2024/03/25 15:15:49

Central Bank policy in the field of information protection (cybersecurity)


This article covers the policy of the Central Bank of the Russian Federation (Bank of Russia) in the field of information protection. Top-level main article: Information security in banks

2024

Central Bank of the Russian Federation issued safety standards for open APIs

The Bank of Russia approved new security standards for open application programming interfaces (APIs). The standards were developed by experts of the FinTech Association and InfoTeCS JSC with an orientation towards domestic cryptography. This became known in mid-December 2024. Read more here.

The Central Bank of the Russian Federation has developed a standard for the security of financial services when remotely confirming the identity of a client

The Central Bank of Russia has developed and published a standard on the security of financial services when remotely confirming the identity of a client. The corresponding document was published in the public domain in March 2024.

This standard, as the press service of the Central Bank clarifies, determines what information protection measures should be used by financial organizations when conducting remote identification and authentication of customers. These measures may differ depending on the type of operation and taking into account its criticality and risks, the regulator emphasizes.


Under the document's risk-oriented approach, a financial institution must define in its internal documents the levels of trust (assurance) applied to the financial transactions it carries out. Because the same type of transaction can have different criticality depending on its nature and parameters, the institution must also fix in those documents the specific operational-risk indicators that assign a given transaction to one of the trust levels described in the Central Bank's materials.

In addition, the results of identification and authentication, taking the selected trust level into account, can be fed into the risk management system to determine residual risk and so counter financial services being performed without the client's consent.

The Bank of Russia notes that the document is intended to better protect people from criminals who steal money using the personal and financial data of clients of financial organizations. The standard is advisory in nature and enters into force on July 1, 2024; by then, financial organizations will be able to assess whether their existing business processes comply with its provisions, the Central Bank added.

SECURITY OF FINANCIAL (BANKING) OPERATIONS

Central Bank will collect data on illegal transfers from online services

The Central Bank of the Russian Federation has updated the procedure for reporting fraudulent transfers for payment system operators and operators of electronic platforms (OEPs). From June 2024, digital financial asset (DFA) operators and online services will report financial transactions carried out "without the consent of the client," as well as "attempts to make" such transfers, on a par with banks and payment system operators. This was reported on March 22, 2024 by the press service of State Duma deputy Anton Nemkin with reference to Kommersant.

Operators must inform the Bank of Russia about such an incident no later than the next working day. Data on attempts to perform illegal transactions on a client's account and on cyber attacks against the OEP's infrastructure are also to be transmitted.

The Central Bank reported that the list of measures to counter funds transfers made without the client's voluntary consent has also been clarified: "The document also establishes the procedure for requesting and receiving information from banks about transactions in respect of which information about illegal actions has been received from the Ministry of Internal Affairs."

"A new anti-record has been set in the country. Making changes to the procedure for informing the Bank of Russia about illegal actions with citizens' financial assets is an extremely relevant measure," he believes.

"OEPs, together with digital financial asset operators, are no more insured against fraud risks than banks are. Therefore, the introduction of this obligation will, first of all, create a more accurate picture of the scale of fraud. In the future, this will make it possible to update the available tools aimed at combating attackers," the deputy said.

"I have repeatedly said that fully resolving the problem depends on the level of digital skills among the citizens of our country. Attackers actively exploit the human factor: they put the victim in a stressful state, talk in a raised voice and intimidate. Therefore, it is important to always follow several rules. First of all, recheck the information you receive before taking any action. Always contact your bank yourself. The second main point is to never disclose the SMS code or your bank card's CVC code to outsiders," the deputy recalled.

2023

Russian banks are switching to domestic IT security modules

On August 24, 2023, it became known that the Bank of Russia recommended that financial institutions test domestic hardware security modules (HSM). The use of such solutions is necessary within the framework of the import substitution program carried out in the current geopolitical situation.

According to the Kommersant newspaper, the solutions in question are from Crypto-Pro and Practical Security Systems and meet the requirements of the National Payment Card System (NSPK). HSMs protect transactions, identities and applications by keeping cryptographic keys inside tamper-resistant hardware: the keys are used for signing and encryption within the module and are never exposed to the host software.


Introducing domestic HSMs involves certain difficulties. Piloting such a solution means a set of migration, integration and testing activities, and the module itself is a technically complex product; evaluating all of its functions can consume a large amount of staff time.

There are also financial issues. A credit institution needs at least two HSMs, a primary and a standby, and such products are quite expensive: the price of the Crypto-Pro product, for example, can reach 3 million rubles. Compatibility problems are also possible. In the payment segment, banks integrate with an HSM either through proprietary software or through the tools of one of a few vendors of processing solutions, and all such integrations were originally created, refined, tested and operated against HSMs from foreign manufacturers. It is noted, however, that compatibility of the CryptoPro module with a wide range of systems has already been confirmed.[1]

Information security with a damaged reputation. Central Bank intends to strengthen personal responsibility for data leaks in banks

The Bank of Russia is working on an initiative to strengthen measures aimed at preventing leaks of information protected by law, specifically by making it possible to affect the business reputation of the deputy head responsible for information security. This is stated in a letter from the Central Bank with answers to questions from industry participants, sent to the Association of Russian Banks at the end of July 2023, which TAdviser has reviewed.

The proposal is to enter information about an official who does not meet the qualification requirements and/or business reputation requirements into the database maintained under Federal Law No. 86-FZ "On the Central Bank of the Russian Federation (Bank of Russia)."

It is also planned to use the existing mechanism for applying measures under Article 74 of No. 86-FZ, up to and including replacement of persons holding positions on the list whose holders the Central Bank checks for compliance with qualification and business reputation requirements.

"The initiative was approved conceptually. At the moment, details are being worked out; in particular, the list of entities to which the initiative is planned to be extended is being specified, and the criteria for influencing the business reputation of deputy heads of organizations responsible for information security are being worked out," the Central Bank said in the July letter.

A draft law is being prepared that also takes into account the qualification requirements for deputy heads responsible for information security established by Decree of the President of the Russian Federation No. 250 of 01.05.2022 "On Additional Measures to Ensure Information Security of the Russian Federation."

The Central Bank's answers to market participants' information security questions also touch on other topics, including the Central Bank's work on cybersecurity regulation as a whole. According to the regulator's response, work continues on bills related to:

  • improving the mechanism for countering theft of funds ("anti-fraud") - bill No. 197920-8;
  • regulation of IT outsourcing and cloud services.

As for outsourcing, credit institutions are interested in the planned timing of the Bank of Russia's development of requirements for cloud services and outsourcing of information systems, including information security requirements for such services. In its letter, the Central Bank reports that a draft Federal Law "On Amendments to Certain Legislative Acts of the Russian Federation" providing legal regulation of IT outsourcing and cloud services has been developed and is under interdepartmental approval.

As for general cybersecurity regulation in the banking sector, Federal Law No. 243-FZ of 13 June 2023 was adopted earlier; it defines the powers of the Bank of Russia in ensuring technological sovereignty at significant objects of critical information infrastructure (CII) of credit and financial institutions.

In particular, the law empowers the Bank of Russia to approve the action plans of credit and non-bank financial institutions for switching to the predominant use of Russian software, domestic electronic products and telecom equipment (including as part of software and hardware systems, PAC) at their significant CII objects, and to approve their procurement of foreign software, electronic products and telecom equipment (including as part of PAC) and of services required to use them at their significant CII facilities.

The letter also addresses technological sovereignty. The Central Bank explains that it considers technological sovereignty in close connection with operational reliability. Accordingly, the Central Bank will apply measures to a credit institution where violations of operational reliability targets are detected and the institution has no plan to switch to the predominant use of Russian software and equipment that meets its actual needs.

Separately, the Central Bank in its letter clarified its position on measures of influence against credit institutions that did not comply with the requirements of regulatory legal regulation in terms of information security and data protection, for reasons related to the departure of foreign vendors from the Russian market.

If credit organizations for one reason or another do not comply with the requirements in the field of information security, the Central Bank will apply appropriate measures to such organizations.

"At the same time, if individual credit institutions face serious risks to their IT infrastructure due to the withdrawal of a number of large software and equipment suppliers from the Russian market, such organizations should, in the Bank of Russia's view, develop a risk response plan with a detailed elaboration of measures aimed at reducing those risks and an implementation deadline for each item. In that case the Bank of Russia, based on its review and analysis of such plans, will decide not to take measures under the current conditions," the Central Bank said in the letter.

The Central Bank will check the readiness of banks for cyber threats without warning

On August 10, 2023, it became known about the decision of the Central Bank of the Russian Federation to check the readiness of banks for cyber threats without warning. Previously, the regulator notified credit organizations about the exercises in advance.

According to Kommersant, the Central Bank asks each bank to send it at least 30 employee e-mail addresses, giving priority to employees who do not work in the information security service. These employees will receive e-mails with malware attached. Once the file is opened, "an outgoing connection of the compromised workstation to the control server" is established, according to the regulator's letter, which the newspaper has reviewed.

"The result of the exercise can be either the opening of a file containing malicious software (with subsequent analysis of the incident) or the refusal of a bank employee to open a suspicious file. This is an important metric, since the number of opened letters can be used to judge how aware the organization's employees are of the rules of cyber hygiene," said Daria Verestnikova, commercial director of SafeTech.

Alexander Moiseev, a leading information security consultant at Aktiv Consulting, told the publication that the scenarios are aimed at training to counter targeted computer attacks, whose methods and tools are poorly detected by conventional antivirus tools because attackers use techniques to bypass them.

Kommersant's source warns that the letter sent to banks carries no restricted-distribution marking, as a result of which it is being actively discussed in professional chats and among specialists, which attackers can exploit. Banks will not be told when the Central Bank's e-mail will arrive or what it will look like, but they will be expecting it at specific addresses, which attackers who know about the exercise could also use, the source said.[2]
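The exercise described above boils down to one observable: a workstation that, shortly after its user received an attachment, opens an outbound connection to a host the estate has never talked to. The following is an added example (not code from the Central Bank or from any bank) that correlates constructed mail-gateway and web-proxy log lines to surface exactly that, and computes the opened-letter share that Verestnikova describes as the exercise's metric. The log formats, host names, the 198.51.100.17 address, the known-good list and the 15-minute window are all assumptions made for the example.

```python
"""
Correlation of constructed mail-gateway and web-proxy logs: flags a
workstation that, within a short window after an e-mail attachment was
delivered to its user, opened an outbound connection to a destination not on
the organisation's known-good list. All log lines, host names, addresses and
the 15-minute window are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway log: timestamp, recipient, recipient's workstation, attachment
MAIL_LOG = """\
2023-08-10T09:01:12 ivanov@bank.example WS-0417 invoice_0810.docx
2023-08-10T09:01:15 petrov@bank.example WS-0233 invoice_0810.docx
2023-08-10T09:01:19 sidorova@bank.example WS-0102 invoice_0810.docx
"""

# Constructed proxy log: timestamp, workstation, destination, bytes sent
PROXY_LOG = """\
2023-08-10T08:45:00 WS-0417 updates.vendor.example 1200
2023-08-10T09:03:40 WS-0417 198.51.100.17 4096
2023-08-10T09:04:10 WS-0417 198.51.100.17 512
2023-08-10T09:05:02 WS-0233 intranet.bank.example 900
2023-08-10T09:40:00 WS-0102 cdn.vendor.example 20000
"""

# Assumed allowlist of destinations the estate talks to every day.
KNOWN_GOOD = {"updates.vendor.example", "intranet.bank.example", "cdn.vendor.example"}
WINDOW = timedelta(minutes=15)


def parse(log):
    """Split a whitespace-delimited log into field lists, skipping blank lines."""
    return [line.split() for line in log.strip().splitlines() if line.strip()]


def correlate(mail_log=MAIL_LOG, proxy_log=PROXY_LOG, known_good=KNOWN_GOOD, window=WINDOW):
    """Map workstation -> list of (attachment, destination, seconds after delivery).

    Only connections to destinations outside known_good that start within
    `window` after an attachment reached that workstation are reported.
    """
    deliveries = defaultdict(list)
    for when, _rcpt, ws, attachment in parse(mail_log):
        deliveries[ws].append((datetime.fromisoformat(when), attachment))

    hits = defaultdict(list)
    for when, ws, dest, _sent in parse(proxy_log):
        if dest in known_good:
            continue
        t = datetime.fromisoformat(when)
        for delivered_at, attachment in deliveries.get(ws, []):
            delta = t - delivered_at
            if timedelta(0) <= delta <= window:
                hits[ws].append((attachment, dest, int(delta.total_seconds())))
    return dict(hits)


def exercise_metrics(mail_log=MAIL_LOG, proxy_log=PROXY_LOG):
    """(workstations that beaconed, workstations targeted, share) for the run."""
    targeted = {ws for _when, _rcpt, ws, _att in parse(mail_log)}
    beaconed = set(correlate(mail_log, proxy_log))
    return len(beaconed), len(targeted), round(len(beaconed) / len(targeted), 2)


if __name__ == "__main__":
    for ws, events in correlate().items():
        for attachment, dest, secs in events:
            print(f"{ws}: {dest} contacted {secs}s after {attachment} was delivered")
    print("beaconed/targeted:", exercise_metrics())
```

On the constructed data WS-0417 is reported twice (first contact 148 s after delivery), and the run scores one beaconing workstation out of three targeted. This is only a first triage pass: a payload that bypasses the proxy (direct egress, DNS tunnelling) leaves no proxy line, so egress firewall or NetFlow records should be fed into the same correlation, and a workstation with no hit still needs the mail client or EDR telemetry checked to distinguish "did not open" from "opened, but the beacon was blocked".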

The Central Bank of the Russian Federation approved the main directions of development of cyber security of the financial sector

In mid-June 2023, the Bank of Russia published a strategic document setting out the main directions for the development of information security in the credit and financial sector for 2023-2025:

  • protecting the rights of consumers of financial services and increasing confidence in digital technologies;
  • creating conditions for the safe introduction of digital and payment technologies and ensuring technological sovereignty;
  • ensuring control of information security risks, operational reliability for continuous provision of banking and financial services.

To counter fraudulent operations, the Central Bank of the Russian Federation intends to improve the mechanism for returning stolen money. It plans to improve the quality of information about cybercriminals' payment details in the inter-bank information exchange and to counter so-called droppers (money mules) with economic barriers.

In addition, the regulator proposes to give victims of fraud the opportunity to file a police report about theft through the Gosuslugi public services portal and online banking services. This will allow fraudsters to be reported to law enforcement faster, and banks will be able to take such information into account in their anti-fraud systems more quickly, the Central Bank expects. The attack scenarios for the cyber exercises the regulator has conducted with banks annually since 2019 will be expanded and made more complex.

Attention is paid to the transition of financial organizations to domestic information technologies, the regulator will control this process (the corresponding law was signed on June 13, 2023). The Bank of Russia will continue to form conditions for the safe introduction of digital and payment technologies through the development of regulation and other mechanisms, as well as the definition of information security standards, the Central Bank emphasized.

MAIN DIRECTIONS OF DEVELOPMENT OF INFORMATION SECURITY OF CREDIT AND FINANCIAL SPHERE FOR THE PERIOD 2023 − 2025

The Central Bank of the Russian Federation ordered banks to disclose to the regulator information about the use of VPN

By June 2, 2023, Russian banks must provide Roskomnadzor with information "on the use of VPN protocols to automate technological processes." This is stated in a letter from the Central Bank of the Russian Federation sent to credit organizations. Kommersant published excerpts from the document on May 12, 2023.

The regulator proposes that the data be sent in Excel format by e-mail; the letter indicates that no copy needs to be sent to the Central Bank. The Central Bank explained the need to report VPN usage to Roskomnadzor by the need to "eliminate risks to the functioning of industry information systems."

According to financial industry representatives, transmitting restricted information over an unprotected channel carries certain risks. The file contains, for example, the IP address ranges used for external nodes or the specific IP addresses of banks' VPN servers, which is precisely the reconnaissance data an attacker targeting the perimeter would want. Banks use VPNs to connect to SWIFT and other financial systems, and to receive and exchange data with their networks of ATMs, exchange offices and branches across the country.

At the same time, RTM Group manager Yevgeny Tsarev does not see great risks in the use of e-mail by banks. This communication channel "is certainly unprotected and there is a risk of leakage, but it is hardly high," he is sure.

"Attackers constantly scan the networks of financial organizations and find open ports and services," says Daniil Bobryshev, owner of the Russian DDoS protection solution Servicepipe. "If attackers gain access to the forwarded data, it will somewhat simplify their task of finding resources on the victim's network that are more vulnerable to a DDoS attack."

Alexey Pavlov, business development director of the Solar JSOC cyber attack counteraction center at RTK-Solar, confirms that a more reliable option would be to collect such data through dedicated exchange systems such as ASOI FinCERT, the Bank of Russia's automated incident processing system.[3]

Central Bank has developed uniform rules for collecting "digital prints" to combat fraudsters

On April 11, 2023, the Central Bank of the Russian Federation published uniform rules for credit institutions to form, store and use unique "digital fingerprints" to identify the user's device with which financial transactions are made. This initiative of the regulator has become another tool to combat fraud.

The standard establishes uniform rules for banks to form, store, use "digital fingerprints" of devices - a set of parameters that allow unambiguously identifying the user's device with which banking and other financial transactions are carried out, the Central Bank explained.

"By standardizing the digital fingerprint collection algorithm, financial institutions can counteract transactions made without the client's consent more effectively. It will allow them to recognize in advance devices and intruders identified earlier during suspicious operations and to suspend such transactions in the future," the Central Bank said in a statement. The standard was adopted and put into effect by an order of the Bank of Russia dated March 1, 2023; its provisions are advisory in nature, the regulator's press service said.
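The standard's own parameter list is not reproduced on this page, so the following is an added example of the mechanism rather than the Bank of Russia's algorithm: it derives a keyed fingerprint from a set of assumed device attributes, normalises them so cosmetic differences do not yield a new print, and checks each transaction against a registry of devices already linked to suspicious operations. The attribute names, the HMAC secret, the registry design and the sample devices are all assumptions made for the example.

```python
"""
Device fingerprinting for anti-fraud: computes a keyed fingerprint from a
set of assumed device attributes, normalises them so cosmetic differences do
not produce a new print, and checks each transaction against a registry of
devices already associated with suspicious operations. The attribute list,
the secret and the sample devices are assumptions made for this example; the
Bank of Russia standard's own parameter set is not reproduced here.
"""
import hashlib
import hmac
import json

# Attributes assumed stable across sessions. Volatile ones (source IP,
# battery level, time zone) are left out so a reconnect from another
# network still matches the same print.
STABLE_ATTRS = ("platform", "os_version", "model", "screen", "app_build", "device_id")

# Server-side secret: keying the hash means a leaked registry cannot be
# turned back into attributes, and an attacker cannot precompute the print
# of a device to test whether it is flagged. (Assumed to live in a KMS/HSM.)
FP_SECRET = b"rotate-me-server-side-only"


def fingerprint(attrs, secret=FP_SECRET):
    """Canonicalise the stable attributes and return an HMAC-SHA256 hex digest."""
    canon = {k: str(attrs.get(k, "")).strip().lower() for k in STABLE_ATTRS}
    payload = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


class DeviceRegistry:
    """Fingerprints seen so far, with a status and the clients that used each."""

    def __init__(self):
        self.seen = {}  # fingerprint -> {"status": str, "clients": set}

    def record(self, attrs, client_id, status="trusted"):
        fp = fingerprint(attrs)
        entry = self.seen.setdefault(fp, {"status": "trusted", "clients": set()})
        entry["clients"].add(client_id)
        if status == "suspicious":  # a suspicious mark is sticky
            entry["status"] = "suspicious"
        return fp

    def evaluate(self, attrs, client_id):
        """Decision for a transaction coming from `attrs` on behalf of `client_id`."""
        entry = self.seen.get(fingerprint(attrs))
        if entry is None:
            return "new_device"      # step-up authentication rather than a block
        if entry["status"] == "suspicious":
            return "suspend"         # device seen in earlier suspicious operations
        if client_id not in entry["clients"]:
            return "shared_device"   # one device, many accounts: money-mule pattern
        return "allow"


def demo():
    """Constructed walk-through; returns the decisions in order."""
    phone = {"platform": "Android", "os_version": "13", "model": "SM-A525F",
             "screen": "1080x2400", "app_build": "4.12.0", "device_id": "a1b2c3",
             "ip": "203.0.113.5"}                        # ip is volatile and ignored
    reg = DeviceRegistry()
    reg.record(phone, "client-1")
    out = [reg.evaluate({**phone, "ip": "198.51.100.9"}, "client-1"),    # allow
           reg.evaluate(phone, "client-2")]                              # shared_device
    reg.record(phone, "client-2", status="suspicious")                   # fraud confirmed
    out.append(reg.evaluate(phone, "client-1"))                          # suspend
    out.append(reg.evaluate({**phone, "device_id": "ffff"}, "client-1"))  # new_device
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. Exact-match prints are brittle (an OS update changes `os_version` and the device becomes "new"), so production systems usually keep the raw normalised attributes as well and fall back to a similarity score; and because a fingerprint identifies a person's device, the registry is itself personal data and should be protected and retained on the same terms as the transaction records it is linked to.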

According to the Bank of Russia, the volume of transactions without customer consent in 2022 increased by 4.3% to 14.16 billion rubles. Most of the funds were stolen through remote banking channels (9.2 billion rubles) and with online payment for goods and services (2.5 billion rubles).

In February 2023, the head of the Central Bank Elvira Nabiullina said that a decrease in the volume of stolen funds in the fight against fraud in the financial sector has not yet been observed, in large financial organizations this may happen in 2023, in the entire system - within three years.[4]

2022: The Central Bank of the Russian Federation decided to regulate the hiring of IT specialists by banks on an outsource

On December 1, 2022, it became known about the decision of the Central Bank of the Russian Federation to regulate the hiring by banks of IT specialists working under the outsourcing scheme. The regulator sees risks for banking secrecy, especially when using foreign solutions, so the initiative will help increase financial stability.

"We need to take all measures so that the information with which potential IT contractors work is protected," said Vadim Uvarov, director of the information security department of the Central Bank.

Earlier, the State Duma Committee on the Financial Market proposed allowing banks to use outsourced IT and cloud services. This follows from a letter sent on August 30, 2022 by the committee's head Anatoly Aksakov to Maksut Shadayev, head of the Ministry of Digital Development (Mintsifry). Under the bill, financial organizations would be able to entrust outsourcing companies with storing and processing the information they receive without the consent of the people to whom that information belongs. Banks and microfinance organizations, exchanges, brokers and dealers, non-state pension funds, credit rating agencies, pawnshops, and insurance and audit companies would receive this right.

The Central Bank admits that outsourcing is widespread in the financial sector. Most organizations request IT and cloud services for backup, data processing and storage, software development and maintenance, hardware and network infrastructure maintenance.

In the regulator's assessment, IT outsourcing can increase the efficiency of a financial institution, including where it lacks its own resources and competencies. At the same time, the Central Bank warns of the risks of outsourcing, for example where banks hire foreign suppliers, or Russian companies which in turn hand certain functions to foreign contractors or depend on foreign technology and software.[5]

2021

The Central Bank of the Russian Federation ordered banks to find a replacement for foreign information security solutions

At the end of March 2022, the Central Bank of the Russian Federation sent a letter to banks in which it announced the need to find a replacement for foreign cybersecurity software after foreign IT vendors stopped their activities in the Russian market.

As Kommersant writes with reference to the regulator's letter, the Central Bank asks banks to introduce "compensating measures" to ensure information security in the context of the withdrawal of specialized foreign companies from the Russian market and international sanctions.

The Bank of Russia told the publication that it had decided to "reconsider the procedure for taking measures against banks for violations," and that the letter was sent in order to "support financial market participants." However, the regulator did not clarify its position or the procedure for banks, and the question of changes to regulations that would let banks look for analogues of the software and equipment in use without risking enforcement orders from the Central Bank remained open.

A newspaper source close to the Central Bank explained that the letter mainly concerns the payment-system segment and client payments, including remote banking and mobile applications. It also covers anti-fraud systems and perimeter protection (intrusion detection, antivirus, DDoS protection, firewalls), but does not concern the continuity indicators of the Faster Payments System (FPS) or incident response for unauthorized payments.

According to Aleksey Lukatsky, an independent cybersecurity expert, since in practice it is not easy for Central Bank inspectors to prove the sufficiency of compensating measures, the letter will lead information security specialists to spend more time on "paper security," writing evidence for the regulator, rather than on real problems.[6]

The Central Bank is preparing large-scale cybersecurity checks of developing ecosystems of banks

In December 2021, it became known that the Central Bank of the Russian Federation was preparing large-scale cyber security inspections of the ecosystems being developed by banks.

"An analysis of the risks taken on by banks developing ecosystems, including strategic risk, the risk of forced support and information security risk, as well as an assessment of the impact of these risks on the financial stability of such banks, will be carried out," the regulator says in a draft of the main directions for the digitalization of the financial market for the period 2022-2024.

As the Central Bank explained, its main approach to regulating banks' participation in ecosystems is to give credit institutions room to develop ecosystems while covering the risks adequately with capital, so that possible losses fall on shareholders rather than on creditors and depositors.

According to the document, ecosystems, including those built around banks, can be a significant source of operational risk due to the need for coordination between participants, the bank's lack of sufficient control over partners' actions, and the complex architecture of the information technologies and business processes involved.

The Central Bank noted that with the large-scale digitalization of the economy and society, information security issues also come to the fore, as new threats associated with digital technologies appear. Privacy and data protection are paramount against the backdrop of growing payment fraud and cases of theft or imitation of a person's behavior or biometric data to gain access to their banking information.

As of the end of 2021, the Bank of Russia was developing regulatory measures to promote a competitive environment in the Russian market both for leading ecosystem business models and for smaller platforms, while preserving opportunities for niche suppliers.

DRAFT GUIDELINES FOR FINANCIAL MARKET DIGITALIZATION FOR THE PERIOD 2022-2024

Central Bank will simplify the return of money to victims of cyber fraudsters

On May 11, 2021, it became known about the initiative of the Central Bank of the Russian Federation to simplify the return of money to victims of cybercriminals. The regulator proposes to automatically block the amount transferred to the fraudsters' account after the victim's appeal.

Artem Sychev, deputy head of the information security department of the Central Bank, told Izvestia that the regulator is developing a bill that should increase the share of money returned after theft by fraudsters several times over. The document is expected to simplify the judicial procedure for returning the stolen amount.

"We want a separate expedited judicial procedure for this part. That is, the money would be quickly frozen in the account, and then its ultimate fate would be decided in an accelerated court procedure," Sychev explained.

As of May 2021, Russian banks had no legal grounds to block funds credited to an account and could not refuse to pay funds out to account holders, even when there was reason to suspect them of fraud.

The publication notes that in half of cases fraudsters withdraw the stolen money within an hour of the transfer; in 47% of cases they cash out within two to three hours, and only in 3% over the course of the day. An intermediary often takes part in the scheme: the stolen amount is transferred to the account of a front person (money mule) so that the bank cannot block the credited funds or refuse to pay them out.

Evgenia Lazareva, head of the All-Russian Popular Front project "For the Rights of Borrowers," told the publication that returning funds under a simplified court procedure would require amendments to, among other things, the Civil Code and the Civil Procedure Code. As practice shows, such processes are very complex, drag on considerably and meet stiff resistance from defenders of the "strength of the contract," she said.[7]

Central Bank of the Russian Federation will allow Russians to close online access to accounts

On March 12, 2021, it became known about the plans of the Central Bank of the Russian Federation to oblige banks to close online access to accounts at the request of customers. Due to this measure, the regulator expects to reduce fraud in the banking sector.

The fact that the Central Bank is working to "ensure that the client has the right, and, accordingly, the bank has the obligation to restrict remote access to its accounts," said the first deputy head of the information security department of the Bank of Russia Artem Sychev at a meeting on countering unauthorized operations, which took place at the site of the Association of Russian Banks.

The Central Bank believes that this will help in the fight against fraudsters - so the client will not be able to transfer money to them. Sychev said that this would make it difficult for fraudsters to influence the client. But banks should have "certain technical improvements" to implement the service, he said.

"The measure is effective in cases where a client of a financial organization is provoked into remotely performing actions with deposit accounts in favor of attackers," said the Central Bank representative.

According to Sychev, work on the initiative requires amendments "not so much to the relevant laws that are within the competence of the Central Bank or the Ministry of Finance," but "to the legislation on the protection of consumer rights."

This innovation "if fully developed and implemented, can really affect the reduction in the level of fraud," said Mikhail Ivanov, director of the information security department at Rosbank. At the same time, according to him, it should be borne in mind that it is necessary to maintain a balance between client experience and the level of security. Any severe restrictions and strengthening of the security level can lead to a deterioration in the level of client service and vice versa - any client innovation potentially carries new risks, he added.[8]

Central Bank of the Russian Federation for the first time conducted remote anti-hacker exercises

On February 10, 2021, it became known about the first remote anti-hacker exercises conducted by the Central Bank of the Russian Federation. The report with the results of the events held at the end of 2020 was sent by the regulator to several large banks. The document assessed the readiness of financial organizations to reflect cyber threats and provided recommendations for improving the mechanisms for their detection and elimination.

As the Central Bank of the Russian Federation told Kommersant, 22 supervised organizations voluntarily took part in the cyber exercises. The regulator simulated several current computer attack scenarios in remote mode. On the one hand, the ability of the banks' information security and IT units to withstand these attacks was checked; on the other, their readiness to interact quickly and eliminate the problems that arose, the Central Bank explained.


According to Vyacheslav Kasimov, director of the information security department at Credit Bank of Moscow (MKB), the exercises worked through various incident response situations and tested the procedures for interaction with the Bank of Russia.

"The emphasis was placed on preventing the theft of funds from bank correspondent accounts and on virus attacks, as well as on the fastest possible response of information security units and the quality of interaction with FinCERT of the Bank of Russia," he explained to the publication.

Earlier, the Central Bank conducted checks of cybersecurity systems of banks, according to the results of which organizations that do not meet the parameters of the effectiveness of cyber defense received a fine. In February 2021, it became known about 17 financial institutions that fell under penalties. Now, if bank violations are revealed during the exercises, the Central Bank will lower such an organization's risk profile (a summary assessment of the bank's risk protection).[9]

Central Bank fined 17 banks for violating information security requirements

According to the results of inspections conducted by the Bank of Russia, 17 credit institutions were identified in the country that violated cybersecurity requirements. This became known on February 9, 2021, according to the first deputy director of the information security department of the regulator Artem Sychev.

"Recently, about 17 banks have received fines for non-compliance with information security requirements," Sychev said during a speech in the State Duma.

Sychev added that the Central Bank is starting to move from inspections to cyber exercises. According to him, this is a more effective format: it allows the regulator to quickly identify the risks to which financial organizations may be exposed and, accordingly, to respond faster to the problems detected.[10][11][12]

2020

Blocking 7680 fraudulent sites

The Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector (FinCERT) of the Bank of Russia initiated the blocking of 7680 fraudulent sites in 2020. Most of them (6256) were sites masquerading as air and rail ticket sales, p2p transfer services and currency exchangers.

A little more than 1 thousand sites posed as bank products, 45 - as websites of insurance organizations, which is twice as much as in 2019.

According to Interfax, citing a review by the Bank of Russia on the main types of computer attacks in the credit and financial sector in 2019-2020, 148 resources distributed malicious software, but this is 7.5 times less than a year earlier. 114 sites of fraudsters pretended to be those intended for professional participants in the securities market, and 83 disguised themselves as microfinance organizations.


The regulator noted an 88% increase in the number of attacks on bank customers in 2020. Over the two reporting years, in 84% of cases, attackers used telephone communications. About 16% of the incidents that occurred are related to the receipt by citizens of fraudulent SMS or messages in various instant messengers.

In addition, in 2020, the Bank of Russia initiated the removal of 2510 domains from delegation in the .RU, .RF, .SU domain zones, and 5170 in the remaining zones.

According to the Central Bank, in 2020 the regulator identified and sent for blocking 26.4 thousand telephone numbers from which fraudsters called bank customers, 86% more than a year earlier, almost double.

The growth of telephone fraud and the increase in the number of fraudulent sites of certain types in the Central Bank was associated primarily with the COVID-19 pandemic and the transition of economic activity online. The peak of the activity of attackers both in the number of unauthorized operations and in the amount of funds fell at the end of March - the beginning of April, that is, at the time of the most strict lockdown.[13]

A standard has been developed to ensure the security of financial services based on the OpenID protocol

On November 24, 2020, InfoTeCS announced that it had taken part in developing the Bank of Russia standard "Security of Financial (Banking) Operations. Application Programming Interfaces for Ensuring the Security of Financial Services Based on the OpenID Protocol" (STO BR FAPI.S.EK-1.6-2020). More details here.

Central Bank tightens information processing standards for BKI

At the end of October 2020, the Central Bank of the Russian Federation published a regulation tightening the requirements for information transmitted to credit history bureaus (BKI). Read more here.

Central Bank introduces new requirements for cybersecurity brokers

On August 21, 2020, it became known that the Central Bank is introducing new information security requirements for brokers. They were not ready to incur additional costs.

The National Association of Stock Market Participants (NAUFOR), in connection with numerous appeals from professional securities market participants, management companies (MCs) and specialized depositories, sent a letter to the Bank of Russia with a request to amend Regulation No. 684-P "On Establishing Mandatory Requirements for Non-bank Financial Institutions to Ensure Information Protection...."

From 2021, the Central Bank will raise the threshold above which a company is assigned the standard level of protection, so that as many market participants as possible remain at the minimum level. The version of the regulation in force as of August 21, 2020 provides for a transition from the minimum to the standard level if the volume of client transactions over three months exceeds 100 million rubles. Market participants are asking to raise the threshold to 200 million rubles.


According to Kommersant, about 200 brokers, roughly 50% of the companies holding the corresponding license, fall under the standard level of protection. According to Sergey Demidov, Director of the Department of Operational Risks, Information Security and Business Continuity of the Moscow Exchange, this includes brokerage companies that have few clients or trade only on their own account, and so create no risk for clients they simply do not have.

It is expected that compliance with the new requirements will cost each small brokerage company about 10-30 million rubles a year. One of the newspaper's interlocutors explained that a broker outside the top 30 would need:

  • a one-time investment in hardware and protection tools of about 2-5 million rubles;
  • annual support at 20-30% of that cost;
  • an external assessment of compliance with GOST 57580 of at least 2 million rubles;
  • an assessment of software trust by trust levels (1.5-2 million rubles).[14]

Bank of Russia issues cybersecurity recommendations amid coronavirus pandemic

On March 24, 2020, it became known that the Central Bank of the Russian Federation had developed and recommended measures for financial companies and organizations to ensure the cybersecurity of employees during the coronavirus (COVID-19) pandemic. These measures are meant to minimize the risk of errors in money transfers, transactions, the maintenance of bank accounts of individuals and legal entities, cash withdrawals from ATMs, and so on.

It is proposed that banking operations not related to opening and maintaining accounts and not affecting the continuity of transactions be carried out remotely. For security, the Bank of Russia recommends using virtual private network technologies and multi-factor authentication, as well as monitoring and controlling the actions of remote and mobile access users.

Credit institutions are advised to ensure the uninterrupted operation of money transfers and the opening and maintenance of bank accounts of individuals and legal entities. To do this, they should identify the employees responsible for these operations and minimize the risk of their disruption.

Financial companies and organizations also need to maintain operational information exchange with the Bank of Russia through the automated incident processing system of the Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector (FinCERT) of the Bank of Russia Information Security Department, in accordance with the requirements of Bank of Russia regulations.[15]

Central Bank begins to fine banks for the lack of systems for recognizing fraudulent transactions

In early March 2020, the Central Bank of the Russian Federation announced that it was starting to fine banks for the lack of recognition systems for fraudulent transactions. We are talking about anti-fraud technologies that track transactions that are atypical for the client, which can potentially be performed by a fraudster.

"We are preparing fines for two banks for not paying attention to the fact that they should take care of their customers: they do not have anti-fraud. In principle, there was no anti-fraud," Artem Sychev, First Deputy Director of the Information Security Department of the Central Bank, told reporters (quoted by TASS).


He did not name the credit institutions to be penalized. Sychev said that the documents on the fines are being prepared, and that the absence of fraudulent transaction recognition systems in these banks was revealed during scheduled inspections.

As Vedomosti reminds, by the beginning of March 2020, amendments are in force that oblige banks to block transactions similar to fraudulent ones. Financial institutions must identify such transactions on three main grounds:

  • matching information about the recipient of the transfer with the data of the Central Bank database on cases and attempts of theft;
  • matching the parameters of the device from which the transfer is made with the data from the Central Bank database;
  • the nature, parameter, volume, location of the transaction or the device from which it is carried out do not match the data on ordinary transactions for the client.

"The law came into force, and we gave banks time to work on this topic. We will consistently ensure that banks' anti-fraud systems work and work effectively," said Artem Sychev.

According to him, the lack of systems for recognizing fraudulent transactions can greatly affect the financial condition of the bank, and this is also a nuisance for the bank's management - "everyone is well aware that they are not fined just like that."[16]

2019

Banks approved requirements for the development and assessment of compliance with GOST software and mobile applications

On December 16, 2019, it became known that banks by a majority vote approved the requirements for the development and assessment of compliance with GOST software (software) and mobile applications, which were prepared within the framework of the working group with the participation of representatives of several large credit organizations, the Moscow Exchange and the National Settlement Depository.

At a meeting of Technical Committee 122 with the participation of financial organizations, a Central Bank document was considered describing the requirements for the development, and for the assessment of GOST compliance, of software and mobile applications of banks and non-bank financial organizations. The purpose of the document is to minimize and eliminate information security threats and risks. After two months of discussion, about 400 proposals for changes were made, but the most controversial norms, against which bankers protested, remained.

Among the document's shortcomings, participants named the requirement to assess GOST compliance with the involvement of specialized laboratories, which work extremely slowly, and the fact that it is based on a standard adopted before agile methodologies for developing mobile applications came into practice. In addition, the meeting participants were not satisfied that the document still extends to mobile devices, although its specific requirements are mainly aimed at stationary PCs, so organizations will be technically unable to comply with some of them.

Artem Sychev, deputy head of the information security department of the Central Bank, promised that in the first year financial organizations would not be held liable for non-compliance with the requirements. He also agreed to let the working group finalize the document so that organizations can confirm the compliance of their own developments without third-party specialists.[17][18]

The Central Bank revealed in banks more than 700 violations in the field of information protection

As it became known on November 6, 2019, since the beginning of 2019 the Central Bank of the Russian Federation has carried out 109 inspections of banks' cyber resilience, during which more than 730 violations were revealed. About 80% of them are in one way or another associated with insufficient protection of information within the credit institution. This was reported by the head of the Central Bank, Elvira Nabiullina, in her speech at the Federation Council.

"We will continue to strengthen supervision and encourage banks to approach cybersecurity issues carefully," added the head of the Bank of Russia.

"Cyber resilience is not just installing an antivirus program on a computer; cyber resilience requirements need to be written into all business processes. This is critical for the further dynamic development of information technologies," added Elvira Nabiullina.[19][20]

Central Bank will fine two banks for the first time for the lack of anti-fraud systems

For the first time, the Central Bank will fine banks for the lack of anti-fraud systems, Artem Sychev, First Deputy Director of the Information Security Department of the Central Bank, told reporters. This was reported on October 10, 2019 by the Vedomosti newspaper. Anti-fraud systems track transactions that are atypical for the client, which can potentially be performed by a fraudster.

"We are preparing fines for two banks for not paying attention to the fact that they should take care of their customers: they do not have anti-fraud. In principle, there was no anti-fraud," said Sychev.

What credit organizations will be punished, Sychev did not specify, noting only that we are talking about two banks. The final decision on fines has not yet been made, the documents are being prepared, he added. The facts of the absence of fraudulent transaction recognition systems in banks were revealed during scheduled inspections.

The Central Bank explained the three signs of an unauthorized banking operation.[21]

Amendments requiring banks to block transactions resembling fraudulent ones took effect in September 2018. Banks must identify such transactions by three signs. The first is a match between information about the transfer recipient and the Central Bank database of cases and attempts of theft. The second is a match between the parameters of the device from which the transfer is made and data in the Central Bank database. The third is a mismatch between the nature, parameters, volume or location of the transaction, or the device from which it is made, and the data on the client's ordinary transactions.
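The three signs above (they appear both in the March 2020 item on anti-fraud fines and in this October 2019 item) describe a rule set a bank's anti-fraud system must apply before executing a transfer. The following Python is an added example, not Bank of Russia code and not any bank's production logic: it screens constructed sample transfers against a stand-in for the regulator's database and a per-client baseline of ordinary behaviour. The data model, the thresholds (three times the largest amount previously seen, two or more simultaneous deviations) and the sample accounts and device identifiers are assumptions for illustration.

```python
# Added example: screening a transfer against the three signs of an
# unauthorized operation. Not the Bank of Russia's or any bank's code; the
# data model, thresholds and sample data below are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transfer:
    client_id: str
    recipient: str   # recipient account identifier
    device_id: str   # fingerprint of the device that initiated the transfer
    amount: float    # rubles
    country: str     # where the initiating device was located
    hour: int        # local hour of day, 0-23


@dataclass
class ClientBaseline:
    """What 'ordinary' transactions look like for one client (assumed model)."""
    usual_devices: set
    usual_countries: set
    max_amount_seen: float
    active_hours: range


@dataclass
class RegulatorDatabase:
    """Stand-in for the Central Bank database of theft cases and attempts."""
    recipients: set = field(default_factory=set)
    devices: set = field(default_factory=set)


# Sign 3 thresholds are assumptions: a single deviation (the client bought a
# new phone) should not block a transfer; two or more together count as atypical.
AMOUNT_MULTIPLIER = 3.0
MIN_DEVIATIONS = 2


def screen_transfer(t: Transfer, baseline: ClientBaseline, db: RegulatorDatabase) -> list:
    """Return the list of triggered signs; an empty list means nothing triggered."""
    reasons = []
    # Sign 1: recipient matches the regulator database
    if t.recipient in db.recipients:
        reasons.append("recipient listed in regulator database")
    # Sign 2: initiating device matches the regulator database
    if t.device_id in db.devices:
        reasons.append("device listed in regulator database")
    # Sign 3: transaction parameters do not match the client's ordinary behaviour
    deviations = []
    if t.device_id not in baseline.usual_devices:
        deviations.append("device")
    if t.country not in baseline.usual_countries:
        deviations.append("location")
    if t.amount > AMOUNT_MULTIPLIER * baseline.max_amount_seen:
        deviations.append("amount")
    if t.hour not in baseline.active_hours:
        deviations.append("time")
    if len(deviations) >= MIN_DEVIATIONS:
        reasons.append("atypical for client: " + ", ".join(deviations))
    return reasons


def decide(t: Transfer, baseline: ClientBaseline, db: RegulatorDatabase) -> str:
    """'suspend' (hold the transfer and confirm with the client) or 'allow'."""
    return "suspend" if screen_transfer(t, baseline, db) else "allow"


# Constructed sample data, not real accounts or devices.
SAMPLE_DB = RegulatorDatabase(recipients={"acct-mule-0001"}, devices={"dev-evil-01"})
SAMPLE_BASELINE = ClientBaseline(
    usual_devices={"dev-home-phone"},
    usual_countries={"RU"},
    max_amount_seen=50_000.0,
    active_hours=range(7, 23),
)
SAMPLE_TRANSFERS = [
    Transfer("c1", "acct-friend", "dev-home-phone", 20_000, "RU", 12),     # ordinary
    Transfer("c1", "acct-mule-0001", "dev-home-phone", 20_000, "RU", 12),  # sign 1
    Transfer("c1", "acct-friend", "dev-evil-01", 20_000, "RU", 12),        # sign 2
    Transfer("c1", "acct-friend", "dev-new-phone", 20_000, "RU", 12),      # one deviation only
    Transfer("c1", "acct-friend", "dev-new-phone", 190_000, "TR", 3),      # sign 3
]

if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        print(decide(t, SAMPLE_BASELINE, SAMPLE_DB), screen_transfer(t, SAMPLE_BASELINE, SAMPLE_DB))
```

Signs 1 and 2 are exact matches against the regulator's list and trigger on their own; sign 3 is a behavioural comparison, and the example deliberately tolerates a single deviation so that a new phone alone does not suspend the transfer, which is the balance between security and client experience that the bankers quoted on this page keep returning to.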

Central Bank has developed a plan for cybersecurity of the financial system

On September 16, 2019, the Central Bank of the Russian Federation presented a report "The main directions for the development of information security in the credit and financial sector for the period 2019-2021."

The regulator has already proposed some of the ideas, but there are also new provisions. Thus, it is planned to regulate the use of big data, artificial intelligence, robotization and the Internet of things in the credit and financial sector.


In addition, the Bank of Russia intends to engage in information processing using digital technologies, introduce mass use of cryptography in the financial market and actively participate in the development of the import substitution program.

The Central Bank has also considered the training of information security specialists. Among other things, it wants to develop an educational professional standard, introduce certification of employees of financial organizations on the basis of the University of the Central Bank, and teach the basics of cybersecurity to schoolchildren and students.

Within the framework of the main directions, the Central Bank sets itself the following information security tasks:

1) Ensuring cyber resilience:

  • ensuring the readiness of the credit and financial sector to guarantee financial stability and operational reliability in the face of computer attacks, including the operational reliability and continuity of financial and banking services;
  • monitoring of risk indicators for the realization of information threats;
  • monitoring the level of banking and financial transactions performed without the consent of customers;
  • monitoring, prompt response to and prevention of computer attacks on credit and financial institutions.

2) Protection of the rights of consumers of financial services through monitoring of indicators of the level of financial losses.

3) Promoting the development of innovative financial technologies in terms of controlling risk indicators for the implementation of information threats and ensuring the necessary level of information security.[22]

Central Bank will fine banks for weak cyber protection

On September 12, 2019, it became known that the Central Bank is introducing a new penalty for banks with poor cyber protection. By the end of the year, the regulator will launch a new characteristic for credit institutions: a risk profile in terms of information security.

This indicator, as the first deputy director of the information security department of the Bank of Russia Artem Sychev told reporters, will reflect the calculated probability of the bank's problems due to non-compliance with cybersecurity standards.


The risk profile will be formed on the basis of four characteristics, including the share of unauthorized card transactions and the bank's readiness to repel the attack.

The parameter will also be taken into account in assessing the economic situation of the bank along with the size of capital, profitability, liquidity, quality of management, etc.

Depending on the risk profile in terms of cybersecurity, the Central Bank will give recommendations to banks, and fines and increased supervision may be provided for the lower category. Calculating the risk profile will allow assessing how the bank's management responds to emerging cyber threats, the Central Bank added.

According to Sychev, assignment to a particular group will not affect capital, but will affect provisioning on transactions and lending conditions on the interbank market.

Sychev said the cybersecurity risk profile will also be taken into account in assessing the bank's economic situation. Based on that assessment, banks will be placed in one of the groups, from those not experiencing difficulties to those where violations pose a real threat to the interests of depositors and creditors.

"No one has previously determined, in the Russian Federation or in other countries, such indicators by which the regulator can form an opinion about the situation, whether it achieves the goals of its regulation or not from the point of view of information security," he explained.[23]

Requirement for credit institutions to ensure cybersecurity

On June 3, 2019, it became known that the Regulation of the Central Bank, describing the requirements for credit institutions to ensure cybersecurity, had entered into force.

The purpose of the document is to prevent the transfer of funds without the consent of the client using both technical means and social engineering methods. According to the regulation, banks are obliged to ensure the protection of IT systems and applications used in opening deposits, issuing loans, drawing up and maintaining accounts of individuals and legal entities.

In particular, the document obliges banks to analyze vulnerabilities in software once a year with the involvement of third-party specialists licensed to carry out activities for the technical protection of confidential information. Also, once every two years, an assessment of compliance with the level of information protection with the requirements of GOST should be carried out.

According to the Regulation, all actions of employees and customers in remote service systems, as well as data on devices used for operations, must be stored for five years.

"Systemically important credit organizations, credit organizations that perform the functions of the operator of payment infrastructure services of systemically important payment systems, and credit organizations that are significant in the payment services market must implement an enhanced level of information protection," the Regulation states.[24]

The Central Bank is implementing a pilot project to confirm the email of bank clients

On June 3, 2019, it became known that the Central Bank of the Russian Federation, together with banks, is running a pilot project to confirm the e-mail addresses of bank customers who are individuals. Artem Sychev, First Deputy Head of the Information Security Department of the Bank of Russia, confirmed this to the publication. He explained that banks often send messages to the client via SMS or e-mail, and if the address is not confirmed, an attacker can gain access to information covered by bank secrecy.

Initially, citizens, becoming customers of the bank or issuing a product, themselves provide an email address. But over time, it can become outdated, be hacked, or in the case of corporate mail, go to another person. Banks actually ignore these risks without requesting data on changing the email address, and customers often simply forget which mailbox was indicated when filling out the questionnaire.

Meanwhile, credit institutions send citizens by e-mail important personal information, such as, for example, account statements. Verification of phone numbers exists and will be strengthened through a bill to exchange information on SIM cards.


During the pilot project, banks are working through options for confirming e-mail. Participants include Tinkoff Bank, OTP Bank and VTB. The credit institutions do not deny participation but are unwilling to disclose details. OTP Bank only indicated that the procedure should be simple while providing a sufficient level of verification. Artem Sychev stressed that the mail of both new and existing clients needs to be verified.

According to Alexander Samokhvalov, Chairman of the Board of Russian Standard Bank, accessible ways for customers to confirm their e-mail could be the Internet and mobile banks or an ATM (after inserting the card and entering the PIN); the client could be offered to confirm the e-mail when logging into a remote service channel. According to Zecurion CEO Alexei Rayevsky, when confirming through the mobile bank, for example, the client could receive a code by e-mail that then has to be entered back in the mobile bank.
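The flow Rayevsky describes, a code delivered to the mailbox on file and typed back into the mobile bank, binds the mailbox to a client who is already authenticated in the app. The following Python is an added example of that check; it is not code from the Central Bank, Zecurion, Russian Standard Bank or any other organization named on this page. The six-digit code, the 15-minute lifetime, the three-attempt limit, the in-memory store and the sample address are assumptions.

```python
# Added example: one-time code to confirm a client's e-mail address from the
# mobile bank. Not the Central Bank's, Zecurion's or any bank's code; the code
# length, lifetime, attempt limit and the in-memory store are assumptions.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of an issued code
MAX_ATTEMPTS = 3             # assumed limit on wrong entries per issued code


class EmailVerifier:
    """Issues a 6-digit code to the e-mail on file and checks it when the
    client, already logged in to the mobile bank, types it back.

    Only an HMAC of the code is stored, keyed with a server secret, so a leaked
    store does not reveal outstanding codes. Each code is bound to the client
    and to the exact address being confirmed, is single-use, and expires.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now           # injectable clock, used by the tests
        self._pending = {}        # client_id -> pending record

    def _digest(self, client_id: str, email: str, code: str) -> bytes:
        msg = f"{client_id}|{email.strip().lower()}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, client_id: str, email: str) -> str:
        """Create a code for `email`; the caller delivers it by e-mail only,
        never back to the app that requested it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[client_id] = {
            "email": email,
            "digest": self._digest(client_id, email, code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def confirm(self, client_id: str, entered: str) -> str:
        """Return 'verified', 'wrong', 'locked', 'expired' or 'no_pending'."""
        rec = self._pending.get(client_id)
        if rec is None:
            return "no_pending"
        if self._now() > rec["expires"]:
            del self._pending[client_id]
            return "expired"
        rec["attempts"] += 1
        candidate = self._digest(client_id, rec["email"], entered)
        if hmac.compare_digest(rec["digest"], candidate):   # constant-time compare
            del self._pending[client_id]                    # single use
            return "verified"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[client_id]                    # a new code must be requested
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = EmailVerifier(secrets.token_bytes(32))
    code = v.issue("client-42", "ivan@example.com")   # constructed sample address
    print("delivered by e-mail:", code)
    print(v.confirm("client-42", code))               # 'verified'
```

The code proves possession of the mailbox, the mobile-bank session proves it is the client, and the bank records the link only when both hold. Because e-mail is typically sent in clear text and can be intercepted, the code is short-lived, single-use and worthless without the authenticated session; the address itself, not the code, is what the bank ends up trusting.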

After the list of proposals is drawn up, it is planned to discuss it with the whole market. It has not yet been decided whether the e-mail verification proposals will be issued as methodological recommendations or become mandatory requirements through amendments to Regulation 382-P. The Central Bank does not comment on this issue.

Market participants in general support the initiative of the regulator, specifying that the specific content of future requirements or recommendations is important. According to Daniil Tkach, director of the customer relations department of Promsvyazbank, mail confirmation will increase the efficiency of communication, but banks may need additional automation to verify email addresses.

"It is important that the Central Bank gives time to implement the verification requirements; a period of six months or more may be reasonable."

In addition, the regulator must determine what can be emailed and what not.

"Mail was and remains a channel through which data is sent in clear text; it is easy to intercept and substitute. Therefore messages should not contain critical information. If we are talking about bank secrecy, letters with such content should be sent only with the client's consent."

The Central Bank of the Russian Federation has expanded the requirements for banks to protect information

The Bank of Russia has tightened requirements for banks to protect customer funds from cybercriminals, follows from the new provision of the Central Bank. The document is approved by the leadership of the regulator, the FSB and the Federal Service for Technical and Export Control.

The document introduces the obligation of banks to provide protection when attracting deposits (both from individuals and from legal entities), placing attracted funds and maintaining customer bank accounts. Previously, credit organizations were supposed to ensure information security only when conducting money transfer operations.

"The maximum requirements will be imposed on systemically important credit institutions, banks performing the functions of an operator of payment infrastructure services of systemically important payment systems, as well as on credit institutions significant in the payment services market. Standard requirements will be presented to everyone else," the press service said in a statement.[25][26]

The provision indicates the requirements for the protection of information in relation to information infrastructure objects, application software, technology for processing protected information.

Information security protection of small banks offered to entrust a new company under the patronage of the Central Bank

One of the topics raised at the meeting of bankers with the head of the Central Bank of the Russian Federation, Elvira Nabiullina, on February 18, 2019 was the information security of small banks. It was proposed to create a special authorized company that, under the patronage of the Central Bank, would handle the cyber protection of credit institutions with small capital.

"It would be nice to create such an outsourcing institution, since IT is a capital-intensive thing," Anatoly Aksakov, head of the State Duma's financial market committee, told Kommersant.


According to him, small banks cannot independently ensure a proper level of security, while outsourcing to the key companies in this market is too expensive: they first draw banks into their digital architecture, which is difficult to abandon, and then squeeze them on tariffs.

On the other hand, a special institution working with small banks should inspire confidence in them. Not every bank is ready to provide its data to a competitor, which, for example, keeps some from cooperating with Bi.zone, which is owned by Sberbank, the newspaper notes.

Anatoly Aksakov sees one of the options for solving the problem of creating an institute on the basis of already operating companies that are ready to offer their platform. The choice of such a company should be carried out according to the results of the competition, and the company itself should be under the patronage of the Central Bank, the official said.

According to Mikhail Savelyev, Development Director of Informzaschita, creating a specialized player would bring no benefit. Such companies, as a rule, start urgently looking for highly qualified specialists and, under tight deadlines, can only lure employees away from competitors by offering large salaries. The cost of such personnel is artificially inflated, which affects the final price of solutions and projects across the whole market, the expert explained.[27]

2018

The Central Bank contributed 10 thousand fraudsters' accounts to the anti-fraud system to withdraw money

According to a report dated November 30, 2018, records of more than 10 thousand accounts used by fraudsters to withdraw money have been entered into the automated anti-fraud system of the Central Bank of the Russian Federation (the database of money transfers made without the client's consent).

"Until recently, everyone knew that banks exchanged information about the accounts of those individuals or legal entities through which stolen money was withdrawn. We legalized this exchange by amending the legislation. From April to August 2018, we managed to launch the system itself, and from August to November, more than 10 thousand account records appeared in this system through which attackers try to withdraw stolen money. Colleagues actively use this base and see how their clients are protected from their money going to such accounts," said Artem Sychev, First Deputy Director of the Information Security Department of the CBR.

The database operates within the automated incident processing system (ASOI), to which all Russian banks are connected.[28][29]

FinCERT will protect the central banks of the EAEU member states

The Bank of Russia has concluded agreements on cooperation in the field of information security with several countries of the Eurasian Economic Union.

So, on November 15, 2018, an agreement on cooperation in the field of information security was concluded with the National Bank of the Kyrgyz Republic. Earlier, similar documents were signed with the financial regulators of the Republic of Kazakhstan, the Republic of Armenia and the Republic of Belarus.

Bank of Russia. Photo: newsnn.ru

Within the framework of the concluded agreements, the Bank of Russia partners, in case of detection of information security threats, send to the Center for Monitoring and Response to Computer Attacks in the Credit and Financial Sphere (FinCERT) of the Bank of Russia operational notifications containing the main parameters of computer attacks. Employees of the center, in turn, assist them in conducting research on malicious software, as well as advise on attacks on ATMs and sharing phishing resources. Based on the analysis of the information received within the framework of the agreements, FinCERT also generates and sends to the participants of the information exchange operational information mailings containing the main parameters of computer attacks and indicators of compromise.

The Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector (FinCERT) is a structural unit of the Information Security Department of the Central Bank of the Russian Federation. The main task of the Center is to counter attackers by mutual informing and notifying members of the banking community about vulnerabilities, threats and risks that each of them has to face. Initially, this center was supposed to ensure the security of only the Russian banking sector, but the newly concluded agreements turn it into an international cybersecurity body that extends its protection to foreign financial organizations.

According to Artem Sychev, First Deputy Director of the Information Security Department of the Bank of Russia, the formation of the common financial market of the EAEU is associated with the development of digital technologies, which necessitated the creation of a common effective cybersecurity system based on the financial regulators of the member countries of the Union.

"It is quite logical if a common system for protecting financial information with a single center will function within the framework of the economic union," said Georgy Lagoda, CEO of SEQ (formerly SEC Consult Services). "This approach will unify and speed up the exchange of data on cyber attacks between members of the union, which as of November 2018 is especially important, since credit and financial organizations of the EAEU countries most often face the same threats."

The Central Bank has fixed the formats for sending messages by banks to FinCERT

On November 6, 2018, information appeared that the Bank of Russia fixed the formats for sending messages by banks to FinCERT in the fifth standard on information security. The previous four standards were voluntary to join, but in this case it will not be technically possible to avoid working according to the standard.

The industry standard of the Central Bank 1.5, which entered into force on November 1, 2018, approved the form and procedure for banks to interact with FinCERT (the Central Bank's division for combating cyber threats). A significant part of this document is devoted to the format for sending information to the ACOI platform (the platform for the prompt exchange of information about incidents between the Central Bank and banks, launched in July 2018).

The fact that the Central Bank decided to consolidate technical information in the standard surprised the market.

"Before the appearance of this standard, there were four more dedicated to information security, and the bank could decide for itself whether to comply with them or not," says the Kommersant newspaper's source at a top-30 bank. "The decision on compliance was made by the bank's management, the corresponding letter was sent to the Central Bank, then the bank was certified."

At the same time, the requirements for information security in these standards were more stringent and expensive, and many banks did not want to join them, the source said.

At the same time, a bank cannot evade sending information to ACOI, and the formats are the same for everyone, so in practice banks cannot avoid complying with the fifth standard. But you cannot join one standard without accepting the rest. As a result, banks will now have to comply with all five standards, the representative of the Russian bank concluded.[30]

Draft law on the protection of information in non-credit financial organizations

The Central Bank of the Russian Federation has prepared a bill "On the establishment of mandatory requirements for non-bank financial organizations to ensure the protection of information in the implementation of activities in the field of financial markets." The text of the bill was published on September 4, 2018 on the website of the Government of the Russian Federation and, as of September 6, is undergoing an independent anti-corruption examination.

The independent anti-corruption examination will last until September 17, 2018. Photo: RIA Novosti/Natalia Seliverstova

The bill establishes mandatory requirements for non-bank financial institutions to ensure the protection of information in order to counter illegal financial transactions.

Non-bank organizations are invited to engage organizations that have licenses for the implementation of activities for the technical protection of confidential information and/or for the development and production of means for protecting such data.

The bill also lists specific categories of protected information: the definition covers any confidential information related to the execution of financial transactions, data on the customers and operators who carry them out, and the technical systems used for such transactions. For information infrastructure facilities and automated systems used to carry out financial transactions "for the purposes of processing, transmitting, storing protected information," non-bank financial organizations must provide one of three levels of protection: enhanced, standard and minimum. The enhanced level of protection is prescribed only for systemically important infrastructure organizations of the financial market that process more than 3 million financial transactions per day.

The bill lists the types of activity for which the minimum level of protection is sufficient: microfinance organizations; credit consumer cooperatives; housing savings cooperatives; agricultural credit consumer cooperatives and pawnshops. Other organizations will need to provide the standard level of protection.

Organizations required to maintain the enhanced or standard level of information protection must, at the stages of creating and operating information infrastructure facilities, use application software of automated systems and applications for financial transactions "certified in the certification system of the Federal Service for Technical and Export Control of the Russian Federation for compliance with information security requirements, including requirements for vulnerability analysis and control of the absence of undeclared capabilities, in accordance with the legislation of the Russian Federation, or in respect of which vulnerability analysis was carried out against the requirements for an evaluation assurance level not lower than OUD 4 in accordance with the requirements of the national standard of the Russian Federation GOST R ISO/IEC 15408-3-2013," the bill states.

They are also required to conduct annual penetration testing and analysis of information security vulnerabilities of information infrastructure objects. For this, it is planned to involve third-party organizations with licenses to carry out this kind of work.

When upgrading information infrastructure objects, vulnerability checks should also be carried out, but it can be limited only to those components that have directly undergone any changes. The financial institution may conduct such an audit independently or with the involvement of third-party experts.

The bill also establishes the procedure for distributing and protecting client software (mobile applications) for performing operations over the Internet. The document stipulates that a financial institution, upon identifying fake applications in mobile software repositories, must inform both customers and repository operators about the fakes.

The procedure for protecting data in electronic messages related to financial transactions is also described - this includes authentication and authorization of customers; protection against false authorization; identification of falsified electronic messages and other attempts by attackers to attack the communication channel. The procedure for responding to cyber incidents and storing information about them is regulated.

Organizations that must provide standard and enhanced levels of protection are required to form their own information security services (if they have not yet been created) and determine their goals and objectives in internal documentation.

In addition, non-bank financial institutions should inform the Bank of Russia about all identified incidents related to violation of information protection, as well as about their plans to disclose information about these incidents - including posting information on official Internet sites, issuing press releases and holding press conferences - no later than one business day before the event.

The compliance assessment of information protection is carried out in accordance with the national standard of the Russian Federation GOST R 57580.2-2018 "Security of financial (banking) transactions. Information protection of financial institutions. Methodology for assessing compliance," approved by order of Rosstandart dated March 28, 2018 No. 156-st "On approval of the national standard" (Moscow: FSUE "RST - Russian Institute of Standardization" (formerly Standartinform), 2018).

"As of September 6, this is only a bill," said Oleg Galushkin, director of information security at SEQ (formerly SEC Consult Services), "and by the final reading the document may change beyond recognition. However, at first glance, the project makes quite logical requirements for the procedure for protecting data when carrying out financial transactions, and for the procedure for informing the Central Bank about incidents."

The full text of the bill is available on the website of the Government of the Russian Federation. The independent anti-corruption examination will be carried out until September 17, 2018.

Sandbox for testing third-party financial IT systems

The first pilot project for testing a product has been carried out at the Central Bank's regulatory test site (the "sandbox"). The product tested was Sberbank's service for remote management of signing authority on the accounts of corporate clients, which grants the right to perform transactions in bank branches. Experts believe that the "sandbox" will help banks save money on servicing corporate clients, the Central Bank reports on its website.[31]

The pilot was implemented in collaboration with professional associations of financial market players and government agencies. The Central Bank and expert councils organized in the sandbox recommended the service for implementation on the market, making a number of comments that must be taken into account.

"Based on the results of the piloting of the service, changes are envisaged in the regulations of the Bank of Russia so that all interested participants in the financial market can implement it and use it both to increase convenience in servicing their customers and to reduce their own costs," said Ivan Zimin, Acting Director of the Financial Technologies Department of the Central Bank.

The regulator reports that so far it has received more than 20 applications for testing products in the sandbox from financial institutions, fintech companies and other enterprises. Among them are projects in the field of digital assets and the introduction of new financial technologies.

The test regulatory platform of the Central Bank - the so-called "sandbox" - was created in April 2018. "Sandbox" is a limited environment where innovative financial technologies are tested that need correct regulation. The Central Bank, as well as relevant government agencies, associations and development institutions, are monitoring the progress of pilot projects that are being carried out in the sandbox.

The Bank of Russia will identify "black creditors" with the help of Big Data

Big Data capabilities are being used to protect Russians on the Internet from "black creditors." The Central Bank is developing a project that will allow a new model of supervision to be applied: distinguishing the sites of companies that have the right to issue loans to consumers from those that do not. This is stated in the regulator's documents, which Izvestia reviewed in July 2018. The machine will analyze huge amounts of information on the Web much faster and more efficiently than a person, experts explain.[32]

The Ministry of Finance is preparing a report to the President on the development and implementation of a set of measures aimed at identifying and suppressing illegal activities in providing consumer loans. The Bank of Russia has formed its part of the data for this report. This follows from a letter of the First Deputy Chairman of the Central Bank Sergei Shvetsov to the Ministry of Finance dated May 11. It said the regulator was working on a specialized supervision model based on Big Data.

It will make it possible to divide sites into those that have and those that do not have the right to issue loans. The project is being developed in cooperation with the company "EU-Leasing," which is engaged in the development of software and computer equipment. The IT company did not respond to Izvestia's request.

Central Bank ordered banks to notify of spam with malicious files

On July 17, 2018, it became known that the Central Bank of the Russian Federation ordered banks to report on all spam mailings with malicious files. If the requirement is not met, credit institutions may be punished for incomplete disclosure of data.

According to Kommersant, the corresponding amendments to the regulation of the Central Bank No. 382-P entered into force on July 1. From this day on, banks are required to inform the Bank of Russia Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sphere (FinCERT) of computer incidents. At the same time, the specific list of incidents subject to the report is not defined in the new version of the document. It will be published as a separate document on the Central Bank website, but the timing of the publication is unknown.

Banks are required to send millions of messages about malicious mailings to the regulator

Sources at the banks surveyed by the publication said that the volume of unwanted letters they receive every day is huge, but they do not report spam mailings to the Central Bank in every case. Cisco security business consultant Alexei Lukatsky, in a conversation with the newspaper, indicated that spam makes up 60-80% of total e-mail volume, which, according to the expert, "makes the task of informing FinCERT difficult." More than 2 thousand phishing emails and more than 100 attempts to deliver malware are recorded at Sberbank per day, the bank's press service told the publication.

Lukatsky noted that theoretically, refusal to inform the Bank of Russia about all cases of receiving spam mailing with malicious codes could be considered a violation. The press service of the regulator told Kommersant that commercial credit institutions are "responsible in accordance with the federal law on the Central Bank." However, it will be quite difficult to determine the fact of such a violation if the bank reports at least some spam mailings, Alexey Lukatsky is sure.[33]

Central Bank ordered banks to report hacker attacks

On June 28, 2018, the Central Bank of the Russian Federation announced that from July 1, credit organizations will have to report to the regulator on hacker attacks and their technical parameters. Previously, banks did this on a voluntary basis.

"Now, to improve the quality of protection against cyber threats, credit organizations must use only certified software to transfer funds and conduct its periodic testing," the Bank of Russia said.

From July 1, Russian banks will be required to inform the Central Bank about hacker attacks

It is noted that the detailed information exchange that had been in force for several years turned out to be in demand both among credit institutions and law enforcement agencies. The Central Bank uses the data received from banks to develop recommendations for countering hacker attacks. This also covers unauthorized transfers of funds and access to the devices of bank customers, disruptions in the provision of payment services, malicious code, phishing and DDoS attacks.

Now organizations licensed by the Federal Service for Technical and Export Control (FSTEC) will assess the compliance with the level of protection. In addition, it will become mandatory to assess the fulfillment of the requirements for ensuring the protection of information when transferring funds by third-party organizations involved in the conformity assessment.

From January 1, 2020, a requirement for annual penetration testing and analysis of information security vulnerabilities is introduced. To do this, banks will need to involve an external auditor.

Also, from 2020, a condition is introduced on the mandatory separation of software environments for preparing and confirming payments, including when using remote banking systems. This will help protect bank customers from hacker attacks, the Central Bank is sure.[34]

The Central Bank ordered banks to check customers' devices when transferring money

The Bank of Russia obliged credit institutions to check the devices of customers that they use when transferring funds. These measures should help in the fight against money laundering. As they write in Vedomosti in the issue of June 21, 2018, according to the new, April, version of the Central Bank's regulation, banks must assign identifiers to customers' devices. If the identifiers of several clients match, then they will be considered high-risk clients.

By the end of June 2018, the use of IT characteristics for analyzing customer activities was recommended by the Central Bank and is already used by many banks, for example, credit institutions record client IP addresses. But in order to comply with the new requirements of the Central Bank, IT improvements will be required, experts say.

The Bank of Russia obliged credit institutions to check the devices of customers that they use when transferring funds

VTB told the publication that the new requirements of the Central Bank only consolidated existing practice: the innovations will not lead to any restrictions for customers; banks will simply pay more attention to "risky" operations.

According to Natalya Pozdeeva, Managing Director for IT at Absolut Bank, obtaining detailed data on a gadget's digital fingerprint is more difficult, and not all existing systems are able to do this. The bank will have to request data from some customers more often and update their questionnaires, she said.

As Alexander Sotov, head of the financial investigations and anti-corruption practice at FBK Grant Thornton, explained, a coincidence of gadget identifiers may indicate the existence of a "financial dispatch center" in which fraudsters transfer money from one computer through the Internet banks of companies they control. One such center was identified in 2010, but since then criminals have become better at hiding, using VPNs and other means, he added.

Traditional banking monitoring systems track the transactions themselves: the source of the money, where it goes, and the parameters of the operation as a whole, says Alexander Ermakovich, head of Kaspersky Lab's solutions for preventing online fraud. This is a working and reliable technology, but there are also newer approaches, he says: analysis of user behavior, which covers both the devices from which the user works with banking systems and the environment, habits and the user's usual behavioral patterns.

According to Ermakovich, hundreds of parameters are collected: information about the device itself and its characteristics, the environment in which it usually operates, the particulars of how the device is used, the client's behavior in the bank-client system, and connections with other users or devices. All these parameters are combined, and the machine detects anomalies in behavior and pattern violations, which makes it possible to distinguish fraudsters and "cashiers" from ordinary users.[35]
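The matching-identifier rule described in this section, worked through as an added example (this is not code from the Central Bank regulation or from any bank's monitoring system): each transfer carries the characteristics of the client's device, a stable identifier is derived from them, and clients whose device identifiers coincide are flagged as high-risk. The fingerprint fields, the record format and the sample transfers are constructed assumptions; a known-shared allowlist is included for devices that legitimately serve many clients.

```python
import hashlib
from collections import defaultdict

# Device characteristics folded into the identifier. This field set is an
# assumption for the example; real systems collect hundreds of parameters.
FINGERPRINT_FIELDS = ("os", "browser", "screen", "timezone", "hw_serial")


def device_id(attrs):
    """Derive a stable identifier from a device's characteristics.

    Fields outside FINGERPRINT_FIELDS (e.g. a changing IP address) are
    ignored, so repeated records of one device map to one identifier.
    """
    canonical = "|".join(f"{k}={attrs.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def shared_devices(transfers, known_shared=frozenset()):
    """Map device identifier -> sorted client ids, for devices used by more
    than one client. Identifiers in known_shared (e.g. a branch terminal that
    legitimately serves many clients) are skipped to avoid false positives."""
    clients_by_device = defaultdict(set)
    for t in transfers:
        dev = device_id(t["device"])
        if dev in known_shared:
            continue
        clients_by_device[dev].add(t["client_id"])
    return {dev: sorted(c) for dev, c in clients_by_device.items() if len(c) > 1}


def high_risk_clients(transfers, known_shared=frozenset()):
    """Clients to be treated as high-risk under the matching-identifier rule."""
    flagged = set()
    for clients in shared_devices(transfers, known_shared).values():
        flagged.update(clients)
    return sorted(flagged)


# Constructed sample: four clients, three physical devices. C-001 and C-003
# initiate transfers from the same device (identical characteristics), while
# the IP address differs between their sessions.
_DEV_A = {"os": "Windows 10", "browser": "Chrome 67", "screen": "1920x1080",
          "timezone": "UTC+3", "hw_serial": "SN-A1"}
_DEV_B = {"os": "Android 8", "browser": "App 2.1", "screen": "1080x2160",
          "timezone": "UTC+3", "hw_serial": "SN-B7"}
_DEV_C = {"os": "macOS 10.13", "browser": "Safari 11", "screen": "2560x1600",
          "timezone": "UTC+5", "hw_serial": "SN-C3"}

SAMPLE_TRANSFERS = [
    {"client_id": "C-001", "amount": 120000, "device": dict(_DEV_A, ip="203.0.113.4")},
    {"client_id": "C-002", "amount": 4500, "device": _DEV_B},
    {"client_id": "C-003", "amount": 98000, "device": dict(_DEV_A, ip="198.51.100.7")},
    {"client_id": "C-004", "amount": 15000, "device": _DEV_C},
    {"client_id": "C-001", "amount": 3000, "device": _DEV_A},
]

if __name__ == "__main__":
    for dev, clients in shared_devices(SAMPLE_TRANSFERS).items():
        print(f"device {dev} shared by {', '.join(clients)}")
    print("high-risk clients:", high_risk_clients(SAMPLE_TRANSFERS))
```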

The Central Bank of the Russian Federation will oblige banks to disclose financial damage from cyber attacks

From July 1, 2018, the Bank of Russia will change, for banks acting as money transfer operators and operators of payment infrastructure services, the form of reporting on events related to violation of information protection when transferring funds, according to the regulator's website.[36] Data on the technical characteristics of the incident (methods and causes of cyber threats) will be excluded from the reporting; instead, the economic consequences for operators and their clients will be indicated.[37][38]

In particular, operators will inform the Bank of Russia about what amounts cybercriminals attempted to steal during the reporting period and how much was actually stolen. "An important indicator will be the amount of stolen funds returned by the operator to its customers," the regulator notes.

This indicator will allow the Bank of Russia to assess how conscientiously operators fulfill the obligation to reimburse their customers for stolen funds established by the Law "On the National Payment System." The new reporting form also includes indicators of the continuity of the provision of money transfer services during a computer attack.

According to the Central Bank, changing the reporting form will increase the reliability of data on events related to violation of information protection in the implementation of money transfers, and more effectively control the risks of operators for the transfer of funds and payment infrastructure services. In addition, the information provided by them will make it possible to more accurately assess the quality of risk and capital management systems of credit institutions and banking groups.

Operators will be required to submit information on the technical details of the attacks to the Bank of Russia Credit and Financial Sector Monitoring and Response Center (FinCERT), a structural division of the Bank of Russia that collects and analyzes information from financial institutions about cyber attacks.

Creation of Information Security Department

Main article: Information Security Department of the Central Bank of Russia

In May 2018, the Central Bank of the Russian Federation forms a new department, the activities of which are entirely devoted to information security.

The Board of Directors of the Central Bank decided to divide the Main Directorate for Security and Information Protection into two independent divisions - the Information Security Department and the Security Department of the Bank of Russia.[39]

The Central Bank is preparing a standard for information security for financial organizations

On May 3, 2018, the Central Bank of Russia published a draft standard "Ensuring information security of financial organizations of the Russian Federation. The technology of preparation, direction and formats of electronic messages for information exchange with the Bank of Russia on identified incidents related to violation of the requirements for ensuring the protection of information when making money transfers" (STO BR IBFO-1.5-2018). As indicated in the explanatory note to the document, the draft standard was developed in order to increase the reliability of data on such events. Read more here.

Central Bank wants to receive the powers of security officials

In April 2018, the government sent to the State Duma a draft law according to which the Central Bank is empowered with unhindered access to the premises of companies and to their documents, RBC reports. It concerns the fight against insider fraud.

Permission for such activities is contained in the wording of the government bill of March 30, sent to the State Duma for consideration in the second reading and amending Art. 14 of the law "On countering the misuse of insider information."

As part of insider inspections, Central Bank employees will have access to documents and information, including limited by federal law, the text of the bill says. Also, employees will be able to copy the original documents.

Today, the Central Bank has the authority only to request documentation from organizations. During inspections, all Russian legal entities, foreign citizens and organizations working in Russia will be required to provide access to acts, contracts, certificates, business correspondence, as well as "other documents and materials." The Central Bank will have access to commercial, official and banking secrecy, information on postal money transfers and "other legally protected secrets" (with the exception of state and tax secrets), RBC reports. The initiator of the amendment to the government bill was the Bank of Russia.

The Bank explains the need to expand its powers by the ability to combat market manipulation. "A high degree of danger, secrecy of such crimes committed by 'professionals' of the financial market, requires appropriate changes," the document says.

Unhindered access of the Central Bank to a company is "a general practice of preventing illegal actions," RBC said with reference to the press service of the Bank. Checks with unhindered access of Central Bank representatives to the premises of legal entities and other organizations will be carried out only if there are serious grounds to believe that the law on insider information has been violated, said Deputy Finance Minister Alexei Moiseev. "It isn't that you were just walking past and decided to come in, there should be suspicions. There is a whole list of decision-making procedures, everything will be approved by a special body within the Central Bank," he commented to Interfax. The law giving the Central Bank new powers was planned to be submitted for consideration in the second reading at a meeting of the State Duma Committee on Financial Markets on April 5, but it was postponed.

Central Bank proposed a standard on information security

The Bank of Russia published in March a standard for the provision of information security services for financial institutions. Compliance with the standard will be voluntary, but the Central Bank does not exclude that in the future the standard will become mandatory for all companies providing information security services to financial market participants.[40][41]

Last year, the Russian banking sector faced a wave of cyber attacks. According to ESET, an international developer of antivirus software and computer security solutions, the number of such attacks on the financial sector grew by almost one and a half times over the year.

The standard is intended for banks, non-bank financial organizations, entities of the national payment system and other participants in the financial market, explained in a message on the regulator's website. According to the Central Bank, the use of the standard will help to form and maintain at an acceptable level an information security system for small and medium-sized organizations that usually lack financial and human resources.

"The standard comes into force on July 1, 2018. Its provisions are advisory in nature. In the future, if necessary, the issue of their mandatory application may be considered," the Central Bank said in a statement.

List of security threats to biometric data

On February 12, 2018, it became known that the Central Bank of the Russian Federation determined a list of security threats during the processing, collection, storage and verification of biometric personal data in state bodies, as well as banks and other organizations. The draft of the relevant regulatory act is published on the Bank of Russia website.[42]

Central Bank identified threats to biometric data

The draft directive was developed to ensure the protection of biometric data and the rights of citizens when working with such data during identification, the bank's explanatory note says.[43]

The Central Bank believes that the entry into force of this regulatory act will form the basis for establishing requirements for information technologies and technical means designed to process biometric data as part of identification, Interfax writes. The directive will have to come into force on June 30, 2018. Comments and proposals on its content are accepted from February 12 to 25, 2018, that is, for only two weeks.

A threat to the security of biometric data means a set of conditions and factors that create the danger of unauthorized (including accidental) access to this data with its subsequent destruction, change, blocking, copying, distribution, etc.

In December 2017, the State Duma adopted a law allowing banks to open accounts for individuals without their personal presence, using only biometric passports and data uploaded to the Public Services portal.[44] It is planned that the law on remote identification will enter into force in the summer of 2018.

"In principle, such a law is quite relevant to our time, and in this regard we are even overtaking EU legislation," said Oleg Galushkin, an information security expert at SEQ (formerly SEC Consult Services). "However, it is necessary to understand that the protection of biometric data requires the highest level of execution, since without it it is possible, for example, to open accounts for individuals without their participation. This is a 'generator of massive risks,' and it is not clear who will take them on. It is also known that the Bank of Russia, together with the Federal Security Service, is preparing a mobile application for remote identification of clients of credit institutions."

Financial Market Fraud Centre opened

The Bank of Russia has opened a Competence Center for countering illegal activities in the financial market, the regulator's press service reported. The center was opened on February 2, 2018 in Krasnodar. It will accumulate information on illegal activities in the financial market coming from all regions of the country.

"The key task of the Center is to develop a methodology for identifying and suppressing such practices based on the analysis of the data obtained. All structural divisions of the Bank of Russia operating in this direction will be able to use a single database and methodology," the regulator said in a statement.

The Central Bank believes that the creation of such a Center will make it possible to track the migration of fraudulent schemes and stop their spread at an early stage, identify the organizers of such schemes, and help build more effective interaction with law enforcement agencies and the public.

The press service added that at present the regulator is deploying more active work in the regions and is creating departments for countering illegal activities in all main departments of the Bank of Russia.

"We are interested in the qualitative growth of the Russian financial market and must protect the competitive environment from distortion. However, if there is a lot of illegal business, it displaces legal business. Moreover, this is a one-time business built on consumer deception. And the welfare of citizens is the ultimate goal of our economic policy," said Sergei Shvetsov, First Deputy Governor of the Bank of Russia, speaking at the opening of the center.

2017

Proposal of the Central Bank on the inclusion of those responsible for information security and IT on the boards of directors of public companies

In November 2017, the Central Bank of the Russian Federation announced plans to amend the corporate governance code with provisions related to cybersecurity. The regulator will recommend that public companies add information security competencies to their boards of directors.

According to Kommersant, citing Elena Kuritsyna, director of the corporate relations department of the Central Bank, the Bank of Russia considers it necessary to consolidate the strategic role of the board of directors of public joint-stock companies (PJSCs) in organizing a risk management system related to the development of information technologies and cybersecurity.

The Central Bank of the Russian Federation will amend the corporate governance code related to cybersecurity

Speaking at the OECD Russia Corporate Governance Roundtable on November 15, 2017, Kuritsyna noted that in the light of growing cyber risks, boards of directors should have the necessary competence in IT and cybersecurity, since they will have to approve the relevant company policies and monitor their implementation by management.

On the one hand, she said, new technologies offer a huge number of new opportunities for business development, but on the other hand, cybersecurity issues arise. Cyber risks are already materializing in the form of targeted, planned attacks on particular industries or companies. All this requires the serious involvement of the corporate governance system in order to repel these threats properly, she added.

The Central Bank intends to write these innovations into the corporate governance code; they will be discussed by the end of 2017. As of mid-November, compliance with the code is not mandatory for public companies but recommended. At the same time, implementation of some of the code's main provisions is a condition for including a company's shares in the first and second tiers of the Moscow Exchange quotation list. So the recommendation to transfer strategic functions for managing IT and cybersecurity issues to the board of directors of a PJSC may in future also appear in the listing rules, the newspaper notes.[45]

Certificates of cybersecurity specialists in the financial sector

In two years, Russia will begin to issue certificates of specialists in the field of cybersecurity in the financial sector. This was announced on October 11 to Kommersant by the deputy head of the main department of security and information protection of the Bank of Russia Artem Sychev.

According to Sychev, qualification requirements have been developed, as well as a master's degree program and an advanced training program. "The next stage will be the qualification test. Because you cannot certify people without offering to train them first," Sychev said.

In the future, it is also planned to introduce a requirement on the mandatory availability of certificates of a new type for cybersecurity specialists working in banks, but this should not be expected in the near future. Sergei Shvetsov, First Deputy Chairman of the Bank of Russia, announced the expansion of the list of specialties subject to certification in April 2016. In addition to cybersecurity specialists, new certificates will have to be obtained by experts in asset management and internal control.

There is now an urgent need for the training and certification of security personnel, Sychev noted. Whereas earlier the entire IT structure of a bank simply served its own interests, now someone else can influence the technologies between the bank and the client. This calls for experts who do not just protect the perimeter (there are currently enough such personnel), but who understand the very principle of the technology and are able to determine how it can be influenced from the outside and what to do in that case.

As Sychev explained, specialists will be trained in the three most in-demand areas: methodology, technology and jurisprudence in cybersecurity. Who will train the new personnel and issue certificates is still unknown, however. Currently, 11 organizations accredited by the Bank of Russia certify financial specialists. It may be possible for FSTEC to certify cybersecurity experts in the financial sector, but this issue has not yet been finally resolved.

Return of funds stolen from bank accounts

At the end of September 2017, the Bank of Russia and the Ministry of Finance of the Russian Federation announced their intention to simplify the return of funds to bank customers in cases where money has already been debited from the customer's account and received by the recipient's bank, but has not yet been credited to the accounts of cybercriminals, Vedomosti reports.[46]

Amendments to the bill on countering theft of funds, sent to the State Duma at the end of May 2017, allow bank clients not to prove their case in court. The previous version of the amendments provided that the fact of the unauthorized write-off of funds should be established by a court. In particular, customers whose funds had been debited without their consent and then blocked were expected to provide the bank with the corresponding decision of an arbitration court within 14 days. Otherwise, the bank had to post the payment.

According to a representative of the Bank of Russia, the mechanism proposed by the Central Bank and the Ministry of Finance will mainly affect legal entities. If funds are debited from a company's account without its consent, the bank that received the money may suspend crediting it to the recipient's account for up to five days. If the recipient does not provide documents confirming the validity of the transfer (copies of contracts, bills, invoices, etc.), the money will be returned to the company's account.

As for individuals, the procedure for reimbursing amounts illegally debited from the account is spelled out in the law on the national payment system, the representative of the Central Bank said.

However, the question of returning funds that have already been credited to the recipient's account remains unresolved. Banks have no right to return or block such funds for long without a court decision, and by the time a decision is obtained, attackers can safely withdraw the funds from the account.

Minimum amount of damage from cyber attacks for reporting

The Bank of Russia will establish a minimum amount of damage from cyber attacks, which banks are obliged to reflect in their statements. The innovation will appear in 2018 along with a new reporting form.

Since 2013, all financial organizations have submitted monthly reports to the Central Bank on problems that arose when transferring customer money. The report records all such cases: theft of payment card data when paying a bill in a restaurant, or skimming (when attackers install special readers on ATMs and then steal money). Banks submit the report as a table that records the fact of the incident together with the method of causing damage, its date, the payment system operator, the consequences of the violation, the actions taken to eliminate them, and whether law enforcement agencies were contacted. If there are no violations, all the relevant columns are filled with zeros.

But from 2018 the Central Bank plans to change the form of these reports, obliging banks to disclose economic indicators related to cyber attacks. Thus, in a year banks will report to the regulator the amounts hackers attempted to steal during the reporting period, the amount actually stolen from customer accounts and information about funds returned to [47]

Tightening requirements

On September 14, 2017 it became known that the Bank of Russia was tightening its information security (IS) requirements for credit institutions. The latter will have to reconsider their interaction with third-party companies hired to provide cyber defense.

According to Kommersant, in September 2017, a draft document of the Bank of Russia "Management of Information Security Violation Risk in Outsourcing" was posted for public discussion, in which the regulator points out the risks to the bank's information security from attracting outsourcers and puts forward requirements to minimize them.

Building of the Central Bank

The Central Bank notes that the risks of engaging third-party organizations are that a bank may choose a supplier without the necessary knowledge or resources, and that the bank itself may have little control over the supplier's actions. Poor-quality work by outsourcers may result in a vulnerability in the bank's information protection system and even theft of funds from the credit institution, the regulator points out. The standard will enter into force on January 1, 2018.

The Bank of Russia requires banks to develop a policy for interaction with the outsourcer, that is, to clearly define the list of services provided by the third-party company and the list of functions the bank performs itself, and to clearly separate and identify the areas of responsibility of the bank and the third-party organization.

When transferring significant functions, the Central Bank requires banks to periodically assess the likelihood that the risk of an information security violation will materialize, as well as the severity of its consequences (which depends directly on the volume of money transfer operations, balances on correspondent accounts, etc.). Banks recognized by the Central Bank as systemically important are recommended to inform FinCERT in advance about plans to transfer particular functions to outsourcing.[48]

Blocking fraudulent sites

The Bank of Russia and the Ministry of Communications are working on amendments to the law "On Information, Information Technologies and Information Protection," which will make it possible to counteract fraudulent resources on the Internet more effectively.

It is planned to give the Bank of Russia the right to decide on the inclusion of resources in the unified register of prohibited sites. Thus, a new type of prohibited information will appear on the Runet: information used for fraud in the financial market. For example, in some cases financial organizations that have lost their licenses continue to offer "payday loans" via the Internet.

"The Bank of Russia, on the basis of agreements with competent organizations, initiates the blocking of fraudulent resources in the Russian segment of the Internet related to the financial markets and the national payment system," the Central Bank's press service confirmed. "At the moment, about 400 domains have been removed from delegation."

Sites created for fraud in the financial market will be blocked. The Central Bank of Russia will conduct an examination of such resources. This is stated in the Strategy of State Policy in the field of consumer protection.

See also Phishing

Online Payment Security Requirements

The Bank of Russia proposed in September 2017 to expand the list of requirements for the protection of information when transferring funds on the Internet. The corresponding draft amendments to the regulation of the Central Bank are posted on the portal for the disclosure of draft regulatory legal acts.

In particular, the requirements for money transfer operators, which must ensure the security of operations on the Internet, are to be increased.

"The money transfer operator, based on the client's application... defines restrictions on the parameters of transactions that can be carried out by the client using the Internet banking system," the document says.

Operators must improve security through specific technological measures that ensure identification of the client, authentication of the client's electronic messages when transferring funds, and the ability to verify transaction details.

The amendments also regulate the operator's ability to confirm the client's right to conduct an operation or set restrictions, including: the maximum amount of the transfer, the list of possible recipients of funds, the time of the operation, the geographical location of the devices with which customers carry out operations.

Operators must report incidents to the Central Bank, as well as "on planned measures to disclose information about incidents."


In addition, the amendments oblige operators to conduct annual penetration testing of their systems against information security threats.

It is proposed to amend Bank of Russia Regulation No. 382-P, dated 9 June 2012, "On Requirements for Ensuring the Protection of Information in Money Transfers and on the Procedure for the Bank of Russia to Monitor Compliance with the Requirements for Ensuring the Protection of Information in Money Transfers."[49]

Cybersecurity outsourcing standards

The Bank of Russia has developed standards for outsourcing cybersecurity. According to them, banks that lack the capacity to develop and upgrade cybersecurity systems on their own must transfer these functions to a third-party company specializing in countering hackers, that is, to an outsourcer.

The engaged company can help the bank build a cybersecurity system within up to six weeks, and then continuously monitor hacker attacks, maintain protection around the clock and train staff.

Earlier, Artem Sychev, deputy head of the Central Bank's main security and information protection department, said that "for small and medium-sized banks, issues related to cybersecurity and IT in general are very cheap and difficult," so it is necessary to develop information security outsourcing. Such services are currently provided by 30 companies on the market.

As follows from the Central Bank standard, banks can choose between three models of interaction with outsourcers: long-term, medium-term and short-term cooperation. In the first case, the third-party company monitors and responds to cyber attacks on the bank. In the second, the outsourcer is engaged to carry out an information security project for the bank, for example, to build the bank's own center for monitoring and responding to cyber threats. The third model implies that the bank engages the company for a period when the level of cyber risk increases.

Outsourcing services can be basic, extended or premium:

  • Basic: operates in 8x5 mode; time to detect critically dangerous cyber attacks up to 30 minutes, analysis of the situation 45 minutes, recommendations for eliminating the incident within 2 hours.
  • Extended: operates 24x7; detection up to 20 minutes, analysis 30 minutes, recommendations within 1.5 hours.
  • Premium: operates 24x7; detection up to 10 minutes, analysis 20 minutes, recommendations within 45 minutes.

Ekaterina Surtukova, head of outsourcing at the information security center of Jet Infosystems, noted that compared to the basic package, the cost of an extended one is 1.2-1.5 times higher, and the cost of a premium one 1.5-1.7 times higher. For the basic package, small banks will have to pay 250 thousand rubles a month, and large ones up to 2.5 [50] to [51]

Bank Customer Biometric Database

Main article Unified biometric identification system

Cyber Attack Information Exchange System for Banks

The Central Bank continues to strengthen measures to combat cybercrime, acting as coordinator of this activity in the credit and financial industry. Measures are developed through a working group that includes representatives of the Central Bank, the FSB, FSTEC, the Ministry of Communications, the Ministry of Finance and Rosfinmonitoring. The technical tasks within this activity are assigned to FinCERT. Another task was to develop a platform for automating and accelerating information exchange between interested government agencies and the banking system in order to raise the level of cybersecurity, the Kommersant newspaper reported in July 2017.

The platform is an online resource that will allow system participants to exchange information through personal accounts in a new format.

"Now we are sending out mailings, in fact a text file with certain indicators," explained Artem Sychev, deputy head of the Central Bank's Main Directorate for Security and Information Protection. "We want to introduce a new exchange format that will allow credit institutions to load these indicators of compromise into their detection systems in an automated mode."

According to him, this is in effect an analogue of the international VirusTotal service (which allows files to be checked for malware "using a large number of antivirus engines"). In addition, the platform will contain services for analyzing critical situations.

The technical design of the system will begin in August 2017, and the launch of the platform is scheduled for the end of 2017. By mid-2018, it is expected to be fully operational.

Financial organizations will report to the Central Bank the amounts hackers attempted to steal, the amount actually stolen from customer accounts, and the amount of funds returned to citizens. As the regulator notes, technical data on the causes of each incident has also been excluded from the reports. The innovation is expected to improve the reliability of the information provided about cyber attacks and to make credit organizations pay more attention to ensuring information security.

Annual Banking Software Pentests

The Bank of Russia has developed a draft directive on amending the Regulation "On Requirements for Ensuring Information Protection when Making Money Transfers and on the Procedure for the Bank of Russia to Monitor Compliance with the Requirements for Ensuring Information Protection when Making Money Transfers."

According to the document, money transfer operators will be required to use software certified for compliance with information security requirements. That is, banks and payment systems will be able to use only programs that have been tested for vulnerabilities and undeclared capabilities in accordance with the requirements of the Federal Service for Technical and Export Control (FSTEC), or that meet an evaluation assurance level not lower than OUD 4 (EAL 4) in accordance with GOST R ISO/IEC 15408-3-2013.

Definitions from ISO/IEC 15408-1 referred to here:

  • 2.4 assurance: the grounds for confidence that the entity meets its security objectives, obtained by performing appropriate actions or procedures.
  • 2.16 assurance evidence: documented results, presented as data obtained in the assurance analysis of the evaluated object, including reports (justifications) in support of the assurance claim.

The analysis of vulnerabilities in the software should be carried out by organizations licensed to carry out activities for the technical protection of confidential information. Penetration testing and vulnerability analysis should be conducted annually. The directive comes into force on July 1, 2018.

Gosstandard of Information Protection for Banks GOST R 57580.1-2017

  • GOST R 57580.1-2017 "Security of Financial (Banking) Operations. Information protection of financial institutions. Basic set of organizational and technical measures" was approved on 08.08.2017
  • Applies to banks, non-bank financial institutions and other NPS entities

What is fundamentally new

  • Information protection levels
    • Level 3 - minimum (corresponds to personal data protection level 4)
    • Level 2 - standard (corresponds to personal data protection levels 2 and 3)
    • Level 1 - enhanced (corresponds to personal data protection level 1)

  • The level of information protection is established for a specific security contour (an information system that implements business processes of a single degree of criticality, for which a single information protection mode is used)
  • Example: payment and information technology processes can form different security contours
  • One or more security contours are formed
  • The level of protection for a security contour is established by Bank of Russia regulations on the basis of:
    • Types of activities, scope of services provided, business processes within the security contour
    • Volume of financial transactions
    • Organization size
    • Implications for the financial market and the NPS

Comparison with STO BR IBBS-1.0-2014
In Russia, GOST R 57580.1-2017 "Security of Financial (Banking) Operations. Information protection of financial institutions. Basic set of organizational and technical measures" was approved in August 2017. The national standard will be introduced from January 1, 2018 in accordance with the order of Rosstandart of August 8, 2017.

According to the document, the planning, implementation, control and improvement of the data protection process in banks must be approached comprehensively. The standard describes the requirements for organizing all major information protection processes, including measures to prevent leaks and violations of the integrity of the information infrastructure, as well as to protect against attacks using malware.

Instructions for the protection of information when performing operations through mobile devices are indicated in a separate paragraph. In addition, the standard describes the requirements for ensuring data security at all stages of the life cycle of automated systems and applications used in financial organizations.

According to Kommersant, the new GOST introduces mandatory certification of information protection tools for all companies in the financial market. Market participants believe that the requirement of total certification is impossible due to its high cost and the peculiarities of the Russian IT industry[52].

The main requirement of the GOST is that all technical information protection measures must have a certificate of compliance with the standards of the Federal Service for Technical and Export Control (FSTEC). Thus, financial organizations assigned the minimum, third level of information protection will need to use certified software of at least class 6 (an indicator of protection against unauthorized access to information), second-level organizations must use solutions of at least class 5, and first-level organizations must work with solutions of at least class 4.

A differentiated approach is also introduced when determining the level of information protection that the Bank of Russia will assign for each supervised organization. There will be three levels in total - minimum, standard and reinforced. They will be assigned depending on the type of activity, the composition of the implemented business and technological processes, the volume of financial transactions and other factors.

Standard structure

  • Section 6. Application methodology and definition of protection levels
  • Section 7. Requirements for the information protection system (SZI)
    • Access control (IDM)
    • Network protection (IDS/IPS, NGFW)
    • Integrity scanner
    • Protection against malicious code (AV)
    • Leak prevention (DLP)
    • Incident management (SIEM)
    • Virtualization environment protection (protection tools for virtual environments)
    • Mobile device information protection (MDM)

  • Section 8. Requirements for the information security management system (SOIB/SMIB)
    • Planning of protection system processes
    • Implementation
    • Control
    • Improvement

  • Section 9. Requirements for information protection at the stages of the life cycle of automated systems and applications

  • Appendix A. Basic threat and intruder model
  • Appendix B. Organizational measures related to personal data processing
  • Appendix V. List of information protection events potentially related to incidents

Dmitry Skobelkin appointed curator of information security at the Central Bank of the Russian Federation

In July 2017, the Central Bank of the Russian Federation announced that Dmitry Skobelkin would oversee the Department of Financial Monitoring and Currency Control, the Main Directorate for Security and Information Protection, and the Bank's Interregional Security Center.

Prior to Skobelkin, the work of the Main Directorate for Security and Information Protection of the Central Bank was coordinated and supervised by First Deputy Chairman of the Bank Georgy Luntovsky. According to the Central Bank, he decided to leave his post and will leave in September 2017 of his own accord.

Security control in the financial sector

In 2017, the Central Bank of the Russian Federation will conduct more than 100 inspections of remote banking systems (RBS), approve cybersecurity standards for exchange market participants and create a security center for medium-sized and small banks. Tightening information security (IS) requirements should be based on threat analysis, otherwise it could lead to less convenient banking services.

The Central Bank of Russia intends to strengthen control over the security of payment transactions in Russian banks. To this end, in 2017 it is organizing more than 100 inspections of remote banking systems (RBS), RBC reports with reference to Artem Sychev, deputy head of the main department for security and information protection of the Central Bank of the Russian Federation. According to him, the first checks were already carried out in February 2017.

Banks whose audit results are unsatisfactory will have to either increase capital or add reserves to their existing operational risk in the amount of the average daily balance of the correspondent account. Precise information on which of these measures will be adopted should appear in mid-2017.[53]

The payment document flow in banks consists of two parts: the automated banking system (ABS) and the automated workplace of the Bank of Russia client (AWS KBR). The ABS processes customer payment orders and generates payment registers. The resulting registers are encrypted and sent to the Central Bank of the Russian Federation. Since both the ABS and the AWS KBR are reliably protected (at least in theory), the only vulnerable point of the system is the data transmission channel between the ABS and the AWS KBR.

According to banks, strict adherence to the instructions (namely, exchanging information not via corporate servers but via secure removable media) leaves hackers no loophole for replacing real data with fictitious data. For its part, the Central Bank of the Russian Federation believes that in this state of affairs the efforts of cybercriminals will focus on attempts to hack the ABS. If such attempts succeed, the substitution of real data with fictitious data cannot be detected at the ABS level. And encryption of the bank data that hackers gain access to, using a more advanced analogue of the WannaCry virus, could completely paralyze the work of a given credit institution.

Unified Bank Information Security Strategy

The Association of Russian Banks (ARB) in February 2017 appealed to the Central Bank of the Russian Federation with a request to develop a unified strategy for the development of information security of credit and financial organizations. The head of the ARB Garegin Tosunyan spoke about this at the IX Ural Forum "Information Security of the Financial Sphere."

He noted that the responsibility of information security units of banks is regulated by about 130 documents, including about 50 federal laws, 20 presidential decrees and government decrees, 15 acts of federal executive bodies, 25 Bank of Russia regulations, 20 standards and regulatory documents of international and Russian payment systems.

The head of the ARB believes that there is a need to streamline these documents and create a single industry document on information security, which allows credit and financial institutions to quickly respond to constantly emerging new challenges.

"All these documents are not very compatible with each other, and this creates a problem. The creation of a single document will reduce the likelihood of collisions," said Garegin Tosunyan.

Garegin Tosunyan from ARB believes that there is a need for a single document on the development of information security in the banking sector

For the most effective use of the potential of the banking community in the preparation of the strategy, it is necessary to involve all interested organizations and invite the Bank of Russia to lead this process as an interdepartmental coordinator, the ARB believes.

Tosunyan recalled that at least a dozen more information security regulations of the Central Bank will come into force in 2017-2018.

Artem Sychev, Deputy Head of the Main Directorate for Security and Information Protection of the Bank of Russia, said at the same forum that the number of cyber attacks on commercial banks and citizens in Russia is increasing every year, but the effectiveness of these attacks is decreasing[54].

"There is a trend towards an increase in the number of attacks; it remains and continues, unfortunately, to increase. On the other hand, there is good news. The good news is that the performance of such attacks is not always positive," he said.

Sychev noted that in 2016 the number of DDoS attacks almost doubled. The number of mailings containing malicious software is growing almost every month, the Bank of Russia representative said. At the same time, the DDoS attacks recorded in late 2016 and early 2017 did not cause significant damage to banks: they caused trouble, but were not critical in nature and did not disrupt any service. The regulator also notes an exponential increase in the number of fraudulent SMS mailings.

Artem Sychev added that the market has recently faced a new type of attack when the Internet of Things is used.

"For security, this means that at one point the mass of TVs that are installed in citizens' homes will unexpectedly collapse on our network, and we will not be able to do anything about it," Sychev said.

Changing the Way Payments Are Made to Fight Hackers

According to Kommersant, the Central Bank of the Russian Federation sent a letter to the heads of the IT departments of banks asking them to assess, by February 10, how quickly they could introduce encryption of payments sent to the regulator's payment system at the level of the automated banking system (ABS).[55]

A bank's ABS, the newspaper explains, is a hardware and software complex consisting of many computers combined into a single secure contour, where payment orders are processed and payment registers are formed. The registers formed in the ABS go to the AWS KBR (automated workplace of the Bank of Russia client), a dedicated computer in the bank in a separate secure contour, from which payments are sent to the Central Bank.

The introduction of encryption in the bank's ABS, the Central Bank's press service explained to the newspaper, will protect data at an earlier stage, "complicate the conditions of attack for attackers and reduce the level of theft." The measure, the regulator noted, is proposed on the basis of an analysis of the facts of theft from commercial banks and takes into account world experience and modern trends. "It is this practice that is used in almost all large payment systems," the press service of the Bank of Russia emphasized.

The Central Bank's measure is designed to introduce encryption of payments at an earlier stage. As Alexey Pavlov, analyst at the Solar JSOC center for monitoring and countering cyber attacks, explained, banks violate the Central Bank's recommendations on complete isolation of the AWS CBD from the rest of the bank's network and on transferring data using secure removable media. When sending registers, an intermediate folder on a file server in the bank's corporate network is often used, and it is there that hackers replace the register file, so that partially or completely fictitious data reaches the AWS CBD, where it is encrypted and sent to the Central Bank. A fictitious payment cannot be identified in encrypted form; however, if the registers are encrypted directly in the ABS, it becomes impossible to replace them on the way to the AWS CBD.

Banks told Kommersant that they are estimating the timing and possible cost of introducing the innovation. Pavlov said that a bank would have to carry out a large-scale technical update. Turnkey solutions do not meet all the requirements of crypto protection legislation; specialists holding a special FSB license must be involved and at least a year of implementation time is needed, said a crypto protection specialist at one of the large companies. As a result, the innovation will cost a bank several million rubles. The Central Bank is discussing the timing of the introduction of encryption systems with market participants "in order to determine a comfortable transition period," the regulator noted.

According to the newspaper, bankers have a negative attitude towards the Central Bank's idea and do not want to comment on it officially. An ABS consists of hundreds of computers that will need additional protection, says the head of the IT department of a top-100 bank. An IT specialist from a top-50 bank adds that an additional control will be lost: now the bank can compare the registers uploaded from the ABS with those that arrived at the AWS CBD and identify a fictitious one, but once encryption is done in the ABS this will no longer be possible. A representative of a large bank stressed that the Central Bank has already demanded that banks strengthen security measures at the AWS CBD site by June 30 of this year, which involves costs, and is now changing its approach.
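The substitution scenario described above (a register rewritten in an intermediate folder between the ABS and the AWS CBD) is defeated when the register is cryptographically protected at the point where it is produced, so that the receiving side can tell whether the file it got is the one the ABS formed. The following is an added illustration, not code from the Bank of Russia, Kommersant or any bank: it uses an HMAC tag to show the integrity-protection half of the proposal. The register format, the payment fields and the shared key are constructed for the example; the real ABS/AWS CBD exchange format and the certified cryptography such a deployment would require are not described on the page.

```python
"""Added example: seal a payment register in the ABS, verify it at the AWS CBD.

A register altered in an intermediate folder no longer matches its tag and is
rejected instead of being encrypted and forwarded to the Central Bank.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Assumption: ABS and AWS CBD share a secret provisioned out of band.
# A random key stands in for a properly managed production key.
SHARED_KEY = secrets.token_bytes(32)


def seal_register(payments: List[Dict], key: bytes = SHARED_KEY) -> bytes:
    """ABS side: canonical serialisation plus an HMAC-SHA256 tag on the body."""
    body = json.dumps(payments, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_register(sealed: bytes, key: bytes = SHARED_KEY) -> Optional[List[Dict]]:
    """AWS CBD side: verify the tag before any payment order is accepted.

    Returns the payment list on success and None when the file was altered
    or is malformed, so the caller never forwards unverified data.
    """
    try:
        body, tag = sealed.rsplit(b"\n", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def tamper_register(sealed: bytes, new_payee: str) -> bytes:
    """Test fixture reproducing the page's scenario: the payee in every order is
    rewritten while the file sits in the intermediate folder; the original tag
    is left untouched because the attacker does not hold the key."""
    body, tag = sealed.rsplit(b"\n", 1)
    payments = json.loads(body)
    for order in payments:
        order["payee"] = new_payee
    body = json.dumps(payments, sort_keys=True, separators=(",", ":")).encode()
    return body + b"\n" + tag


if __name__ == "__main__":
    # Constructed sample register: account numbers and amounts are made up.
    register = [
        {"id": 1, "payee": "40702810000000000001", "amount": "1000.00"},
        {"id": 2, "payee": "40702810000000000002", "amount": "250.50"},
    ]
    sealed = seal_register(register)
    print("genuine register accepted:", open_register(sealed) == register)
    forged = tamper_register(sealed, "40702810999999999999")
    print("substituted register accepted:", open_register(forged) is not None)
```

The tag gives the AWS CBD the check that, according to the article, it currently lacks: it validates the register against what the ABS actually produced rather than against a copy that may itself have passed through the same folder. Encrypting the register in the ABS, as the Central Bank proposes, additionally hides its contents in transit; in practice both properties would come from an authenticated encryption scheme using the certified means the article mentions.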

2016

Blocking sites with malicious content

Internet sites with malicious content related to the financial markets and the national payment system will be blocked based on data received from the Central Bank. This was reported by the TASS news agency[56].

Such actions are provided for in the agreement between the Bank of Russia and the Coordination Center for the National Internet Domain, the administrator of the national top-level domains ".рф" and ".ru".

The Central Bank received the status of a competent organization with the right to identify violating sites that distribute malware, resources with illegal content, phishing sites, and provide this information to the coordination center and accredited domain name registrars to block such resources.

In addition, the Bank of Russia urged citizens to inform the regulator about unscrupulous sites located in the domestic domain space.

Internet Banking Control

In December 2016, it became known that the Bank of Russia will conduct a large-scale security check of online banking. The regulator will check the degree of protection of online payment services and mobile applications from cyber threats. After checking, the Central Bank intends to take control of this area and certify remote services for compliance with information security requirements.

Read more: Secure RBS system

Bank Cyber Security Laboratory

On October 31, 2016, it became known about the plans of the Central Bank to create a laboratory to protect banks from cyber threats. The laboratory is supposed to be created in the structure of the Central Bank itself - on the basis of the Center for Monitoring and Responding to Computer Attacks in the Credit and Financial Sector (FinCERT).

The regulator is going to equip credit organizations with technologies to prevent cyber threats. The Central Bank plans to create a laboratory that studies technologies and the consequences of computer attacks.

The prototype of the research center may be an analogue of the Adroit Data Recovery Center (ADRC) operating in Malaysia[57]. Law enforcement agencies and credit organizations may take part in the implementation[58].

Network operations center (2016)

Laboratory specialists will study the methods and consequences of computer threats, including attacks on ATMs, POS terminals and self-service devices. Central Bank employees will analyze fraudulent Internet resources and mobile devices. The structure will help credit and financial institutions correctly remove and seal objects handed over for examination. The Central Bank, for its part, will prepare a description of the means and methods of attacks on self-service devices and recommendations for countering them.

The exact timing of the creation of the laboratory, as well as its name, has not been announced. According to Izvestia, the Bank of Russia is developing a launch plan and a roadmap for the laboratory, the approval of which is scheduled for the end of 2016.

Bank of Russia Recommendations on Information Leakage Protection

In April 2016, the Bank of Russia published recommendations for banking system organizations on ensuring information security in terms of preventing information leaks. The document (download PDF) comes into force on June 1, 2016. The Bank of Russia notes that such recommendations are being introduced for the first time. Banking organizations may apply them on a voluntary basis, the document says.

The recommendations cover only cases of information leakage resulting from the actions of employees of a banking organization or of persons with legitimate access to information or to the premises where it is processed. At the same time, the recommendations do not apply to banking system organizations that process information using cloud technologies or outsource it to a third-party organization.

The Bank of Russia explains that implementing the recommendations reduces the risk of information leakage through monitoring and control of information flows. At the same time, the document does not cover recommendations whose implementation only indirectly reduces leakage risk: for example, protection against malicious code, firewalling and network segmentation, information security audits, or the organization of logical access.

The Central Bank issued recommendations for banks on combating information leaks through employees for the first time

Among the measures that contribute to reducing the risks of information leakage, the Bank of Russia invites financial institutions to establish and document the classification of the information processed. It is recommended to distinguish at least two classes - "confidential information" and "open information." Classification is recommended to be carried out on the basis of assessing the severity of the consequences for the organization from possible confidential information leaks, the document says.

Organizations are also encouraged to document and ensure that all confidential information assets and information asset environment objects are identified and recorded. This paragraph describes in detail the composition of the rules for identifying and accounting for information assets and objects of the information asset environment, the types of information assets and objects to be identified and accounted for, the set of credentials that must be stored, etc. It is recommended to use automation tools to record and identify information assets and computer equipment.

The Bank of Russia recommends determining the categories of possible internal violators and potential channels of information leakage, the composition of their monitoring and control processes, and ensuring the implementation of information security management processes, etc.

One of the sub-paragraphs of the recommendations, quite extensive, covers the automation of monitoring and control processes for potential information leakage channels of the organization. There are no tips for choosing specific technical solutions, with the exception of the clause on centralized management and monitoring of mobile device use by employees of the organization. Here, an example is given of possible solutions for use, such as XenMobile, MobileIron, SAP Afaria, IBM Endpoint Manager.

2014: Information Security Standard in Banks

On June 1, 2014, a new standard for ensuring information security in banks, recommended by the Bank of Russia, came into force. According to the standard, the Bank of Russia recommends that Russian banks implement Data Loss Prevention (DLP) systems to prevent leakage of customer data. With their help, credit organizations will be able to analyze the correspondence of employees, as well as find out which Internet sites they use.

The new standard, which came into force on June 1, replaced the old one, in force since 2010. For the first time, the document refers to a "data breach" and spells out measures to prevent it. To this end, the Central Bank of Russia allowed banks to use DLP (Data Loss Prevention) systems. This type of software is installed on employee computers and corporate servers and makes it possible to track all of their actions on the Internet, as well as correspondence and exchange of information.

The use of DLP obliges banks to archive email so that, in the event of an information leak, its source can be traced. In addition, the security standard implies the use of secure network protocols. According to the text of the document submitted to the Duma, companies are to be given the opportunity to obtain a citizen's remote consent to the processing of his personal data; currently this can only be done in the person's physical presence.
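The 2016 recommendations above ask banks to classify information into at least "confidential" and "open" classes and to monitor leakage channels, and the 2014 standard points to DLP systems as the tool. As an added illustration of what the content-inspection core of such a system does (this is constructed example code, not the Bank of Russia's standard or any DLP product), the block below scans outbound messages for two constructed indicators: an explicit confidentiality marker and bank card numbers validated with the Luhn check, and returns a class and an action for each message. The messages, the marker word and the thresholds are assumptions of the example.

```python
"""Added example: a minimal DLP content check for outbound mail.

A message is classed "confidential" if it carries a classification marker or
contains a Luhn-valid card number; everything else is "open".
"""
import re
from dataclasses import dataclass, field
from typing import List

# Assumption: the organisation stamps confidential documents with this marker.
CONFIDENTIAL_MARKER = "CONFIDENTIAL"

# Runs of 13-19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; filters out phone numbers and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    classification: str          # "confidential" or "open"
    action: str                  # "block" or "allow"
    reasons: List[str] = field(default_factory=list)


def inspect_message(body: str) -> Verdict:
    """Classify one outbound message and decide whether it may leave."""
    reasons = []
    if CONFIDENTIAL_MARKER.lower() in body.lower():
        reasons.append("classification marker present")
    cards = find_card_numbers(body)
    if cards:
        # Only the last four digits are logged so the DLP log itself does not
        # become a leakage channel.
        reasons.append("card numbers: " + ", ".join("*" + c[-4:] for c in cards))
    if reasons:
        return Verdict("confidential", "block", reasons)
    return Verdict("open", "allow")


if __name__ == "__main__":
    # Constructed messages; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    samples = [
        "Lunch at 13:00? Call me on +7 495 123 45 67.",
        "Client card 4111 1111 1111 1111 needs a limit raised, see attached.",
        "CONFIDENTIAL: Q3 credit portfolio, do not forward.",
        "Order ref 1234 5678 9012 3456 shipped.",
    ]
    for s in samples:
        print(inspect_message(s))
```

A production DLP system adds what this sketch omits: inspection of attachments and archives, fingerprints of known confidential documents, per-channel policies (mail, web, removable media) and the mail archiving the standard requires so that a detected leak can be traced to its source.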

2013

16 Online Payment Security Recommendations

On August 5, 2013, Bank of Russia Letter No. 146-T was published, containing a number of recommendations to credit institutions to improve the security of the provision of retail payment services on the Internet.

The Internet payments market, along with the e-commerce market, existed a few years ago in a "parallel reality" regarding the Russian financial market, the Central Bank and changes in Russian legislation. However, the annual growth of the e-commerce market by more than a quarter and the increasing interest of Russians in cashless payments on the Internet and the use of bank cards have generally changed the situation.

In Letter No. 146-T, a number of items describe the standard functions of the fraud monitoring system of an organization responsible for payment security. It is recommended to update the mechanisms of the fraud monitoring system at least once every two years and, when new risk factors appear or major changes are made to the information protection system, to promptly adapt the risk analysis system to them.

Multi-factor payer authentication is recommended to improve the security of online payments and reduce the risk of fraudulent transactions. As the compilers of the Letter explain, authentication factors include "possession of an object or device (for example, a personal identifier), knowledge of certain information (for example, a password), possession of certain permanent inherent properties (for example, fingerprints)."

For the same purpose, it is recommended to use dynamic client authentication: authentication in which one of the steps uses a password with a limited validity period and a limit on the number of uses. The recommendations on confirming payment transactions with one-time passwords delivered to the client via an alternative communication channel correspond to the 3-D Secure XML protocol and the practice of the international payment systems Verified by Visa, MasterCard SecureCode and J/Secure. Attention is also paid to the importance of payment monitoring mechanisms, including for risk analysis. The monitoring criteria are the frequency, amount and place of payment and the recipient of the payment.
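The dynamic authentication step described above, a one-time password with a limited validity period and a limited number of uses, delivered out of band and used to confirm a specific payment, is shown below as an added example. This is constructed illustration code, not an implementation from Letter No. 146-T or from any payment system; the `OtpService` class, its time-to-live, use limit and attempt limit, and the injectable clock are assumptions made so the behaviour can be exercised without waiting for real time to pass.

```python
"""Added example: one-time passwords bound to a payment, with expiry and use limit.

issue() returns the code the bank would send over the alternative channel
(SMS, push); verify() is what the payment confirmation step calls.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class OtpRecord:
    salt: bytes
    code_hash: bytes
    issued_at: float
    uses_left: int
    attempts_left: int


def _hash_code(salt: bytes, code: str) -> bytes:
    # The plaintext code is never stored; only a salted HMAC of it.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


class OtpService:
    def __init__(self, ttl_seconds: float = 120.0, max_uses: int = 1,
                 max_attempts: int = 3, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds            # validity period of a code
        self.max_uses = max_uses          # how many confirmations one code may make
        self.max_attempts = max_attempts  # wrong guesses before the code is locked
        self.clock = clock
        self._records: Dict[Tuple[str, str], OtpRecord] = {}

    def issue(self, client_id: str, payment_id: str) -> str:
        """Create a 6-digit code tied to (client, payment); replaces any earlier one."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = secrets.token_bytes(16)
        self._records[(client_id, payment_id)] = OtpRecord(
            salt, _hash_code(salt, code), self.clock(), self.max_uses, self.max_attempts)
        return code

    def verify(self, client_id: str, payment_id: str, code: str) -> str:
        """Return "ok", or the reason the confirmation was refused."""
        rec = self._records.get((client_id, payment_id))
        if rec is None:
            return "unknown"          # no code issued for this payment
        if self.clock() - rec.issued_at > self.ttl:
            return "expired"          # validity period exceeded
        if rec.uses_left <= 0:
            return "exhausted"        # use limit already reached
        if rec.attempts_left <= 0:
            return "locked"           # too many wrong guesses
        if not hmac.compare_digest(rec.code_hash, _hash_code(rec.salt, code)):
            rec.attempts_left -= 1
            return "invalid"
        rec.uses_left -= 1
        return "ok"


def wrong_code(code: str) -> str:
    """Helper for demonstrations: a code guaranteed to differ from the given one."""
    return f"{(int(code) + 1) % 1_000_000:06d}"


if __name__ == "__main__":
    now = [1_000.0]                       # constructed clock so expiry can be shown
    svc = OtpService(ttl_seconds=60, clock=lambda: now[0])
    code = svc.issue("client-1", "payment-42")
    print(svc.verify("client-1", "payment-42", code))   # ok
    print(svc.verify("client-1", "payment-42", code))   # exhausted (single use)
    code = svc.issue("client-1", "payment-43")
    now[0] += 61
    print(svc.verify("client-1", "payment-43", code))   # expired
```

Binding the code to the payment identifier matters as much as the expiry: a code issued for one transfer cannot be replayed to confirm a different one, which is the property the out-of-band confirmation is meant to provide.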

All recommendations for ensuring the security of retail payments should be taken into account both when transferring the functions of a money transfer operator to outsourcing, and when drawing up contracts with subagents providing electronic means of payment that allow you to receive retail payment services via the Internet.

And, of course, significant attention in the Letter is paid to measures to improve the literacy of individual payers. Retail funds transfer operators are recommended to inform customers about possible suspension of services, about unsuccessful attempts to gain access to them, and about the ability to manage limits on payments made via the Internet. These recommendations aim to increase the population's trust in non-cash payments and the motivation to use them actively. One of the tools for popularizing non-cash transactions among the population is the possibility of insuring payer risks.

Thus, Letter No. 146-T is a collection of basic recommendations for improving the security of retail payment services provided via the Internet, aimed both at developing risk management and information protection systems on the part of money transfer operators and at increasing the literacy and awareness of users of those services.
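The Letter names four monitoring criteria for payments: frequency, amount, place and recipient. The block below is an added example of how a risk analysis system can turn those criteria into a score and a routing decision (allow, require additional confirmation, or hold for review); it is constructed illustration code, not the Letter's text or any operator's fraud monitoring system. The payment records, the rule weights, the one-hour window and the decision thresholds are all assumptions of the example.

```python
"""Added example: rule-based payment risk scoring on the four criteria of
Letter No. 146-T (frequency, amount, place, recipient)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Payment:
    client: str
    amount: float
    region: str      # place of payment, e.g. a region or country code
    recipient: str
    at: datetime


# Assumed weights; a real system tunes these against observed fraud.
WEIGHT_FREQUENCY = 30
WEIGHT_AMOUNT = 30
WEIGHT_PLACE = 20
WEIGHT_RECIPIENT = 20


def assess(history: List[Payment], new: Payment,
           window: timedelta = timedelta(hours=1),
           burst: int = 5, amount_factor: float = 3.0) -> Tuple[int, List[str]]:
    """Score a new payment against the client's own history.

    Returns the score and the criteria that fired, so an analyst can see why.
    """
    own = [p for p in history if p.client == new.client and p.at <= new.at]
    score, reasons = 0, []

    # Frequency: many payments from this client inside the window.
    recent = [p for p in own if new.at - p.at <= window]
    if len(recent) >= burst:
        score += WEIGHT_FREQUENCY
        reasons.append("frequency")

    # Amount: far above anything the client has paid before.
    if own and new.amount > amount_factor * max(p.amount for p in own):
        score += WEIGHT_AMOUNT
        reasons.append("amount")

    # Place: region never seen for this client.
    if own and new.region not in {p.region for p in own}:
        score += WEIGHT_PLACE
        reasons.append("place")

    # Recipient: first payment to this payee.
    if own and new.recipient not in {p.recipient for p in own}:
        score += WEIGHT_RECIPIENT
        reasons.append("recipient")

    return score, reasons


def decide(score: int) -> str:
    """Route by score: plain allow, extra confirmation (e.g. OTP), or hold."""
    if score >= 60:
        return "review"
    if score >= 30:
        return "confirm"
    return "allow"


def sample_history() -> List[Payment]:
    """Constructed history for one client: small regular payments in one region."""
    base = datetime(2013, 8, 5, 10, 0)
    return [
        Payment("c1", 1200.0, "RU-MOW", "utility-co", base - timedelta(days=20)),
        Payment("c1", 3000.0, "RU-MOW", "grocer", base - timedelta(days=12)),
        Payment("c1", 1500.0, "RU-MOW", "utility-co", base - timedelta(days=3)),
    ]


if __name__ == "__main__":
    hist = sample_history()
    t = datetime(2013, 8, 5, 10, 0)
    usual = Payment("c1", 1400.0, "RU-MOW", "grocer", t)
    odd = Payment("c1", 20000.0, "TR-IST", "unknown-shop", t)
    for p in (usual, odd):
        s, why = assess(hist, p)
        print(p.recipient, s, why, decide(s))
```

The score is deliberately explainable: each fired criterion is reported alongside the number, which is what a monitoring team needs when the Letter's requirement to revise the mechanisms every two years, or sooner when new risk factors appear, comes around.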

2004

IMF: statistics on the causes of payment system downtime, 1996-2004

To the formation of requirements for the security of the infrastructure of the payment system of the Central Bank of the Russian Federation

Strategic sustainability

  • The life cycle of infrastructure components must be at least 15 years.

Availability (downtime per year and the corresponding availability factor):

  • 8.8 hours per year: availability factor 0.999
  • 53 minutes per year: availability factor 0.9999
  • 5 minutes per year: availability factor 0.99999

Integrity, Confidentiality - require further research regarding the impact of implementation overhead on availability.

Disaster tolerance is the ability to maintain availability under force majeure circumstances. If the servers, clients or personnel are destroyed, the process must be restored at another remote location (outside the disaster radius) within the specified time. The distance between the centers required by international financial regulators is ≥300 km.

Manageability: centralized management and maintenance (the infrastructure is not directly accessible to personnel).

Notes

  1. Banks did not appreciate Russian security
  2. Bankers will be sent to exercises
  3. Send VPN mail
  4. Central Bank published uniform rules for processing "digital prints" of customers
  5. The Central Bank decided to regulate the hiring of IT specialists by banks on an outsource
  6. Central Bank demanded compensation
  7. Reverse order: the Central Bank intends to simplify the return of money to victims of cyber fraudsters
  8. Central Bank will oblige banks to close online access to accounts at the request of customers Will this measure help fight fraudsters from the "security services"
  9. The enemy will be defeated, the victory will be for the bank. Central Bank for the first time conducted remote anti-hacker exercises
  10. [https://www.securitylab.ru/news/516334.php , the Central Bank fined 17 banks
  11. for
  12. information security requirements.]
  13. The Bank of Russia for the year initiated the blocking of 7680 fraudulent sites
  14. Information security is expensive. Brokers are not ready to incur additional expenses
  15. , the Bank of Russia issued recommendations on cybersecurity in the context of the coronavirus.
  16. For the first time, the Central Bank will fine banks for the lack of systems for recognizing fraudulent transactions
  17. [https://www.plusworld.ru/daily/cat-security-and-id/banki-soglasilis-na-trebovanija-cb-po-bezopasnosti/?utm_campaign=plas-daily-1612019&utm_source=sendpulse&utm_medium=email the
  18. . Banks agreed to the Central Bank's security requirements.]
  19. campaign=plas-daily-0612019 & utm source=sendpulse & utm medium=email Central Bank identified more than 700 violations in the field of
  20. protection in banks
  21. Central Bank explained three signs of an unauthorized banking operation
  22. The main directions for the development of information security of the credit and financial sector for the period 2019-2021.
  23. Central Bank will introduce a new punishment for banks for poor protection against cyber attacks
  24. the Central Bank of the Russian Federation obliged banks to ensure the cybersecurity of deposits
  25. Bank of Russia said in
  26. to the Central Bank's
  27. Cybersecurity went to base
  28. [https://www.plusworld.ru/daily/cat-security-and-id/tsb-vnes-bolee-10-tys-moshennicheskih-schetov-v-svoyu-bazu/ the Central Bank
  29. , has contributed more than 10 thousand fraudulent accounts to its base]
  30. The Central Bank has fixed the formats for sending messages by banks to FinCERT
  31. The Central Bank has earned a "sandbox" for testing third-party financial IT systems
  32. the Bank of Russia will calculate "black creditors" using Big Data
  33. Central Bank subscribed to spam
  34. Credit institutions will be obliged to inform the Bank of Russia about hacker attacks
  35. The Central Bank ordered banks to check the devices from which customers transfer money
  36. Banks and operators of payment infrastructure services will be required to report to the Bank of Russia on the economic consequences of hacker attacks
  37. [https://www.securitylab.ru/news/493943.php by the Central
  38. Federation will oblige banks to disclose financial damage from cyber attacks]
  39. The Bank of Russia has created an information security department
  40. [https://www.plusworld.ru/daily/cat-news_regulators/tsb-predlozhil-standarty-po-informatsionnoj-bezopasnosti-2/ Central Bank proposed
  41. information security standard]
  42. The Central Bank has identified a list of security threats when working with biometric data
  43. CheckedItem "Draft Directive of the Bank of Russia" On Determining the List of Security Threats to Biometric Personal Data.
  44. portal. Portal Public services
  45. Cybersecurity Directors
  46. The Central Bank of the Russian Federation and the Ministry of Finance will simplify the return of funds stolen from customers of banks
  47. citizens. According to the Izvestia newspaper with reference to the press service of the Central Bank, "questions regarding the new form of reporting are under study.."
  48. Central Bank sees risk on the side
  49. of
  50. million. According
  51. the materials of the Izvestia newspaper.
  52. Financial protection according to GOST
  53. , the Bank of Russia will strengthen control over security in the financial sector
  54. The Central Bank told about the increase in the number of cyber attacks on banks and citizens
  55. , the Central Bank is encrypted from hackers.
  56. Central Bank will help block sites with malicious content
  57. analogue of Adroit Data Recovery Center (ADRC), a data recovery center in Southeast Asia
  58. [http://izvestia.ru/news/641479 of the Central Bank