Credit institutions are to inform the Bank of Russia about hacker attacks


Starting 1 July 2018, banks and payment infrastructures are obliged to inform the Financial Sector Computer Emergency Response Team (FinCERT) of the Bank of Russia about hacker attacks and their technical parameters. Until now, this information was provided on a voluntary basis.

For several years, this information exchange has been actively used by both financial institutions and law enforcement agencies. Bank of Russia Ordinance No. 4793-U has made it mandatory for banks. The regulator will use the information received from banks to develop recommendations for financial market participants on countering identified cyber threats. These include unauthorised funds transfers and disruptions in the smooth provision of payment services, including unauthorised access to devices, exploits, malware, DDoS attacks, password attacks, phishing, etc.

Now, to ensure a higher quality of protection against cyber threats, credit institutions shall use only certified software to make funds transfers and shall test such software on a regular basis. Security adequacy will be assessed by organisations duly licensed by the Federal Service for Technical and Export Control (FSTEC). Another new mandatory measure is the involvement of third parties to assess compliance with the requirement to ensure information protection during funds transfers.

The document also lays the legal foundations for import substitution in important payment infrastructures, using Russian certified data encryption tools whose compliance with the requirements is officially confirmed by the Federal Security Service.

Additionally, the Bank of Russia’s document introduces a requirement for the mandatory separation of the software used to prepare and to confirm payment orders, including in remote banking services. This will help to protect bank customers against hacker attacks.

28 June 2018
