Ten-year quarantine: controversial bill may end career of TOP bank managers

Brother

The Bank of Russia proposes to increase the personal responsibility of deputy heads of information security for data leakage.

A new draft law is being discussed in Russia that introduces special requirements for the qualifications and business reputation of deputy chairmen of financial organizations responsible for information security (IS). The document, prepared with the participation of the Bank of Russia, is at the stage of interdepartmental approval, the Central Bank told Izvestia.

According to the draft law, it is planned to increase the level of personal responsibility of the bank's deputy head for information security for violations in information protection that lead to the leakage of personal data or bank secrecy. These changes will affect not only banks, but also insurance companies, pension funds, and microfinance organizations.

The bill introduces a ten-year term during which the deputy chairman for information security is prohibited from holding this position — if before that he worked in a financial organization in the same position during a period when there were violations of information security requirements (and during the year some measures were repeatedly applied to it).

The bill drew criticism from the National Financial Market Council (NSFM). Representatives of the NSFM expressed concerns that such measures could worsen the already difficult shortage of specialists in this field.

In addition, according to the NSFM, in the current version of the draft law there is no direct link between the activities of a particular person and his disqualification. For example, if the database was leaked by an insider subordinate, then their manager is automatically disqualified for 10 years, even if he is not involved in the incident in any way.

The NSFM's review also emphasizes that the proposed penalties are much tougher than the existing sanctions for official offenses provided for in criminal and administrative legislation. Thus, in the Criminal Code, the deprivation of the right to hold certain positions or engage in any activity is established for a period of one to five years. According to the Administrative Code, which regulates, among other things, violations in financial activities, the terms are even shorter — from six months to three years.

The National Financial Market Council proposes to reduce the period of disqualification from ten to three years.

Experts emphasize that information leaks are not always associated with incorrect management actions. Often, leaks are caused by end users or complex targeted attacks, where the influence of top managers is limited.

Izvestia sent requests to the largest Russian banks about their attitude to the bill, as well as to the Ministry of Digital Resources and the Ministry of Justice.