The Bank of Russia will check en masse how well banks are protected from hacking. Organizations whose defenses against hackers are vulnerable will have to increase capital or bear the cost of reserving against these risks, the Central Bank insists.
The Bank of Russia will hold more than a hundred inspections of credit institutions in 2017 to assess the quality of protection of their remote banking services (RBS) systems, Artem Sychev, deputy head of the Central Bank's Main Directorate of Security and Information Protection, said in an interview with RBC. The regulator wants to learn the real state of protection of mobile and online banking against hacking, and of the security of payment transactions made by bank customers.
“This year the traditional topics of inspections of credit institutions included questions about the status of information security systems when making payment transactions. The aim is to examine the actual state of banks' application of information security technologies,” said Sychev. The first check, he said, began in February.
Thus, the Central Bank has moved from its intention to conduct a total audit of banks' protection against cyber threats, which RBC reported in December of last year, to practical action.
There will be sanctions
For banks whose audit results are unsatisfactory, the Bank of Russia intends to take action. The Central Bank is now considering two options: either to require them to increase capital, or to oblige them to form additional reserves on top of the existing valuation of operational risk (including the risk of fraud. — RBC). The reserves would have to be formed in the amount of the average daily balance on the correspondent account, Sychev explained. Which of these measures will be adopted has not yet been decided; the Central Bank should decide on the matter in mid-year.
“So consider what is more profitable for the bank: either to freeze the money or to spend more than a reasonable amount directly on increasing the protection of client money,” said Sychev.
The Central Bank is able to set an individual supplement to the standards (namely the capital adequacy ratio), bankers say. “The regulator may do so in the process of checking the quality of a bank's risk management systems. If the risk is underestimated and the capital held against it is under-reserved, the minimum requirements for capital adequacy (8%) can be increased. The size of the individual supplement can be up to 3 percentage points (to 11%),” says Natalia Tutova, head of risk management at URALSIB Bank.
Expensive, but important
Bankers surveyed by RBC fear any tougher capital requirements. The market participants RBC surveyed agreed to comment on the forthcoming tightening only informally.
For example, an employee of the IT department of a bank in the top 30 by assets believes that both options can be used only as a punishment for inadequate information security. “The measures being considered are likely to ‘thin out’ the banks, causing some players to exit the market,” he said. “They can hit the pocket.”
However, some bankers believe that the Central Bank has grounds for the tightening. The head of a bank in the top 100 by assets suggests that the measure, providing for an increase in the capital adequacy ratio or the formation of reserves, may be a response to banks' reluctance to comply with the Central Bank's requirements on the security of their systems and to heed its recommendations. “At one time the Central Bank developed several distinct methodologies to ensure security. Not all banks, to put it mildly, took them on board, particularly small ones, because it is very expensive. And it is getting more and more expensive. If a bank has many branches, we can be talking about hundreds of millions of roubles,” he says, explaining the problem.
In his words, the following picture has formed: on the one hand, the Central Bank cites examples of hacker attacks and makes recommendations; on the other hand, despite those recommendations, the attacks still happen because the recommendations are not implemented. “In fact, tightening bank capital or reserve requirements is a clear and powerful instrument of pressure on all banks,” says RBC's source.
The growth of attacks and checks
In Russia, cyber attacks on banks increased in 2013, and this is a growing trend, according to experts at the Russian company Group-IB (which investigates cybercrime and fraud involving high technology. — RBC) in a study published in October last year. Whereas from July 2014 to June 2015 hackers withdrew RUB 638 million from Russian banks, from July 2015 to June 2016 the figure was 2.5 billion rubles, the study said.
According to the latest data from the Bank of Russia (presented on 8 February by the Centre for Monitoring and Responding to Cyber Attacks in the Financial Sector (FinCERT)), from October 2015 to March 2016 hackers stole 1.3 billion rubles from banks (theft of $1.6 billion was averted, and hackers tried to steal RUB 0.6 billion from correspondent accounts).
According to a top manager of a bank in the top 50, official statistics do not reflect the real picture, and, sensing that the situation “in real life” is much worse, the Central Bank decided to tighten measures.