In recent years information security issues have become extremely important for companies in Russia and around the world. For example, in 2015, almost 300 million U.S. dollars were stolen from more than 100 banks and other financial institutions throughout the world. By the middle of 2016, FinCERT, the Russian system of monitoring of cybersecurity incidents in the financial sphere, had registered 21 targeted attacks aimed at thievery of approximately 2.87 billion rubles (approx. USD 48 million). In addition, during 2016, major Russian banks such as Sberbank, Otkritie, Alfa-Bank, VTB, and Rosbank suffered massive DDoS attacks.
These incidents attracted the attention of the state, and as a result Russia has prepared several high-level documents on information security. These documents include the draft Convention on International Information Security and the draft Concept of Cybersecurity Strategy of the Russian Federation. More specifically, the Bank of Russia, in response to cyberattacks on banks, announced its intention to apply enforcement measures to banks with a low level of information security.
However, despite the acts of the regulator and the losses caused by breaches of information security, many companies still pay little attention to information security and take action only after an information security incident has occurred.
In Russia each company is free to establish the key elements of its information security system. Accordingly, a company will assess its risks with consideration for its business strategy and goals and then match these risks with the legislative or contractual provisions applicable to the company’s business to determine the principles, purposes, and requirements applicable to its information processing. The general standards and guidelines adopted by the Federal Agency for Technical Regulation and Metrology and specific CBR standards applicable to banks provide that an effective information security system includes, among other things, adoption of an information security policy and implementation of an information security compliance system.
The information security policy is crucial for a company that wishes to comply with best compliance practices. It can be adopted either as part of a general security policy or as a separate document. It should be approved by a company’s chief executive officer and communicated to its employees and counterparties. The information security policy must cover both general issues (like defining information security and its purposes) and specific issues (like the rights and duties of a company’s employees in the sphere of information security and liability for information security violations). A company should review its information security policy on a regular basis and update it, if necessary – for example, if it intends to launch a new business line. In addition, regular training on its substance and processes should be organized.
In line with the information security policy a company should adopt some additional documentation on the topic and amend its existing standard forms of agreements. A company should have procedures for information sharing about the risks of security breaches, for example, for how to take action in response to information security incidents, investigation of information security incidents, and how to collect relevant evidence. Job instructions for employees as well as employment agreements should contain provisions on information security compliance, including post-termination undertakings. Similar obligations should be imposed on counterparties.
An effective information security compliance system includes regular checks on the status of information security and review by independent specialists who are not involved in maintaining the company’s information security. A company should ensure that information security requirements are observed by their employees and their counterparties and recognize that possible breaches may create serious reputational risks.
A company’s information security compliance system may be further reviewed by the regulator. In 2017 the Bank of Russia has announced that it will check the safety of and introduce compulsory regulation and certification of remote banking services intended for both individuals and legal entities. Particular measures and requirements are still under development.