2021/04/16 14:47:13

Moscow Exchange information security director Sergey Demidov on the growth of cyber attacks and a new defense strategy, in an interview with TAdviser

Moscow Exchange expects 15 million retail customers by the end of 2021. As its base of individual customers grows, so does its appeal to cybercriminals, and the pandemic only adds fuel to the fire. [1] Sergey Demidov, director of the operational risks and information security department at the exchange, spoke about the information security challenges Moscow Exchange has faced and how it responds to them in an open interview at the TAdviser IT Security Day conference.

Sergey Demidov: "The more interesting the market is, the more focused it is on working with individuals, the more interest it attracts from cybercriminals."

Sergey, please talk briefly about the Moscow Exchange and the scale of its activities.

Sergey Demidov: I talk a lot about the Moscow Exchange. This is indeed a unique institution. We are financial market infrastructure, and huge volumes of money pass through us. For example, our trading result for March is 90 trillion rubles. At the same time, on peak days, the volume of trading reaches 4 trillion rubles. We have a partly humorous slide on which we compare this volume with other values: for example, the amount of funding for the state space program for 5 years is 2.5 trillion rubles, and we have a daily volume of up to 4 trillion.

We help the state play its role in the work of the financial system. The Federal Treasury places free money through us, the Pension Fund also receives income and helps the economy to work, and, of course, the Central Bank implements monetary policy. But at the same time, we are, in fact, an IT company. There are no longer people who stand and signal purchases and sales with their hands. All this happens automatically on platforms. In this system we serve, so to speak, as the central link. We have a large machine around which infrastructure is formed, and not even our own, but a web of systems belonging to trading participants and their customers.

The market is two-tier: our direct clients are professional participants in the securities market, such as banks and brokers, and their clients are individuals and companies from the real sector. In 2021, we set a record: we have 12 million individuals. So the Moscow Exchange is a large, scattered web of systems with us at the center.

Sergey, let's look at the Moscow Exchange as a kind of process. A process has performance indicators, metrics. Does information security somehow affect them? Cyber threats, cyber attacks: how did you cope throughout 2020?

Sergey Demidov: The criterion for the effectiveness of any financial organization, any public company, is profitability. Our shares are traded on our own exchange; they can be bought, and you can even make money on them. Our returns are good enough, and 2020 was simply a record year for us. Probably there has been no such growth since the exchange came into existence. This was also due to the fact that the 12 million citizens mentioned above came to this market. The figures are wild: the stock market grew by 73% in trading volume, the foreign exchange market by 26%, which is atypical. The derivatives market, the most attractive for individuals, grew by 80%. Therefore, for us as an organization, 2020 was the best year in terms of profitability.

But given that we are moving into the retail segment, we began to notice that attackers had indeed become more active. We measured and saw that over the past three years, the number of targeted attacks using, among other things, social engineering tools against customers has grown constantly. Over 4 years, their number increased by 60%. As of April 2021, everything accelerated: it grew by 30-35% over the year. The more interesting the market is, the more focused it is on working with individuals, the more interest it attracts from cybercriminals.

There is another group of attacks - these are all things related to sponsored attacks. Unfortunately, we, as part of the financial market infrastructure, are very exposed to them.

When the pandemic began, and the vaccine race, and the US president said that they would respond to cyber attacks, we immediately felt that some people had taken an interest in us too: our site and the entire perimeter of network addresses began to be "probed" from outside. So the situation is twofold: incomes are growing and citizens' interest in investing through organized trading is increasing, but attackers' interest in us, as the platform that organizes this trading, is also growing.

During the pandemic, the total number of attacks did indeed increase; this is a trend. What goals did criminals most often pursue when attacking your services?

Sergey Demidov: It is difficult to single out any one profile. We have a whole web of services, and everything is at risk. But if we talk about 2020, then I would go through the problems in order. First: when we started moving to remote work, we were ready, since we had long since implemented a continuity program, even certified according to the international standard, but the employees were unprepared. We trained them, and there were no problems with the infrastructure either: within a week about 90% of the employees had switched to remote work.

