The Central Bank has actually eliminated the problems of banking information security that arose due to the withdrawal of specialized foreign companies from the Russian market. The regulator simply requires certain “compensatory measures” from credit institutions, without specifying exactly what needs to be done. Bankers fear that in the current conditions it will be difficult for them to prove to the regulator the sufficiency of their efforts.
In its letter dated March 28, the regulator asks credit institutions to apply compensatory measures to ensure information security against the background of the sanctions imposed and the withdrawal of specialized foreign companies from the Russian market. Availability of updates and certification of hardware and software are also regulatory requirements. The Central Bank explained that the letter was issued “to support financial market participants” and that the regulator “decided to review the procedure for applying measures against banks for violations.”
According to the newspaper, market participants expected that the Central Bank would clarify its position and make changes to regulations that would allow them to search for analogues of the software and equipment used without the risk of prescriptions from the regulator. At the same time, the Central Bank did not say what exactly the banks should do or whether additional clarifications are being prepared. The regulator referred to GOST “Security of financial (banking) operations …”, but there is no clear description of the measures.
The newspaper’s source said that the Central Bank’s instructions concern the regulator’s payment system and client payments: remote banking and mobile applications. They will also affect anti-fraud systems and perimeter protection, but have nothing to do with the indicators of the continuity of the SBP and the response to incidents of unauthorized payments.
Another task for the bank is to prove to the Central Bank the correctness of the chosen decisions. According to Alexey Lukatsky, since in practice it is not easy for the inspectors from the regulator to prove the sufficiency of compensatory measures, such a letter will mean that specialists have to deal more with “paper security” and write evidence for the regulator, rather than deal with real problems.