The new requirements include several mandatory procedures, such as information security audits, penetration tests and certification of the software that banks use. Referring to software use, Alexei Lukatsky, Cisco Security Consultant, told SC Media UK that very often software developers for banks have neglected certification. This has resulted in vulnerabilities appearing in these programs, which are then exploited by hackers.
Lukatsky added that the Central Bank has repeatedly urged developers to address this problem, but to date this has not rectified it. Consequently, the regulator has decided to ban the use of uncertified software in Russian banks.
The new requirements will also oblige Russian banks to conduct annual penetration tests of their systems, as well as complete an external cyber-security audit twice a year.
One of the most important innovations for banks and their customers will be the requirement for the implementation of "separate information and communication technologies" used when conducting payments via the Internet or using "bank-client" systems.
Under the current rules, a single payment request is created on the computer of an accountant, after which it is sent to the bank from the same computer. Under the new requirements, however, the creation of a payment request and its sending to the bank will be carried out from different computers. The Central Bank said in an official statement that this will help reduce the threat of cyber-attacks on banks at this stage.
Enforcement of this latter requirement is postponed until 1 January, 2020, giving banks and their customers time to prepare for implementation.
Finally, all Russian banks will be obliged to respond immediately to any cyber-attacks on their systems, informing the Central Bank in real time by sending relevant notifications of what is occurring. To date, many Russian banks have been reluctant to provide information to regulators about cyber-attacks conducted against them, fearing a loss of trust among their customers and a consequent outflow of funds from their accounts. However, it is possible that the situation will have changed by August this year, as banks that refuse to provide the necessary data will be subject to "huge fines."
Unsurprisingly, the new rules have been criticised by representatives of some leading Russian banks who claim that their implementation will result in significant cost increases.