And then we noticed that at home employees perceive threats differently. At home, a person is in a slightly different reality and has a different attitude. Phishing emails increased many times over in just March and April. We realized that things were bad and began to change the approach: talking to people about the dangers almost every week.

In general, we regularly test our employees: we send them emails of various kinds, training their ability to respond to phishing. For example, project teams receive a message from Sergey Demidov, that is, from me: "New information security requirements for the project," and it contains all sorts of bad links. And what do you think? Half fall for it!

This struggle will be eternal. We teach a lot, but phishing does not stand still; it develops. There were good fakes in the emails, touching on covid or vaccines, especially while vaccines did not yet exist. People began to fall for this bait.

But in the story told above, there is a plus: the other half did not believe it and wrote to us. We encourage employees to inform us, and we respond to this. Thanks to this, phishing attacks are more visible.

The second thing that came to light in terms of atypical attacks precisely during the pandemic is the story of the world's exchanges. The story is cool, if you can put it that way, and fortunately, it did not happen to us. The New Zealand Exchange switched to remote work, and hackers immediately took advantage of this, knowing that the local legislation regarding remote work was very strict and employees could not simply come to the office at will. The criminals began to attack the remote access infrastructure and were able to stop the exchange for a week and a half. This is an unprecedented event in the global industry!

The New Zealand Exchange is a large part of the economy of all of New Zealand. The state was forced to intervene, and the armed forces were involved. But until they did, work was at a standstill, and the hackers demanded a ransom in bitcoins.

When we learned about this story, we began to find out through our channels how things were going at other exchanges. It turned out that this is a widespread phenomenon. We immediately went on high alert, expecting that it would start happening to us.

At the end of 2020, you approved and agreed on a new strategy for the development of information security until 2024. I understand that the document may be confidential, but could you name 2-3 axioms or vectors that you have identified for yourself as strategically important for these three years?

Sergey Demidov: The story itself is not new. When we first built comprehensive information security at the exchange, we had our first strategy, and this is the third. We have not only approved it, but also begun to implement it. The strategy is based on 4 pillars. The first thing that is taken into account is the business strategy of the company itself. As of April 2021, the exchange has set three directions: the development of current markets and new instruments within them; the search for new customers (while we currently work more with securities market professionals, in the future we plan to develop work with corporate customers, who also need new investment methods); and the third direction is retail.

We are one of the few exchanges in the world that have seriously moved into real retail. Since 2017, the Bank of Russia has been implementing the Marketplace project. A marketplace means the possibility of creating a completely remote platform where an individual can perform any operation: make a deposit, get insurance, in short, use any product of a financial institution.

At the same time, there were many difficulties. For example, physical identification. You cannot become a client of a bank without such identification. For now, this is worked around with the help of couriers. And becoming a client of several banks at once was out of the question. But in 2020, the corresponding law was adopted, and this allowed us to launch the first marketplace of this type in Russia. It is called "Financial Services"; you can go to the site and make a deposit. It has one of the cheapest OSAGO policies in Russia; I recommend taking a look. I use it myself and save money.

It must be understood that, by going into retail, we get new risks and new options for the company. And in starting to work with corporate customers, we also face new challenges. For example, it turned out that they are more demanding about services, about what is called user experience. In order to attract them, we must invent new reliable authentication services, but ones that are also convenient for them and safe for us.

The second pillar is the IT strategy. IT people understand: if a business has three areas of development, then everyone needs to adapt and name. As a result, they decided to make "two-speed IT." The "first speed" means that we ensure the reliability and availability of the key business. We cannot use agile development methods here, otherwise we will lose reliability. Half-finished functionality cannot be used; it has to be complete from the start. But, on the other hand, when you go into the retail segment, you need to constantly try new products. Therefore, the "second speed" implies experiments.

