On September 12, 2019, it became known that the Central Bank has a new punishment for banks for poor cyber defense. By the end of the year, the Central Bank will launch a new feature for credit institutions, it will be the risk profile on the level of information security.
This indicator, according to Artem Sychev, the first Deputy Director of the Information Security Department of the Bank of Russia, will show the likelihood of problems for the Bank due to non-compliance with cybersecurity standards.
The risk profile will be formed on the basis of four characteristics, including the share of unauthorised card transactions and the bank's readiness to repel an attack. In addition, the risk profile will be taken into account in assessing the economic situation of the bank along with the amount of capital, profitability, liquidity, quality of management, etc.
Depending on the risk profile on the level of cyber security, the Central Bank will give recommendations to banks.
The calculation of the risk profile will allow us to evaluate how the bank’s management responds to emerging cyber threats, the Central Bank added.
A financial institution that receives a low-risk profile will have consequences ranging from enhanced supervision to penalties. Moreover, this will affect the loan terms at the interbank market.
Sychev stressed that the Bank of Russia sees a connection between the way the Bank relates to information security issues and its financial stability.
Nobody before in the Russian Federation or in other countries has determined such indicators that help the regulator (the Central Bank) to form an opinion about the situation, whether it achieves the goals of the regulation or not from the point of view of information security,” Sychev explained.
It is worth noting that on September 12, the Bank of Russia recorded a “rather serious” cyber attack on Russian banks from Brazil, said Artem Sychev.
According to him, it was a BIN-attack, in which bank card numbers are generated using a special program.
Sychev noted that the direct interaction of each of the attacked banks separately with the representative of Brazil did not give results. The attacks stopped only after the interaction of the Central Bank with the Brazilian regulator.
