Information Security Department
The Information Security Department develops and implements the Bank of Russia’s policy in the sphere of the regulatory framework for the information security of financial institutions, as well as control and supervision over its fulfilment. The Department also interacts with market participants on issues concerning information exchange about threats to information security, which are relevant to organisations supervised by the Bank of Russia.
The Department is involved in the preparation and inter-agency approval of federal laws, Bank of Russia regulations, as well as letters with recommendations, and other documents on the issues of information security, cyber resilience and the application of information technology with regard to financial institutions (excluding issues of ensuring the security of information constituting a state secret). This work is in part based on the analysis of financial, regulatory and supervisory technologies in terms of risks to information security. International practices concerning the standardisation and regulation of information security are also taken into consideration.
In the sphere of the regulatory framework, the key objective of the Department is the transition to the comprehensive organisation of information security and cyber resilience of credit and financial institutions. It is planned that the information security of financial institutions will be implemented at three technological levels: infrastructure, application software, and data processing technologies.
Another important objective of the Department is the regulation and control (supervision) of information security, cyber resilience and the application of information technologies in relation to financial institutions. To this end, the Bank of Russia is going to switch to a risk-based approach in its supervisory activities in the sphere of information security and obtain objective data showing the level and quality of cyber risk management at all credit and financial institutions. This will help draw conclusions about their cyber resilience and operational viability, as well as about the impact of cyber risk on the level of financial stability in the Russian financial market in general. Moreover, information on consumers’ financial losses will help elaborate strategies and plan specific measures for the protection of their rights and legitimate interests.
Additionally, the Department participates in the implementation of Bank of Russia projects in the sphere of new financial, regulatory and supervisory technologies. The Department’s specialists analyse risks to the information security of technologies, and prepare solutions to mitigate these risks. They also formulate proposals on technological support for the regulatory framework and standardisation, and interact with key international platforms on the issues of information security and financial technologies.
Information exchange on current threats in the sphere of information security is also one of the objectives of the Information Security Department. For this purpose, in 2015, the Security Council of the Russian Federation made the decision to set up the Financial Sector Computer Emergency Response Team (FinCERT), which was subsequently included in the structure of the Department.
At present, FinCERT is building a single system to counter threats in collaboration with stakeholders among federal executive bodies, financial institutions, and Bank of Russia structural units, and it is also involved in the elaboration of the methodology for control and supervisory activities. The Centre organises and coordinates information exchange between the supervised entities and law enforcement authorities, monitors public resources on the Internet in order to identify and prevent information attacks, interacts with foreign computer emergency response teams, and conducts computer research. Information thus received forms the foundation for future recommendations and analytical materials on information protection in the course of money transfers.
FinCERT is also engaged in off-site control of the protection of information during money transfers, participates in Bank of Russia inspections, and organises measures to counter Internet phishing and fraud that uses social engineering against financial institutions’ clients.