Cybersecurity audits may become annual


Large Russian IT companies, telecom operators and banks have agreed to conduct an annual audit of their security systems. This is documented in the industry data protection standard prepared by the Big Data Association (BDA, whose members include Yandex, VK, Sber, Gazprombank, Tinkoff, Rosselkhozbank, MegaFon, Rostelecom, Beeline, MTS, VTB, Avito and others). Vedomosti has reviewed the document. The rules set out the basic criteria for a reliable data storage and protection system, intended to make the handling of data more secure.

It is expected that compliance with this standard will reduce the size of the turnover fine for data leaks from companies. The bill on such fines has been discussed since the spring of 2022. In the summer of 2023, the government prepared a response to the bill; it should be submitted to the State Duma in the near future.

Now the Code of Administrative Offenses provides for fines for leakage of personal data (PD) for legal entities in the amount of 60,000 to 100,000 rubles, for a repeated offense – up to 500,000 rubles. The new bill provides for a fine of 1% of the annual turnover of the company that allowed the leak. The fine will increase to 3% if the company tried to hide the problem, but may be less if the company certifies its infrastructure in accordance with security requirements.

The BDA document provides a scoring system based on metrics that allow one to draw a conclusion about the effectiveness of the organizational and management processes that PD operators use to protect information.

A company that stores more than 500,000 records in databases or has a critical risk profile, that is, “due to its geopolitical location, industry sector or specific profile, the enterprise operates in an environment with a heightened level of threats,” can receive 18 points if a number of conditions are met.

In particular, the company should provide for managing user accounts and promptly changing access to the organization’s various systems, for example when an employee moves to another position. Organizations should also introduce two-factor authentication and maintain a list of permitted and prohibited software and firmware. Another requirement may be the creation of an information security unit within the organization.

In the event of an information security (IS) incident, a response window of 36 hours should also be defined, and an action plan should be developed for operational failures, so that personnel understand what actions to take in such a situation.

The document is an important initiative of key players in the IT industry, says Irina Levova, director of strategic projects at the Big Data Association. The proposed measure will ensure the highest level of data protection at the industry level, she adds.

In recent years, at least four members of the BDA have had large data leaks, which were widely discussed by the public and users, notes Tatyana Nikonorova, leading information security consultant at Innostage. The requirements described in the standard should already have been met by many organizations processing personal data in Russia, she points out. The problem lies precisely in the motivation and incentives for this process, which the upcoming bill on turnover fines should solve, the expert notes.

Yandex is constantly improving its data storage and protection systems and regularly undergoes security audits; the industry needs a unified standard, says Anna Zinchuk, head of the company’s cybersecurity compliance and training service. The introduction of voluntary audits of companies’ information security systems will allow real control over their implementation and use, says Alexander Matskevich, head of the department for interaction with federal authorities at MTS.

There are quite a lot of risks associated with data security, noted Yaroslav Shitsle, head of the IT&IP Dispute Resolution department at the law firm Rustam Kurmaev and Partners. “These could be hacker attacks due to data insecurity or, rather, due to the insufficient range of capabilities of data operators. These could be technical failures that could trigger theft or data leakage; this could also be caused by the negligence of those in charge, including due to the fact that there is no special unit or specialized education,” he says.

Risks are associated with violations of the confidentiality, integrity and availability of data, lists Pavel Kuznetsov, director for strategic alliances and interaction with government authorities at the group of companies “Garda”. Information may leak, be altered, or become temporarily or permanently unavailable after a ransomware attack, he gives as examples. This also includes reputational risks and risks associated with loss of profit, adds Nikonorova.

Despite the proposed standards, there must be specific liability for violations of obvious requirements and regulations, which is why the bill on turnover fines for data leaks is still relevant, Shitsle believes. “Voluntary enforcement of codes of practice will not keep the data situation under proper control,” he says.

The bill and the industry standard cannot replace each other; they have different purposes, so they must complement each other, says Egor Lednev, director of services at the IT company RooX. “The bill on turnover fines for personal data leaks contains information about what objects need to be protected and what penalties are provided for an insufficient level of protection of these objects. The standards, in turn, describe exactly how this data needs to be protected,” he notes.

Most likely, there is no question of replacing penalties for leaks with this standard, Kuznetsov agrees. “The project looks more like a formalized set of measures that the PD operator can apply in order to minimize the risk of leakage,” he points out. At the same time, the expert notes the practical applicability of the measures listed in the standard.
