 20 applications for testing products in the sandbox from financial institutions, fintech companies and other enterprises. Among them are projects in the field of digital assets and the implementation of new financial technologies.

The Central Bank's regulatory test platform, the so-called "sandbox", was created in April 2018. The "sandbox" is a limited environment in which innovative financial technologies needing proper regulation are tested. The Central Bank, as well as relevant state agencies, associations and development institutions, monitor the course of the pilot projects carried out in the "sandbox".

The Bank of Russia will find "black creditors" using Big Data

Big Data may be used to protect Russians on the Internet from "black creditors". The Central Bank is developing a project that will make it possible to apply a new supervisory model: distinguishing the websites of companies that have and do not have the right to issue consumer loans. This is described in documents of the regulator studied by Izvestia in July 2018. A machine will analyze huge volumes of information on the Internet much faster and more effectively than a person, experts explain[14].

The Ministry of Finance is preparing a report for the president on the development and implementation of a set of measures aimed at identifying and suppressing illegal activities in providing consumer loans. The Bank of Russia prepared part of the data for this report. This follows from a letter of May 11 from Sergey Shvetsov, first deputy chairman of the Central Bank, to the Ministry of Finance. It says that the regulator is working on a specialized supervisory model based on Big Data.

It will make it possible to separate websites into those that have and do not have the right to issue loans. The project is being developed in cooperation with the EU-Leasing company, which is engaged in software development and computing equipment. The IT company did not respond to Izvestia's request.

The Central Bank obliged banks to report spam with malicious files

On July 17, 2018 it became known that the Central Bank of the Russian Federation had obliged banks to report all spam mailings with malicious files. If the requirement is not met, credit institutions can be punished for incomplete disclosure of data.

According to Kommersant, the relevant amendments to Bank of Russia Regulation No. 382-P took effect on July 1. From that day banks are obliged to inform FinCERT of the Bank of Russia about computer incidents. However, the new edition of the document does not define the specific list of incidents subject to reporting; it will be published as a separate document on the Central Bank's website, and the publication date is not yet known.

Banks are obliged to send the regulator millions of reports about malicious mailings

Sources at the banks polled by the newspaper said that the volume of unwanted mail they receive every day is huge, but banks do not report spam mailings to the Central Bank in all cases. Alexey Lukatsky, business security consultant at Cisco, told the newspaper that spam makes up 60–80% of total e-mail volume, which, in his view, "makes the task of informing FinCERT difficult". Sberbank's press service told the newspaper that the bank records more than 2 thousand phishing e-mails and more than 100 malware delivery attempts per day.

Lukatsky noted that, in theory, failing to inform the Bank of Russia about every case of receiving spam with malicious code can be treated as a violation. The regulator's press service told Kommersant that commercial credit institutions bear "responsibility in accordance with the federal law on the Central Bank". However, Lukatsky is confident that establishing such a violation will be rather difficult if a bank reports at least some spam mailings.[15]

The Central Bank obliged banks to report hacker attacks

On June 28, 2018 the Central Bank of the Russian Federation announced that from July 1 credit institutions must report hacker attacks and their technical parameters to the regulator. Previously banks did so on a voluntary basis.

«
Now, to improve the quality of protection against cyber threats, credit institutions should use only certified software for money transfers and test it periodically, the Bank of Russia said.
»

Banks of the Russian Federation will be obliged to inform the Central Bank about hacker attacks from July 1

It is noted that the detailed information exchange, which has operated for several years, was in demand both among credit institutions and among law enforcement agencies. The Central Bank uses the data obtained from banks to develop recommendations on countering hacker attacks. The reporting covers unauthorized transfers of funds and unauthorized access to bank clients' devices, disruptions of payment services, malicious code, phishing and DDoS attacks.

Compliance with the required level of protection will now be assessed by organizations holding a license from the Federal Service for Technical and Export Control (FSTEC). In addition, assessment by involved third-party assessors of compliance with the information protection requirements for money transfers will become mandatory.

From January 1, 2020 a requirement for annual penetration testing and information security vulnerability analysis is introduced. Banks will need to engage an external auditor for this purpose.

Also from 2020 a requirement for mandatory separation of the software environments used for preparing and confirming payments is introduced, including when remote banking systems are used. The Central Bank is confident this will help protect bank clients from hacker attacks.[16]

The Central Bank obliged banks to check clients' devices during money transfers

The Bank of Russia has obliged credit institutions to check the devices that clients use to make money transfers. These measures are intended to help counter money laundering. According to Vedomosti's issue of June 21, 2018, under the new, April version of the Central Bank's regulation, banks must assign identifiers to clients' devices. If the identifiers of several clients match, those clients will be treated as clients with an elevated risk level.

As of the end of June 2018, the use of IT characteristics for analyzing client activity is recommended by the Central Bank and is already used by many banks; for example, credit institutions record clients' IP addresses. But meeting the new requirements of the regulation will require IT upgrades, experts believe.

The Bank of Russia obliged credit institutions to check the devices that clients use for money transfers

VTB told the newspaper that the Central Bank's new requirements merely codify existing practice: the innovations will not lead to any restrictions for clients, banks will simply pay more attention to "risky" transactions.

According to Natalya Pozdeeva, managing director for IT at Absolut Bank, obtaining detailed data on a gadget's digital fingerprint is more difficult, and not all existing systems are capable of it. The bank will have to request data from some clients more often and update their questionnaires, she noted.

As Alexander Sotov, head of the financial investigations and anti-corruption practice at FBK Grant Thornton, explained, matching gadget identifiers may indicate the existence of a "financial dispatching center", from which fraudsters use a single computer to move money through the Internet banking of companies under their control. One such center was uncovered in 2010, but since then criminals have become better at hiding behind VPNs and other means, he added.

Traditional bank monitoring systems track transactions: the source of the money, where it goes, and the transaction parameters in general, says Alexander Ermakovich, head of online fraud prevention solutions at Kaspersky Lab. This is a working and reliable technology, but there are also newer approaches, he says: analysis of user behavior, which also covers the devices from which the user works with banking systems, the environment, habits and the user's normal behavioral patterns.

According to Ermakovich, hundreds of parameters are collected: information about the device and its characteristics, the environment in which it usually operates, particular ways the device is used, the client's behavior in the bank–client system, and links to other users or devices. All these parameters are combined, and the machine reveals behavioral anomalies and pattern violations, which makes it possible to distinguish fraudsters and cash-out mules ("obnalshchiki") from normal users.[17]
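The device check described above, as an added example that is not part of the original article or of any bank's or the regulator's code: a device identifier is derived from a set of session attributes, clients are grouped by identifier, and any identifier seen with several distinct clients marks those clients as elevated risk. The attribute set used for the fingerprint, the session records and the IP addresses are constructed for the example; the regulation does not prescribe which attributes make up the identifier. The sample also shows why the device identifier catches a case the IP-only check that banks already perform does not: two clients on the same device behind different IP addresses (the VPN case Sotov mentions).

```python
import hashlib
from collections import defaultdict

# Attributes that go into the device identifier. This field set is an
# assumption for the example; the regulation does not prescribe one.
FINGERPRINT_FIELDS = ("user_agent", "screen", "timezone", "language", "fonts_hash")

# Constructed sample sessions (not real client data). C003 and C004 use the
# same device through different IP addresses; C005 only shares an IP with C003.
SESSIONS = [
    {"client_id": "C001", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/66.0",
     "screen": "1920x1080", "timezone": "Europe/Moscow", "language": "ru-RU", "fonts_hash": "a1f3"},
    {"client_id": "C002", "ip": "203.0.113.11", "user_agent": "Mozilla/5.0 (Macintosh) Safari/605.1",
     "screen": "2560x1600", "timezone": "Europe/Moscow", "language": "ru-RU", "fonts_hash": "77b0"},
    {"client_id": "C003", "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0",
     "screen": "1366x768", "timezone": "Europe/Samara", "language": "ru-RU", "fonts_hash": "c9e2"},
    {"client_id": "C004", "ip": "198.51.100.99", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0",
     "screen": "1366x768", "timezone": "Europe/Samara", "language": "ru-RU", "fonts_hash": "c9e2"},
    {"client_id": "C005", "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (Android 8.0) Chrome/66.0",
     "screen": "1080x2160", "timezone": "Europe/Samara", "language": "ru-RU", "fonts_hash": "0d11"},
]


def device_identifier(session, fields=FINGERPRINT_FIELDS):
    """Derive a stable device identifier from a session's attributes.

    The attributes are canonicalised in a fixed order and hashed, so the
    identifier carries no raw client data; a missing attribute hashes as an
    empty string instead of raising.
    """
    canonical = "|".join(f"{name}={session.get(name, '')}" for name in fields)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def shared_keys(sessions, key_fn, min_clients=2):
    """Map each key to the sorted distinct clients seen with it, keeping
    only keys shared by at least `min_clients` clients."""
    clients_by_key = defaultdict(set)
    for session in sessions:
        clients_by_key[key_fn(session)].add(session["client_id"])
    return {key: sorted(ids) for key, ids in clients_by_key.items() if len(ids) >= min_clients}


def shared_device_clients(sessions, min_clients=2):
    """Device identifiers used by several distinct clients: the regulation's trigger."""
    return shared_keys(sessions, device_identifier, min_clients)


def shared_ip_clients(sessions, min_clients=2):
    """The weaker IP-only check that many banks already perform."""
    return shared_keys(sessions, lambda s: s["ip"], min_clients)


def risk_level(client_id, sessions):
    """'elevated' if the client shares a device identifier with another client, else 'normal'."""
    for clients in shared_device_clients(sessions).values():
        if client_id in clients:
            return "elevated"
    return "normal"


if __name__ == "__main__":
    print("shared devices:", shared_device_clients(SESSIONS))
    print("shared IPs:    ", shared_ip_clients(SESSIONS))
    for cid in ("C003", "C004", "C005"):
        print(cid, risk_level(cid, SESSIONS))
```

On the sample, the device check flags C003 and C004 (same device, different IPs), while the IP check instead pairs C003 with C005, who merely share an address (a NAT or shared connection) on different devices. Hashing the canonical attribute string keeps the identifier stable across sessions and avoids storing the raw fingerprint alongside the client record.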

The Central Bank of the Russian Federation will oblige banks to disclose financial damage from cyber attacks

From July 1, 2018 the Bank of Russia will change the reporting form on information security incidents during money transfers for banks acting as money transfer operators and as payment infrastructure service operators, the regulator's website reports[18]. Data on the technical characteristics of an incident (methods and sources of the cyber threat) will be excluded from the report; instead, the economic consequences for operators and their clients[19] will be specified[20].

In particular, operators will report to the Bank of Russia the amounts that cybercriminals attempted to steal during the reporting period and the amount of funds actually stolen. "An important indicator will be the amount of stolen funds returned by the operator to its clients", the regulator notes.

This indicator will allow the Bank of Russia to assess how faithfully operators fulfill the duty, established by the Federal Law "On the National Payment System", to compensate clients for stolen money. The new reporting form also includes indicators of the continuity of money transfer services during a computer attack.

The Central Bank believes that changing the reporting form will improve the accuracy of data on information security incidents during money transfers and allow more effective control of the risks of money transfer operators and payment infrastructure service operators. In addition, the information they provide will make it possible to assess more precisely the quality of the risk management systems and the capital of credit institutions and banking groups.

Operators will have to report the technical details of attacks to FinCERT of the Bank of Russia, the structural division of the Bank of Russia that collects and analyzes information from financial institutions about cyber attacks.

Creation of the Information Security Department

Main article: Information Security Department of the Central Bank of Russia

In May 2018 the Central Bank of the Russian Federation created a new department whose activity is devoted entirely to information security.

The Board of Directors of the Central Bank decided to split the Main Directorate of Security and Information Protection into two independent divisions: the Information Security Department and the Security Department of the Bank of Russia.[21]

The Central Bank is preparing an information security standard for financial organizations

On May 3, 2018 the Central Bank of Russia published the draft standard "Information security of financial organizations of the Russian Federation. Technology for preparing, sending and formatting electronic messages for information exchange with the Bank of Russia about detected incidents involving violation of the information protection requirements for money transfers" (STO BR IBFO-1.5-2018). As stated in the explanatory note to the document, the draft standard is intended to improve the accuracy of data about such events. Read more here.

The Central Bank wants to receive the powers of security officers

In April 2018 the government sent to the State Duma a bill granting the Central Bank the power of unhindered access to companies' premises and documents, RBC reports. It concerns the fight against insider fraud.

Permission for such activity is contained in the March 30 version of the government bill sent to the State Duma for the second reading, which amends Article 14 of the law "On Countering the Misuse of Insider Information".

During insider checks, Central Bank staff will gain access to documents and information, including information restricted by federal law, the bill says. Employees will also be able to copy original documents.

Today the Central Bank only has the power to request documentation from organizations. During checks, all Russian legal entities, as well as foreign citizens and organizations operating in Russia, will be obliged to provide access to acts, contracts, certificates, business correspondence and "other documents and materials". The Central Bank will gain access to trade, official and bank secrets, information on postal money transfers and "other secrets protected by law" (except state and tax secrets), RBC reports. The Bank of Russia initiated the amendment to the government bill.

The bank justifies the need for expanded powers by the fight against market manipulation. "The high degree of danger and the secrecy of such crimes, committed by "professionals" of the financial market, require the introduction of corresponding changes", the document says.

Unhindered access of the Central Bank to companies is "common practice for preventing illegal acts", RBC reports, citing the bank's press service. Checks involving unhindered access of Central Bank representatives to the premises of legal entities and other organizations will be carried out only where there are serious grounds to believe that the law on insider information has been violated, said Deputy Minister of Finance Alexey Moiseev. "It is not that you were just walking by and decided to drop in; there have to be suspicions. There is a whole list of decision-making procedures, everything will be approved by a special body in the Central Bank", he told Interfax. The bill granting the Central Bank new powers was to be considered in the second reading at a meeting of the State Duma committee on financial markets on April 5, but was postponed.

The Central Bank proposed an information security standard

In March the Bank of Russia published a standard for the provision of information security services to financial institutions. Compliance with the standard will be voluntary, but the Central Bank does not rule out that it will later become mandatory for all companies providing information security services to financial market participants[22].

Last year the Russian banking sector faced a wave of cyber attacks. According to ESET, an international developer of antivirus software and computer security solutions, the number of such attacks on the financial sector grew almost one and a half times in a year.

The standard is intended for banks, non-credit financial institutions, national payment system participants and other financial market participants, the regulator's website explains. According to the Central Bank, use of the standard will help small and medium-sized organizations, which usually lack financial and personnel resources, to build and maintain an information security system at an acceptable level.

"The standard takes effect on July 1, 2018. Its provisions are advisory. Later, if necessary, the question of their mandatory application may be considered", the Central Bank says.

The list of security threats to biometric data

On February 12, 2018 it became known that the Central Bank of the Russian Federation had defined the list of security threats arising in the processing, collection, storage and verification of biometric personal data in state bodies, banks and other organizations. The draft regulation is published on the Bank of Russia's website.[23]

The Central Bank defined threats to biometric data

The draft directive is intended to protect biometric data and citizens' rights when such data is used for identification, the bank's explanatory note says.[24]

The Central Bank believes that the entry into force of this regulation will lay the basis for establishing requirements for the information technologies and technical means used to process biometric data during identification, Interfax writes. The directive is to take effect on June 30, 2018. Comments and proposals on its content are accepted from February 12 to February 25, 2018, i.e., within only two weeks.

A security threat to biometric data is understood as a set of conditions and factors that create a danger of unauthorized (including accidental) access to such data with its subsequent destruction, modification, blocking, copying, distribution, etc.

In December 2017 the State Duma adopted a law allowing banks to open accounts for individuals without their personal presence, using only biometric passports and data uploaded to the Gosuslugi portal.[25] The law on remote identification is expected to take effect in summer 2018.

«
In principle, such a law is quite relevant today, and in this respect we are even ahead of EU legislation, said Oleg Galushkin, information security expert at SEC Consult Services. However, it must be understood that the protection of biometric data requires the highest level of execution, since without it the possibility, for example, of opening accounts for individuals without their participation is a "generator of mass risks" which it is unclear who will bear. It is also known that the Bank of Russia, together with the Federal Security Service, is preparing a mobile application for remote identification of credit institutions' clients.
»

A center for combating fraud in the financial market has opened

The Bank of Russia has opened a Competence Center for countering illegal activity in the financial market, the regulator's press service reported. The center opened on February 2, 2018 in Krasnodar. It will accumulate information on illegal activity in the financial market arriving from all regions of the country.

"The key task of the Center is to develop a methodology for identifying and suppressing such practices based on analysis of the collected data. All structural divisions of the Bank of Russia working in this area will be able to use a single database and methodology", the regulator's statement says.

The Central Bank believes that the creation of such a Center will make it possible to track the migration of fraudulent schemes and stop their spread at early stages, identify the organizers of such companies, and build more effective interaction with law enforcement agencies and the public.

The press service added that the regulator is now expanding its work in the regions and creating departments for countering illegal activity in all main branches of the Bank of Russia.

"We are interested in the high-quality growth of the Russian financial market and must protect the competitive environment from distortion. If there is a lot of illegal business, it crowds out the legal one. And this is a one-off business built on deceiving the consumer. And the welfare of citizens is the ultimate goal of our economic policy", noted Sergey Shvetsov, First Deputy Chairman of the Bank of Russia, speaking at the opening of the center.

2017

The Central Bank's proposal to include those responsible for cyber security and IT on the Boards of Directors of public companies

In November 2017 the Central Bank of the Russian Federation announced plans to amend the corporate governance code in relation to cyber security. The regulator will propose that public companies add information security competence to their Boards of Directors.

According to Kommersant, citing Elena Kuritsyna, director of the Central Bank's corporate relations department, the Bank of Russia considers it necessary to establish the strategic role of the Board of Directors of public joint stock companies (PJSC) in organizing the risk management system for information technology development and cyber security.

The Central Bank of the Russian Federation will amend the corporate governance code in relation to cyber security

Speaking at the OECD–Russia round table on corporate governance held on November 15, 2017, Kuritsyna noted that in the light of growing cyber risks Boards of Directors should have the necessary competence in IT and cyber security, since they must approve the companies' relevant policies and oversee their implementation by management.

On the one hand, she said, new technologies offer a huge number of new opportunities for business development; on the other hand, they raise cyber security issues. Cyber risks are already being realized in the form of purposeful, planned attacks on particular industries or companies. All this requires serious involvement of the corporate governance system in order to counter these threats properly, she added.

The Central Bank intends to set out these innovations in the corporate governance code; they will be discussed until the end of 2017. As of mid-November, compliance with the code is recommended rather than mandatory for public companies. At the same time, compliance with some of the code's basic provisions is a condition for including a company's shares in the first and second tiers of the Moscow Exchange's quotation list. Thus, recommendations on transferring the strategic management of IT and cyber security issues to the Board of Directors of a public joint stock company may in future also appear in the listing rules, the newspaper notes.[26]

Certificates for cyber security specialists in the financial sphere

In two years Russia will begin issuing certificates to cyber security specialists in the financial sphere, Artem Sychev, deputy head of the Main Directorate of Security and Information Protection of the Bank of Russia, told Kommersant on October 11.

According to Sychev, the qualification requirements, as well as a master's degree program and an advanced training program, have been developed. "The next stage will be the qualification exam itself, because it is impossible to certify people without first offering them training", Sychev said.

In the future it is also planned to introduce a requirement that cyber security specialists working in banks hold the new type of certificate, but this should not be expected in the near future. Expansion of the list of specialties subject to certification was announced by Sergey Shvetsov, first deputy chairman of the Bank of Russia, in April 2016. In addition to cyber security specialists, asset management and internal control experts will have to obtain the new certificates.

There is now an urgent need for training and certifying security specialists, Sychev noted. Whereas previously the IT structure of banks simply served their interests, now a third party can influence the technologies standing between the bank and the client. This calls for experts who do not simply protect the perimeter (there are quite enough such personnel now), but who understand how a technology works and can determine how it can be influenced from outside and what to do in that case.

As Sychev explained, training will be provided in the three most in-demand areas: methodology, technology and law in cyber security. However, who will train the new personnel and issue the certificates is still unknown. Currently 11 organizations accredited by the Bank of Russia certify specialists in the financial sphere. Perhaps FSTEC will qualify cyber security experts in the financial sphere, but this issue has not yet been finally resolved.

Return of money stolen from bank accounts

At the end of September 2017 the Bank of Russia and the Ministry of Finance of the Russian Federation expressed their intention to simplify the return of money to bank clients in cases where the money has already been debited from the account and has arrived at the receiving bank, but has not yet been transferred to the fraudsters' accounts, Vedomosti reports.[27]

Amendments to the bill on countering theft of money, sent to the State Duma at the end of May 2017, allow bank clients not to prove their case in court. The previous version of the amendments provided that a court had to establish the fact of the debit. In particular, clients whose money was debited without their consent and then blocked were to provide the bank with the relevant arbitration court decision within 14 days; otherwise the bank had to execute the payment.

According to a Bank of Russia representative, the mechanism proposed by the Central Bank and the Ministry of Finance will mainly affect legal entities. If funds are debited from a company's account without its consent, the bank at whose correspondent account the money arrived can suspend its transfer to the recipient's account for up to five days. If the recipient does not provide documents confirming the legitimacy of the transfer (copies of contracts, delivery notes, invoices, etc.), the money is returned to the company's account.

As for individuals, the procedure for compensating amounts illegally debited from an account is set out in the law on the national payment system, the Central Bank representative specified.

Nevertheless, the problem of returning money that has already been credited to the recipient's account remains unresolved. Banks have no right to return or block such funds for a long period without a court decision, and by the time such a decision is obtained the fraudsters can safely withdraw the funds from the account.

Minimum amount of damage from cyber attacks to be reported

The Bank of Russia will set a minimum amount of damage from cyber attacks that banks are obliged to reflect in their reporting. The innovation will appear in 2018 together with a new reporting form.

Since 2013 all financial institutions have submitted monthly reports to the Central Bank on problems that arose during clients' money transfers. The report records all such cases: theft of card data when paying a restaurant bill, or skimming (when criminals install special reading devices on ATMs and then steal money). Banks submit the report as a table reflecting the fact of the incident together with the method of causing damage, its date, the payment system operator, the consequences of the violation, the measures taken to eliminate it, and whether law enforcement agencies were contacted. If there were no violations, zeros are entered in all the corresponding columns.

But from 2018 the Central Bank plans to change this reporting form, obliging banks to disclose the economic indicators related to cyber attacks. Thus, in a year banks will report to the regulator only the amounts hackers attempted to steal during the reporting period, the volume of theft from client accounts and information on the funds returned.[28]

Tightening of requirements

On September 14, 2017 it became known that the Bank of Russia is tightening the information security (IS) requirements for credit institutions. The latter will have to review their interaction with the third-party companies hired to provide cyber defense.

According to Kommersant, in September 2017 the Bank of Russia's draft document "Managing the risk of information security violation in outsourcing" was posted for public discussion; in it the regulator describes the information security risks to a bank from engaging outsourcers and sets requirements for minimizing them.

Central Bank building

The Central Bank notes that the risks of engaging third parties include selecting a supplier that lacks the necessary knowledge or resources, and the bank's weak control over the supplier's actions. Poor-quality work by outsourcers can result in vulnerabilities in the bank's information protection system and even theft from the credit institution, the regulator points out. The standard takes effect on January 1, 2018.

The Bank of Russia requires banks to develop a policy for interaction with the outsourcer, i.e., to clearly define the list of services of the third-party company and the list of functions performed by the bank itself, and to clearly separate and designate the areas of responsibility of the bank and of the third party.

When transferring significant functions, the Central Bank requires banks to periodically monitor the likelihood that an information security violation risk materializes, as well as the severity of the consequences of such a risk (which directly depends on money transfer volumes, balances on correspondent accounts, etc.). The regulator recommends that banks designated systemically important by the Central Bank inform FinCERT in advance of plans to transfer certain functions to outsourcing.[29]

Blocking of fraudulent websites

The Bank of Russia and the Ministry of Telecom and Mass Communications are working on amendments to the law "On Information, Information Technologies and Information Protection" that will make it possible to counter fraudulent resources on the Internet more effectively.

The Bank of Russia is expected to be given the power to decide on including resources in the unified register of prohibited websites. Thus, a new type of prohibited information will appear in the Russian Internet: information used for fraud in the financial market. For example, in some cases financial institutions that have lost their license continue to offer "payday loans" online.

The Bank of Russia, on the basis of agreements with competent organizations, initiates the blocking in the Russian segment of the Internet of fraudulent resources related to the financial markets and the national payment system, the Central Bank's press service confirmed. About 400 domains have been removed from delegation so far.

Websites created for fraud in the financial market will be blocked. Examination of such resources will be carried out by the Central Bank of Russia, according to the Strategy of state policy in the field of consumer protection.

See also: Phishing

Security requirements for Internet payments

In September 2017 the Bank of Russia proposed expanding the list of information protection requirements for money transfers over the Internet. The corresponding draft amendments to the Central Bank regulation were posted on the portal for disclosing draft regulatory legal acts.

In particular, requirements are to be raised for money transfer operators, which must ensure the security of transactions carried out over the Internet.

"The operator, on the basis of the client's application … determines restrictions on the parameters of transactions that the client can perform using the Internet banking system", the document says.

Operators need to increase security through specific technological measures that provide client identification, authentication of the client's electronic messages during money transfers, and the ability to verify the transfer details.

The amendments also regulate the operator's ability to confirm the client's right to carry out a transaction or to set restrictions, including: a maximum transfer amount, a list of permitted recipients, the time of the operation, and the geographic location of the devices from which clients perform operations.
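The client-declared restrictions listed above, as an added example that is not part of the original article or of the regulator's draft: a transfer is checked against the four kinds of restriction the amendments name (maximum amount, permitted recipients, operation time, device location) and every violated restriction is reported, so the operator can log why a transfer was refused rather than only that it was. The restriction structure, field names, account numbers and the sample transfers are assumptions constructed for the example; amounts are kept in minor units (kopecks) so that a limit comparison never depends on floating-point rounding, and the time window is allowed to cross midnight, which a naive start-to-end comparison gets wrong.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, FrozenSet


@dataclass(frozen=True)
class ClientRestrictions:
    """Restrictions a client declares in the application to the operator (hypothetical field names)."""
    max_amount: int                          # in minor units (kopecks); avoids float rounding at the limit
    allowed_recipients: Optional[FrozenSet[str]]  # None means any recipient is permitted
    window_start: time                       # operations allowed from this local time...
    window_end: time                         # ...until this one; the window may wrap past midnight
    allowed_countries: FrozenSet[str]        # ISO 3166-1 alpha-2 codes of permitted device locations


@dataclass(frozen=True)
class Transfer:
    client_id: str
    amount: int               # minor units
    recipient_account: str
    submitted_at: datetime    # local time of the operation, passed in explicitly (no wall-clock reads)
    device_country: str       # country resolved for the client's device


def within_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end]; handles windows that cross midnight, e.g. 22:00 to 06:00."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate_transfer(transfer: Transfer, rules: ClientRestrictions) -> List[str]:
    """Return the codes of every violated restriction; an empty list means the transfer is allowed.

    All checks run rather than stopping at the first failure, so the refusal
    record (and any incident report) carries the complete reason set.
    """
    violations = []
    if transfer.amount > rules.max_amount:
        violations.append("amount_exceeds_limit")
    if rules.allowed_recipients is not None and transfer.recipient_account not in rules.allowed_recipients:
        violations.append("recipient_not_allowed")
    if not within_window(transfer.submitted_at.time(), rules.window_start, rules.window_end):
        violations.append("outside_time_window")
    if transfer.device_country not in rules.allowed_countries:
        violations.append("device_location_not_allowed")
    return violations


# Constructed sample restrictions and transfers (not real data).
RULES = ClientRestrictions(
    max_amount=100_000_00,  # 100 000 rubles expressed in kopecks
    allowed_recipients=frozenset({"ACC-0001", "ACC-0002"}),
    window_start=time(8, 0),
    window_end=time(22, 0),
    allowed_countries=frozenset({"RU"}),
)

NORMAL = Transfer("C001", 50_000_00, "ACC-0001", datetime(2017, 9, 20, 12, 30), "RU")
AT_LIMIT = Transfer("C001", 100_000_00, "ACC-0002", datetime(2017, 9, 20, 22, 0), "RU")
SUSPECT = Transfer("C001", 250_000_00, "ACC-9999", datetime(2017, 9, 20, 3, 15), "NL")


if __name__ == "__main__":
    for label, tr in (("normal", NORMAL), ("at limit", AT_LIMIT), ("suspect", SUSPECT)):
        print(f"{label:9s}", evaluate_transfer(tr, RULES) or "allowed")
```

Returning the full list of violation codes, rather than a single boolean, is what makes the refusal auditable: the same record can feed the operator's own monitoring and, where an incident results, the report to the regulator.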

Operators must report to the Central Bank cases in which incidents are identified, as well as "the planned measures for disclosing information about incidents".

In addition, the amendments establish the need and obligation for operators to test their systems annually for penetration of information security threats.

The changes are proposed to Bank of Russia Regulation No. 382-P of June 9, 2012 "On requirements for ensuring information protection when making money transfers and on the procedure for the Bank of Russia to monitor compliance with the requirements for ensuring information protection when making money transfers"[30].

Standards for outsourcing cyber security

The Bank of Russia has developed standards for outsourcing cyber security. Under them, banks that lack the capacity to develop and upgrade their cyber security systems independently should transfer these functions to a third-party company specializing in countering hackers, i.e., to outsourcing.

The engaged company can help a bank build a cyber security system within up to six weeks, and then on a permanent basis monitor hacker attacks, control protection around the clock and train personnel.

Earlier, Artem Sychev, deputy head of the Central Bank's Main Directorate of Security and Information Protection, said that "for small and medium-sized banks, the issues connected with cyber security and IT in general are very expensive and difficult", which is why information security outsourcing needs to be developed. At present about 30 companies provide such services on the market.

According to the Central Bank's standard, banks can choose from three models of interaction with outsourcers: long-term, medium-term and short-term cooperation. In the first case the third-party company monitors cyber attacks on the bank and responds to them. In the second, the bank engages the outsourcer to carry out an information security project for it, for example to build the bank's own center for monitoring and responding to cyber threats. The third model means that the bank engages the company temporarily, while the level of cyber risk is elevated.

The outsourcer's services can be basic, extended or premium. In the first case the company works in 8x5 mode, in the second and third in 24x7 mode. The time to detect a critically dangerous cyber attack is up to 30 minutes under the basic package, up to 20 minutes under the extended one and up to 10 minutes under the premium one. Analysis of the situation takes 45, 30 and 20 minutes respectively, and issuing recommendations on eliminating the incident takes 2 hours, 1.5 hours and 45 minutes.

Ekaterina Syurtukova, head of cyber security outsourcing at the information security center of Jet Infosystems, noted that compared with the basic package the extended one costs 1.2-1.5 times more and the premium one 1.5-1.7 times more. Small banks should expect to pay 250 thousand rubles a month for a basic package, and large ones up to 2.5 [31].

Database of biometric data of bank clients

Main article: Unified biometric identification system

System for exchanging information about cyber attacks on banks

The Central Bank continues to strengthen measures against cyber crime, acting as the coordinator of this activity in the credit and financial sector. Measures are developed through a working group that includes representatives of the Central Bank, the FSB, FSTEC, the Ministry of Telecom and Mass Communications, the Ministry of Finance and Rosfinmonitoring. Technical tasks within this activity are assigned to FinCERT. The immediate task has become the development of a platform for automating and speeding up information exchange between the interested state bodies and the banking system in order to raise the level of cyber security, the Kommersant newspaper reported in July 2017.

The platform is an online resource that will allow participants in the system to communicate through personal accounts in a new format.

«
Now we send out mailings, in fact a text file with certain indicators, explained Artem Sychev, deputy head of the Central Bank's Main Directorate of Security and Information Protection. We want to move to a new exchange format that will allow credit institutions to load these indicators of compromise into their detection systems in automated mode.
»

According to him, it is essentially an analog of the international VirusTotal service (which checks files for malware "using a large number of anti-virus engines"). In addition, the platform will offer services for analyzing critical situations.
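What "loading indicators of compromise into the detection system in automated mode" amounts to on the receiving side is shown by the following added example, which is not part of the original article and does not reproduce FinCERT's actual exchange format. The feed format (one `type,value[,comment]` indicator per line), the log line layout and all addresses, domains, hashes and URLs are constructed for the example; the lookup handles exact IPs, CIDR ranges, domains including their subdomains, SHA-256 hashes and URLs.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed indicator feed (an assumed format, not FinCERT's real one):
# one indicator per line, "type,value[,comment]". Types: ip, cidr, domain, sha256, url.
FEED = """\
# constructed sample feed
ip,203.0.113.45,c2 server
cidr,198.51.100.0/24,hosting range
domain,update-bank-login.example,phishing
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,dropper
url,http://cdn.example.net/payload.bin,dropper download
"""

# Constructed log lines in a simplified "ts src dst host sha256 url" layout ("-" = absent).
LOGS = [
    "2017-07-01T10:00:00 10.0.0.5 203.0.113.45 - - -",
    "2017-07-01T10:00:01 10.0.0.6 93.184.216.34 www.example.org - -",
    "2017-07-01T10:00:02 10.0.0.7 198.51.100.77 - - -",
    "2017-07-01T10:00:03 10.0.0.8 93.184.216.34 mail.update-bank-login.example - -",
    "2017-07-01T10:00:04 10.0.0.9 93.184.216.34 cdn.example.net "
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 "
    "http://cdn.example.net/payload.bin",
]


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    cidrs: list = field(default_factory=list)
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    urls: set = field(default_factory=set)


def parse_feed(text):
    """Parse the feed into typed lookup structures; malformed lines are rejected, not skipped."""
    iocs = IocSet()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected type,value")
        kind, value = parts[0].strip().lower(), parts[1].strip()
        if kind == "ip":
            iocs.ips.add(str(ipaddress.ip_address(value)))  # validates and normalizes
        elif kind == "cidr":
            iocs.cidrs.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            iocs.domains.add(value.lower().rstrip("."))
        elif kind == "sha256":
            if not re.fullmatch(r"[0-9a-f]{64}", value.lower()):
                raise ValueError(f"line {lineno}: bad sha256")
            iocs.hashes.add(value.lower())
        elif kind == "url":
            iocs.urls.add(value)
        else:
            raise ValueError(f"line {lineno}: unknown type {kind}")
    return iocs


def domain_matches(host, domains):
    """True if the host itself or any parent domain is an indicator (a.b.c matches b.c)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def match_log(iocs, lines):
    """Return (line_index, indicator_type, matched_value) for every hit, in log order."""
    hits = []
    for idx, line in enumerate(lines):
        _ts, _src, dst, host, sha, url = line.split()
        if dst in iocs.ips:
            hits.append((idx, "ip", dst))
        else:
            dst_addr = ipaddress.ip_address(dst)
            for net in iocs.cidrs:
                if dst_addr in net:
                    hits.append((idx, "cidr", str(net)))
                    break
        if host != "-" and domain_matches(host, iocs.domains):
            hits.append((idx, "domain", host))
        if sha != "-" and sha.lower() in iocs.hashes:
            hits.append((idx, "sha256", sha.lower()))
        if url != "-" and url in iocs.urls:
            hits.append((idx, "url", url))
    return hits


if __name__ == "__main__":
    for hit in match_log(parse_feed(FEED), LOGS):
        print(hit)
```

The parser refuses malformed indicators rather than silently skipping them, because a feed that loads "successfully" with half its entries dropped gives the bank false confidence; in a real deployment the feed would also carry a signature or come over an authenticated channel, since an attacker who can edit the indicator file can blind the detector.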

Engineering design of the system will begin in August 2017, and launch of the platform is planned for the end of 2017. By the middle of 2018 it is expected to be fully operational.

Financial institutions will submit to the Central Bank reports on the amounts stolen by hackers, the volume of theft from customer accounts, and the amount of funds returned to citizens. As the regulator notes, technical data about the cause of a given incident has been excluded from the reports. The innovation is expected to improve the reliability of the information provided on cyber attacks and to make credit institutions pay more attention to information security.

Annual pentests of banking software

The Bank of Russia has developed a draft directive amending the Regulation "On Requirements for Ensuring Information Protection When Making Money Transfers and on the Procedure for the Bank of Russia to Monitor Compliance with the Requirements for Ensuring Information Protection When Making Money Transfers".

Under the document, money transfer operators will be obliged to use software certified for compliance with information security requirements. Banks and payment systems will thus be able to use only programs that have been tested for vulnerabilities and undeclared functionality according to the requirements of the Federal Service for Technical and Export Control (FSTEC), or evaluated to an assurance level not lower than EAL 4 (OUD 4) according to GOST R ISO/IEC 15408-3-2013.

Definitions from ISO/IEC 15408-1, 2.4 assurance:

  • Performance of the appropriate actions or procedures to ensure confidence that the target of evaluation meets its security objectives.
  • Grounds for confidence that an entity meets its security objectives.

2.16 assurance evidence: the documented results obtained from the assurance analysis of the target of evaluation, including the reports (justifications) supporting the assurance claim.


Vulnerability analysis of the software must be carried out by organizations licensed for technical protection of confidential information. Penetration testing and vulnerability analysis must be carried out annually. The directive takes effect on July 1, 2018.

State standard on information protection for banks: GOST R 57580.1-2017

  • GOST R 57580.1-2017 "Security of financial (banking) operations. Information protection of financial organizations. Basic set of organizational and technical measures", approved 8/8/2017
  • Applies to banks, non-credit financial institutions and other subjects of the national payment system (NPS)

What is essentially new

  • Information protection levels
    • Level 3, minimum (corresponds to the fourth personal data protection level, UZ PDn)
    • Level 2, standard (corresponds to the second and third UZ PDn)
    • Level 1, enhanced (corresponds to the first UZ PDn)

  • The protection level is established for a specific security perimeter ("contour"): an information system implementing business processes of a uniform degree of criticality, to which a uniform information protection regime is applied
  • Example: payment processes and information technology processes may form different security perimeters
  • One or several security perimeters are formed
  • The protection level for a perimeter is established by Bank of Russia regulations on the basis of:
    • type of activity, composition of the services provided, and business processes within the security perimeter
    • volume of financial transactions
    • organization size
    • importance for the financial market and the NPS


GOST R 57580.1-2017 "Security of financial (banking) operations. Information protection of financial organizations. Basic set of organizational and technical measures" was approved in Russia in August 2017. The national standard comes into force on January 1, 2018 under the Rosstandart order of August 8, 2017.

Under the document, banks must take an integrated approach to planning, implementing, controlling and improving the information protection process. The standard describes requirements for organizing all basic information protection processes, including measures to prevent leaks and violations of the integrity of the information infrastructure, as well as protection against attacks using malware.

Guidance on information protection when performing transactions from mobile devices is set out in a separate clause. In addition, the standard describes information security requirements at all lifecycle stages of the automated systems and applications used in financial organizations.

According to Kommersant, the new state standard introduces mandatory certification of information security tools for all financial market companies. Market participants consider the requirement of universal certification unworkable because of its high cost and the peculiarities of the Russian IT industry [32].

The main requirement of the standard is that all technical information protection measures must have a certificate of conformity from the Federal Service for Technical and Export Control (FSTEC). Thus financial institutions assigned the minimum, third, protection level will need to use software certified not lower than class 6 (a class of protection against unauthorized access to information); companies at the second level must use solutions not lower than class 5; and organizations at the first level must work with systems not lower than class 4.

A differentiated approach to determining the protection level, which the Bank of Russia will assign to each supervised organization, is also introduced. There will be three levels in total: minimum, standard and enhanced. They will be assigned depending on the type of activity, the composition of the business and technology processes, the volume of financial transactions and other factors.

Structure of the standard

  • Section 6. Methodology for applying the requirements and determining protection levels
  • Section 7. Requirements for the information protection system (SIB)
    • Access control (IDM)
    • Network protection (IDS/IPS, NGFW)
    • Integrity and security control of the infrastructure (vulnerability scanner)
    • Protection against malicious code (AV)
    • Leak prevention (DLP)
    • Incident management (SIEM)
    • Protection of the virtualization environment (security tools for virtual environments)
    • Information protection when using mobile devices (MDM)

  • Section 8. Requirements for the information protection management system (SOIB / SMIB)
    • Planning of the protection system process
    • Implementation
    • Control
    • Improvement

  • Section 9. Requirements for information protection at the lifecycle stages of automated systems and applications
    • Appendix A. Basic model of threats and of the violator
    • Appendix B. Organizational measures connected with the processing of personal data
    • Appendix V. List of information protection events potentially connected with incidents

Dmitry Skobelkin appointed to oversee cyber security at the Central Bank of the Russian Federation

In July 2017 the Central Bank of the Russian Federation announced that Dmitry Skobelkin would supervise the Department of Financial Monitoring and Currency Control, the Main Directorate of Security and Information Protection, and the Bank's Interregional Security Center.

Before Skobelkin, the work of the Central Bank's Main Directorate of Security and Information Protection was coordinated and supervised by first deputy chairman Georgy Luntovsky. According to the Central Bank, he decided to leave the post of his own accord and departs in September 2017.

Security control in the financial sector

In 2017 the Central Bank of the Russian Federation will carry out more than 100 inspections of remote banking systems (RBS), approve cyber security standards for stock market participants, and create a security center for medium-sized and small banks. Tightening of information security (cyber security) requirements should be based on threat analysis; otherwise it may make banking services less convenient.

The Central Bank of Russia intends to strengthen control over the security of payment transactions in Russian banks. To this end it will organize more than 100 inspections of remote banking (RB) systems in 2017, RBC reports, citing Artem Sychev, deputy head of the Central Bank's Main Directorate of Security and Information Protection. According to him, the first inspections were already carried out in February 2017.

Banks whose inspection results are unsatisfactory will have to either increase their capital or accrue additional reserves against their existing operational risk in the amount of the average daily balance on their correspondent account. Exact information on which of these measures will be adopted should appear in mid-2017 [33].


A bank's payment workflow consists of two parts: the automated banking system (ABS, the core banking system) and the automated workplace of the Bank of Russia client (ARM KBR). Clients' payment orders are processed and payment registers are formed in the core banking system. In ARM KBR the incoming registers are encrypted and sent to the Central Bank of the Russian Federation. Since both the core banking system and ARM KBR are reliably protected (at least in theory), the only weak point of the system is the data transmission channel between the core banking system and ARM KBR.

According to banks, strict compliance with the directive (namely, using protected removable media rather than corporate servers for the exchange) leaves hackers no back door for replacing the data with forged data. The Central Bank of the Russian Federation, in turn, believes that in such a situation the efforts of cybercriminals will be concentrated on attempts to break into the core banking system. If they succeed, substitution of forged data at the level of the core banking system cannot be detected. And encryption of the banking data that hackers gain access to, using a more advanced analog of the WannaCry virus, can completely paralyze the work of a given credit institution.

Unified information security strategy for banks

In February 2017 the Association of Russian Banks (ARB) appealed to the Central Bank of the Russian Federation to develop a unified strategy for the development of information security of credit and financial organizations. ARB head Garegin Tosunyan spoke about it at the IX Ural Forum "Information Security of the Financial Sphere".

He noted that the responsibilities of banks' information security units are governed by about 130 documents, including about 50 federal laws, 20 presidential decrees and government resolutions, 15 acts of federal executive bodies, 25 Bank of Russia regulations, and 20 standards and regulatory documents of international and Russian payment systems.

The head of ARB believes that the need has matured to streamline these documents and to create a unified industry document on information security that would allow credit and financial organizations to react quickly to constantly emerging new challenges.

«
All these documents are not really integrated with each other, and that creates a problem. Creating a unified document will reduce the probability of conflicts, Garegin Tosunyan said.
»

Garegin Tosunyan of ARB believes the need for a unified document on the development of information security in the banking sector has matured

To make the most effective use of the banking community's capacity in preparing the strategy, all interested organizations should be involved and the Bank of Russia should be invited to lead the process as interdepartmental coordinator, ARB believes.

Tosunyan recalled that at least ten more Central Bank regulations on information security will come into force in 2017-2018.

Artem Sychev, deputy head of the Bank of Russia's Main Directorate of Security and Information Protection, said at the same forum that the number of cyber attacks on commercial banks and citizens in Russia grows every year, but the effectiveness of these attacks is decreasing [34].

«
The trend toward a growing number of attacks exists, it persists and, unfortunately, continues to grow. On the other hand, there is good news. The good news is that the effectiveness of such attacks is not always positive, he said.
»

Sychev noted that in 2016 the number of DDoS attacks almost doubled. The number of mailings containing malware grows practically every month, the Bank of Russia representative said. At the same time, the DDoS attacks recorded at the end of 2016 and the beginning of 2017 did not cause significant damage to banks: they caused inconvenience but were not critical and did not disrupt any service. The regulator also notes exponential growth in the number of fraudulent SMS mailings.

Artem Sychev added that the market has recently faced a new type of attack that uses the Internet of Things.

«
For security specialists this means that one day the mass of TVs installed in citizens' homes will suddenly fall upon our network, and we will be able to do nothing about it, Sychev noted.
»

Changes in the approach to making payments in order to combat hackers

According to Kommersant, the Central Bank of the Russian Federation sent a letter to the heads of banks' IT departments asking them to estimate by February 10 how soon they could implement encryption of payments destined for the regulator's payment system at the level of the automated banking system (core banking system, ABS) [35].

A bank's core banking system, the newspaper explains, is a hardware and software complex consisting of a set of computers united in a single protected perimeter, where payment orders are processed and payment registers are formed. The registers created in the core banking system go to ARM KBR (the automated workplace of the Bank of Russia client), a dedicated computer in the bank in a separate protected perimeter, from which payments are sent to the Central Bank.

Implementing encryption in the bank's core banking system, the Central Bank's press service explained to the newspaper, will make it possible to protect data at an earlier stage, "complicate the conditions of attacks for malicious actors and reduce the level of theft". The measure, the regulator noted, is proposed on the basis of an analysis of the facts of theft at commercial banks and takes into account world experience and current trends. "Such practice is applied in almost all large payment systems," the Bank of Russia press service emphasized.

The Central Bank's measure is intended to introduce encryption of payments at an earlier stage. As Alexey Pavlov, an analyst at the Solar JSOC cyber attack monitoring and response center, explained, banks violate the Central Bank's recommendations on fully isolating ARM KBR from the rest of the bank's network and on transferring data via protected removable media. When registers are sent, an intermediate folder on a file server in the bank's corporate network is often used, and that is where hackers replace the register file, so that forged data, in part or in full, arrives at ARM KBR, is encrypted there and goes to the Central Bank. A forged payment cannot be detected once it is encrypted; but if the registers are encrypted immediately in the core banking system, it will be impossible to change them on the way to ARM KBR. Strictly speaking, what prevents substitution is not the secrecy of the register but its authentication: a signature or message authentication code computed inside the core banking system and checked at ARM KBR lets the receiving side reject a replaced file, whereas encryption without authentication does not by itself let ARM KBR tell a genuine ciphertext from one an attacker produced.

Banks told Kommersant that they are estimating the timeframe and possible cost of implementing the innovation. Pavlov said that technically the bank would have to carry out a large-scale upgrade. Off-the-shelf solutions do not meet all the requirements of the legislation on cryptographic protection; specialists holding a special FSB license would have to be involved, and at least a year allowed for implementation, a cryptographic protection specialist at one of the major companies noted. As a result the innovation will cost a bank several million rubles. The Central Bank is discussing the implementation timeframe for encryption systems with market participants "in order to determine a comfortable transition period", the regulator noted.

According to the newspaper, bankers view the Central Bank's idea negatively and do not want to comment on it officially. Core banking systems are hundreds of computers that will need additional protection, says the head of the IT department of a top-100 bank. An IT specialist from a top-50 bank adds that an additional control will be lost: now the bank can reconcile the registers exported from the core banking system with those loaded into ARM KBR and identify forgeries, but with encryption in the core banking system this will no longer be possible. A representative of a large bank emphasized that the Central Bank had already demanded that banks strengthen security measures around ARM KBR by June 30 of the current year, which involves expense, and is now changing its approach.
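The attack and the countermeasure discussed above (a register replaced in an intermediate folder between the core banking system and ARM KBR, and protection applied inside the core banking system so that the replacement is caught at ARM KBR) can be shown end to end. The following is an added example and is not code from the article, from the Bank of Russia or from any core banking or ARM KBR product. It protects the register with an HMAC-SHA256 tag rather than with encryption, because rejecting a substituted file is an integrity property; the shared key, the register layout and the account numbers are constructed for the example, and in a real deployment the key would live in a certified cryptographic module at each end rather than in the process.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a 256-bit key provisioned out of band to both the core banking
# system and ARM KBR. Generated here only so the example runs stand-alone.
SHARED_KEY = secrets.token_bytes(32)

# Constructed payment register; the field set is illustrative, not a real format.
REGISTER = {
    "register_id": "2017-02-01/0001",
    "payments": [
        {"id": 1, "payer": "40702810900000000001", "payee": "40702810900000000002", "amount": "15000.00"},
        {"id": 2, "payer": "40702810900000000001", "payee": "40817810500000000003", "amount": "2300.50"},
        {"id": 3, "payer": "40702810900000000004", "payee": "40702810900000000002", "amount": "990000.00"},
    ],
}


def canonical(register):
    """Deterministic serialization so both ends authenticate exactly the same bytes."""
    return json.dumps(register, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def seal_in_abs(register, key):
    """Core banking side: attach the MAC before the register leaves the protected perimeter."""
    tag = hmac.new(key, canonical(register), hashlib.sha256).hexdigest()
    return {"register": register, "mac": tag}


def verify_at_arm_kbr(sealed, key):
    """ARM KBR side: recompute the MAC and compare in constant time; False means reject."""
    expected = hmac.new(key, canonical(sealed["register"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def tamper_on_file_server(sealed, new_payee):
    """Simulate the attack from the article: an attacker with write access to the
    intermediate folder edits the payee of the largest payment in the file."""
    forged = json.loads(json.dumps(sealed))  # deep copy, as editing the file on disk would
    forged["register"]["payments"][2]["payee"] = new_payee
    return forged


def forge_with_guessed_key(sealed, new_payee):
    """An attacker who does not hold the key can only re-seal with a key of their own."""
    forged = tamper_on_file_server(sealed, new_payee)
    return seal_in_abs(forged["register"], secrets.token_bytes(32))


if __name__ == "__main__":
    sealed = seal_in_abs(REGISTER, SHARED_KEY)
    print("genuine register accepted:", verify_at_arm_kbr(sealed, SHARED_KEY))
    print("edited register accepted:", verify_at_arm_kbr(tamper_on_file_server(sealed, "40817810500000000099"), SHARED_KEY))
    print("re-sealed register accepted:", verify_at_arm_kbr(forge_with_guessed_key(sealed, "40817810500000000099"), SHARED_KEY))
```

A MAC covers the substitution scenario the article describes but not replay: an attacker who captures a genuine sealed register could resubmit it unchanged, so ARM KBR should additionally record the register identifiers it has already accepted and refuse a repeat. The reconciliation the top-50 bank's specialist mentions is not lost with this design; the tag itself is the reconciliation, performed automatically at ARM KBR.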

2016

Blocking of websites with malicious content

Websites with malicious content relating to the financial markets and the national payment system will be blocked on the basis of data obtained from the Central Bank, TASS reported [36].

Such actions are provided for in an agreement between the Bank of Russia and the Coordination Center for the national Internet domain, the administrator of the national top-level domains .рф and .ru.

The Central Bank has received the status of a competent organization entitled to identify offending websites that distribute malware, resources with illegal content, and phishing sites, and to pass this information to the Coordination Center and accredited domain name registrars so that such resources are blocked.

In addition, the Bank of Russia urged citizens to inform the regulator about dishonest websites in the national domain space.

Control of Internet banking

In December 2016 it became known that the Bank of Russia would carry out a large-scale inspection of the security of online banking. The regulator will check how well online payment services and mobile applications are protected against cyber threats. After the inspection the Central Bank intends to take this sphere under its control and certify remote services for compliance with information security requirements.

Learn more: Secure remote banking (DBO) system

Bank cyber defense laboratory

On October 31, 2016 it became known that the Central Bank plans to create a laboratory for protecting banks against cyber threats. The laboratory is expected to be set up within the Central Bank, on the basis of FinCERT.

The regulator intends to equip credit institutions with technologies for preventing cyber threats, and will create a laboratory studying the technologies and consequences of computer attacks.

A research center operating in Malaysia may serve as the prototype [37]. Law enforcement agencies and credit institutions may take part in the implementation [38].

Network operations center (2016)

Laboratory specialists will study the methods and consequences of computer threats, including attacks on ATMs, POS terminals and self-service devices. Central Bank staff will analyze fraudulent Internet resources and mobile devices. The structure will help credit and financial organizations correctly remove and seal the objects handed over for investigation. The Central Bank, in turn, will prepare descriptions of the means and methods of attacks on self-service devices and recommendations for countering them.

The exact timeframe for creating the laboratory, as well as its name, has not been stated. According to Izvestia, the Bank of Russia is developing a launch plan and a "road map" for the laboratory, approval of which is planned for the end of 2016.

Bank of Russia recommendations on protection against information leaks

In April 2016 the Bank of Russia published recommendations on information security (cyber security) for organizations of the banking system regarding the prevention of information leaks. The document (PDF) takes effect on June 1, 2016. The Bank of Russia notes that such recommendations are being introduced for the first time. Banking organizations may apply them on a voluntary basis, the document specifies.

The recommendations cover only cases of information leakage resulting from the actions of the banking organization's employees or of persons with legitimate access to information or to premises where information is processed. They do not extend to organizations of the banking system that process information using cloud computing or have outsourced processing to a third party.

The Bank of Russia explains that following the recommendations reduces the risk of information leakage through monitoring and control of information flows. The document does not cover recommendations whose implementation only indirectly reduces the risk of leakage: for example, protection against malicious code, firewalling and network segmentation, cyber security audits, and the organization of logical access.

The Central Bank has issued recommendations for banks on combating information leaks through employees for the first time

Among the measures that reduce the risk of information leakage, the Bank of Russia suggests that financial institutions establish and document a classification of the information they process. At least two classes are recommended: "confidential information" and "open information". Classification should be based on an assessment of the severity of the consequences for the organization of a possible leak of confidential information, the document says.

Organizations are also recommended to document and ensure the identification and inventory of all information assets containing confidential information and of the objects in those assets' environment. This clause considers in detail the structure of the rules for identifying and inventorying information assets and environment objects, the types of assets and objects subject to identification and inventory, the set of attributes to be stored, etc. Automation tools are recommended for inventorying and identifying information assets and computing equipment.

The Bank of Russia recommends defining the categories of possible internal violators and the potential information leakage channels, the structure of the processes for monitoring and controlling them, ensuring implementation of the processes of an information security management system, etc.

One rather extensive subsection of the recommendations covers automating the monitoring and control of the organization's potential information leakage channels. It contains no advice on choosing specific technical solutions, except for a clause on centralized management and monitoring of employees' use of mobile devices, where XenMobile, MobileIron, SAP Afaria and IBM Endpoint Manager are cited as examples of solutions that could be used.

2013

16 recommendations on the security of online payments

On August 5, 2013 Bank of Russia Letter No. 146-T was published, containing a number of recommendations to credit institutions on improving the security of retail payment services provided over the Internet.

For several years the Internet payments market, together with the e-commerce market, existed in a "parallel reality" relative to the Russian financial market, the Central Bank and changes in Russian legislation. However, annual growth of the e-commerce market by more than a quarter, and the growing interest of Russians in cashless payments online and in the use of bank cards in general, changed the situation.

A number of clauses in Letter No. 146-T describe the fixed functions of the fraud monitoring system of the organization responsible for payment security. It is recommended to update the mechanisms of the fraud monitoring system at least every two years and, when new risk factors emerge or fundamental changes are made to the information protection system, to adapt the risk analysis system to them promptly.

To raise the security of Internet payments and reduce the risk of fraudulent transactions, multifactor authentication of the payer is recommended. As the authors of the Letter explain, authentication factors include possession of an object or device (for example, a personal identifier), knowledge of certain information (for example, a password), and possession of certain permanent inherent properties (for example, fingerprints).

For the same purposes dynamic client authentication is recommended, i.e. authentication in which one of the stages uses a password with a limited validity period and a limit on the number of uses. The recommendations on confirming payment transactions with one-time passwords delivered to the client over an alternative communication channel correspond to the XML-based 3-D Secure protocol and to the practice of the international payment systems: Verified by Visa, MasterCard SecureCode and J/Secure. Attention is also paid to the importance of payment monitoring mechanisms, including for risk analysis. The monitoring criteria specified are the frequency, the amount, the place of execution and the recipient of the payment.
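The client-set restrictions from the 382-P amendments (maximum amount, permitted recipients, permitted hours, device location) and the 146-T monitoring criteria (frequency, amount, place, recipient) fit together in one decision function: hard limits block, soft monitoring signals demand step-up with a one-time password, and a clean transfer is allowed. The following is an added example, not code from the Letter, the Regulation or any bank's fraud monitoring system; the thresholds, the sliding window, the three-way decision and the sample transfers are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Limits:
    """Restrictions the client set through the operator (constructed field set)."""
    max_amount: float
    allowed_payees: frozenset      # empty = no payee restriction
    hours: tuple                   # (start_hour, end_hour), half-open, local time
    allowed_countries: frozenset   # from device geolocation; empty = no restriction


@dataclass(frozen=True)
class Transfer:
    client_id: str
    payee: str
    amount: float
    when: datetime
    country: str


class FraudMonitor:
    """Keeps a sliding window of accepted transfers per client and scores each new one.
    Thresholds are illustrative assumptions, not values from the Letter."""

    def __init__(self, window=timedelta(hours=1), max_per_window=5, velocity_amount=100000.0):
        self.window = window
        self.max_per_window = max_per_window
        self.velocity_amount = velocity_amount
        self.history = {}        # client_id -> deque of accepted transfers
        self.known_payees = {}   # client_id -> set of payees seen before

    def _recent(self, t):
        dq = self.history.setdefault(t.client_id, deque())
        while dq and t.when - dq[0].when > self.window:
            dq.popleft()
        return dq

    def evaluate(self, t, limits):
        """Return (decision, reasons): 'block', 'step_up' (ask for a one-time password) or 'allow'."""
        reasons = []
        # Hard limits the client chose: any violation blocks, nothing is recorded.
        if t.amount > limits.max_amount:
            reasons.append("amount over client limit")
        if limits.allowed_payees and t.payee not in limits.allowed_payees:
            reasons.append("payee not in client whitelist")
        start, end = limits.hours
        if not (start <= t.when.hour < end):
            reasons.append("outside permitted hours")
        if limits.allowed_countries and t.country not in limits.allowed_countries:
            reasons.append("device location not permitted")
        if reasons:
            return "block", reasons
        # Soft monitoring criteria: frequency, amount, place, recipient.
        recent = self._recent(t)
        if len(recent) >= self.max_per_window:
            reasons.append("too many transfers in window")
        if sum(x.amount for x in recent) + t.amount > self.velocity_amount:
            reasons.append("window amount over velocity threshold")
        if recent and t.country != recent[-1].country:
            reasons.append("country changed within window")
        if t.payee not in self.known_payees.setdefault(t.client_id, set()):
            reasons.append("first transfer to this payee")
        recent.append(t)
        self.known_payees[t.client_id].add(t.payee)
        return ("step_up" if reasons else "allow"), reasons


if __name__ == "__main__":
    limits = Limits(50000.0, frozenset(), (8, 22), frozenset({"RU"}))
    monitor = FraudMonitor()
    t0 = datetime(2013, 8, 5, 10, 0)
    sample = [  # constructed transfers for one client
        Transfer("c1", "p1", 1000.0, t0, "RU"),
        Transfer("c1", "p1", 2000.0, t0 + timedelta(minutes=5), "RU"),
        Transfer("c1", "p2", 60000.0, t0 + timedelta(minutes=10), "RU"),
        Transfer("c1", "p1", 500.0, t0 + timedelta(minutes=15), "DE"),
        Transfer("c1", "p1", 500.0, datetime(2013, 8, 5, 23, 0), "RU"),
    ]
    for tr in sample:
        print(tr.payee, tr.amount, monitor.evaluate(tr, limits))
```

Blocked transfers deliberately do not enter the window: otherwise an attacker could pad a victim's history with transfers that were never executed and shift the velocity baseline. Whether a "first transfer to this payee" should step up or merely be logged depends on the client profile; the point of the decision function is that a one-time password is demanded only where the soft signals fire, so the extra friction the Letter asks banks to weigh against convenience lands on the risky transfers rather than on all of them.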

All the recommendations on the security of retail payment services should be taken into account both when the functions of a money transfer operator are outsourced and when agreements are drawn up with sub-agents providing the electronic means of payment through which retail payment services are received via the Internet.

And, of course, considerable attention in the Letter is paid to measures for raising the literacy of individual payers. Retail money transfer operators are recommended to inform clients about possible suspension of services, about unsuccessful attempts to gain access to them, and about the ability to manage limits on making payments via the Internet. These recommendations are aimed at raising public trust in non-cash money and motivating its active use. One tool for promoting non-cash transactions among the public is the possibility of insuring the payer's risks.

Thus, Letter No. 146-T is a collection of basic recommendations on improving security when providing retail payment services via the Internet, aimed both at developing risk management and information protection systems on the side of money transfer operators and at raising the literacy and awareness of users of retail payment services on the Internet.

2004

IMF: Statistics on the causes of payment system downtime, 1996-2004

Toward formulating security requirements for the infrastructure of the Central Bank of the Russian Federation payment system

Strategic stability

  • The lifecycle of infrastructure components should be at least 15 years.

Availability (annual downtime / availability quotient):

  • 8.8 hours / 0.999
  • 53 min / 0.9999
  • 5 min / 0.99999

Integrity and confidentiality require further research into the influence of their overhead costs on achieving the availability target.

Disaster tolerance is the property of preserving availability under force majeure. If servers, clients or personnel are destroyed, processing should be restored at another remote site (outside the accident radius) within a preset time. World financial regulators require a distance of at least 300 km between centres.

Controllability: centralized operation and maintenance (the infrastructure is not directly accessible to personnel).
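The availability classes and the disaster-tolerance requirement above lend themselves to a simple calculator. This is an added example, not part of the original page: it converts an availability quotient into the annual downtime budget (recovering the 8.8 h / 53 min / 5 min figures), shows how serially dependent components, such as mandatory integrity or confidentiality controls in the processing path, lower the composite availability, checks a constructed outage log against a target class, and checks the 300 km separation between centres with the haversine formula. The outage records and site coordinates are made-up sample data; a 365-day year is assumed.

```python
"""Availability budgets and site separation for payment infrastructure.

Added example, not part of the original page.  Converts availability
quotients into annual downtime budgets, composes serial component
availabilities, checks a constructed outage log against a target, and
checks the stated 300 km separation between centres.  Outages and site
coordinates below are made-up sample data.
"""
import math
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60      # non-leap year (assumption)
MIN_SITE_SEPARATION_KM = 300.0        # figure stated in the requirements
EARTH_RADIUS_KM = 6371.0              # mean Earth radius for the haversine formula


def downtime_budget_minutes(availability: float) -> float:
    """Annual downtime allowed by an availability quotient, in minutes."""
    if not 0.0 < availability <= 1.0:
        raise ValueError("availability must be in (0, 1]")
    return (1.0 - availability) * MINUTES_PER_YEAR


def serial_availability(components) -> float:
    """Availability of a processing path in which every component must be up.

    Each mandatory control in the path (a cryptographic gateway, an
    integrity check) is one more factor in the product, which is why the
    overhead of integrity and confidentiality bears on the availability goal.
    """
    result = 1.0
    for a in components:
        result *= a
    return result


def check_outages(outages, availability: float) -> dict:
    """Sum an outage log of (start, end) datetimes and compare the total
    with the downtime budget for the target availability."""
    total = 0.0
    for start, end in outages:
        if end < start:
            raise ValueError(f"outage ends before it starts: {start} - {end}")
        total += (end - start).total_seconds() / 60
    budget = downtime_budget_minutes(availability)
    return {
        "downtime_min": total,
        "budget_min": budget,
        "remaining_min": budget - total,
        "compliant": total <= budget,
    }


def site_separation_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two data centres (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def sites_far_enough(lat1, lon1, lat2, lon2) -> bool:
    """True when the two centres satisfy the stated minimum separation."""
    return site_separation_km(lat1, lon1, lat2, lon2) >= MIN_SITE_SEPARATION_KM


# Constructed sample data: two outages in one year, 120 min and 30 min.
SAMPLE_OUTAGES = [
    (datetime(2004, 3, 2, 9, 0), datetime(2004, 3, 2, 11, 0)),
    (datetime(2004, 8, 15, 23, 30), datetime(2004, 8, 16, 0, 0)),
]

if __name__ == "__main__":
    for a in (0.999, 0.9999, 0.99999):
        print(f"{a}: {downtime_budget_minutes(a):.1f} min of downtime per year")
    print("two 0.9999 components in series:", serial_availability([0.9999, 0.9999]))
    print("sample log against 0.9999:", check_outages(SAMPLE_OUTAGES, 0.9999))
```

The sample log of 150 minutes fits comfortably inside the 0.999 budget but already exceeds the 0.9999 budget, which is the practical meaning of moving up one availability class.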

See Also