We split up. At one end, we have secure development, extolled by FSTEC, where standard IT practices are used: waterfall. And at the other end, agile methods are used.

The third pillar in our strategy is current threats. For us, this is phishing and social engineering, targeted attacks. This is a contest of shield and spear, and so far it is hard to say who is winning.

Plus, the pace of IT change is important for us; this is also among the threats. The number of IT changes is growing by 20-30% per year, and we have no free weekends, because changes are made every weekend. And changes can alter the entire security landscape at once, at the snap of a finger. This needs to be controlled, otherwise in literally a couple of weeks everything will change beyond recognition, and we will not keep track.

We invest a lot in artificial intelligence and in behavior analysis, because a person catches all these continuous pinpoint changes with their own eyes worse and worse, and does not see small adhesions inside the noise of network traffic. Therefore, in the next four years, this will be an important area: we want to learn how to control a dynamic IT environment.

The fourth direction of the strategy is regulation. There is no getting away from it. Everyone understands that it weighs heavily. And the Bank of Russia, having received broad powers to regulate information security, has become noticeably more active. As can be seen from media reports, it is reaching beyond the financial sector. In its advisory report, the Bank of Russia has already set its sights on regulating IT companies like Yandex or Mail.ru.

We must meet all these requirements. But we also have a special role. Being in the center of the web, we must help the market adapt to this regulation. Through IT committees and through working with trading participants, we invest a lot in this process. We help them understand how to interpret a particular standard and are ready to arrange consultations with the Bank of Russia, create working groups for meetings with lawmakers and find a common language.

The Moscow Exchange has a subsidiary - MB Information Protection, which provides services in the field of IS. What kind of services and according to what model does it provide? How is the interaction between it and the Moscow Exchange built?

Sergey Demidov: The specific feature of the exchange is that trading participants should have the fastest possible access to the trading core of the exchange. Not only speed is important, but also the so-called jitter, the predictability of the signal passing through the communication channels. All this imposes very specific requirements on the communication channels used in the organization. And at the same time, with the volumes that pass through the exchange, data security is very important. Therefore, a subsidiary, "MB Information Protection," was created, which is a licensed telecom operator and provides communication services to customers of the exchange and other companies of the Moscow Exchange group, while ensuring the protection of information.

In addition, Moscow Exchange is, in essence, an IT company and develops its own software. Now that the Bank of Russia's requirements for secure development have come into force this year, and all products of the Exchange must be evaluated at the so-called "evaluation assurance level" (OUD4) within the framework of GOST 15408, MB Information Protection also has licenses to conduct such an assessment. For now we are focusing on evaluating our own software, although in the future we are likely to be able to provide such services to other companies.

Moscow Exchange has been certified, including according to international information security standards. How do Russian information security standards differ from international ones? Please give the main differences.

Sergey Demidov: Yes, indeed, the Moscow Exchange is certified according to the international standard ISO 27001, and our main types of activity, "trading and clearing," were included in the scope of certification. We began the certification process when there were no clear information security requirements for trade organizers from the Bank of Russia, but even then we understood that we needed a benchmark to measure ourselves against when building an information security system. Such a benchmark is important when demonstrating to the company's management and to investors and shareholders that the chosen path for building information security is the right one.

If we talk about the difference between compliance with international and Russian standards and requirements, then it lies more in the conformity assessment methodology, that is, in how you are checked. In the Russian Federation, they look more at formal compliance and strict adherence to every point of the requirements, while under international standards and requirements the principle of "comply or explain" often applies, which in some cases allows you not to comply literally, explaining to the inspectors what compensating methods are used to fully achieve the goals of ensuring information security.

Recently, we have seen that regulators in the Russian Federation are also becoming more flexible. I hope that in the near future, as abroad, we will be able to build information security using more flexible methods, adjusting to current threats.