Russian c-bank outlines new requirements about reporting the consequences of cyber incidents
The banks and payment services providers will have to provide information about the amount of money affected during cyber attacks and the amount returned to clients.
The Central Bank of Russia will change the reporting requirements for banks and operators of payment infrastructure, effective July 1, 2018. The new rules concern the reports about cyber incidents. The companies will have to submit more detailed information regarding the economic consequences of these incidents for the operators and their clients.
In particular, the operators will have to report to the central bank about the amounts of money that were targeted by hackers and the amounts of money that were actually stolen during a given period. The regulator will require the banks and operators to report the precise sum that they returned to their clients affected by a breach.
The companies will also have to submit information about the quality of their money transfer services during such incidents.
The new information will allow the Central Bank to see how the firms it regulates comply with existing laws, especially the law “On the National Payment System”. In addition, the regulator will be able to gauge the level of risk management at banks and payment transfer operators. Furthermore, the Central Bank hopes that the new requirements will enhance the credibility of information that firms submit about data breaches that occur during money transfers.
The statement by the Bank of Russia is issued shortly after Lyndon Nelson, Deputy CEO of the Bank of England’s Prudential Regulation Authority (PRA), indicated that the BoE will require banks to have measures in place to deliver services resilient to cyber incidents.
According to Lyndon Nelson, firms will be expected to set their own tolerances for key business services. These tolerances will have to be in the form of clear metrics indicating when a disruption would represent a threat to a firm, to consumers or to financial stability. The Bank expects firms to test their tolerances and demonstrate to their supervisors that they have concrete measures in place to deliver resilient services.
In addition, firms will need to clearly define and regularly test their approaches to incident management. These should also include good communication plans both internally and externally.
Furthermore, firms need to be able to recover from an operational incident. This requires viable, tested contingency plans for the resumption of critical functions.