Security across the board – Newspaper Kommersant No. 243 (7444) dated 12/29/2022

Cancellation of relaxation in the implementation of information security requirements from next year may complicate the life of small professional market participants. The costs of implementing these requirements have grown strongly this year against the backdrop of the departure of foreign vendors. In addition, the financial performance of many players leave much to be desired. Experts warn that meeting the requirements will lead to an increase in the cost of services and a flow of customers to large players.

From January 1, 2023, the Bank of Russia’s relaxations for non-bank financial institutions (NFOs) regarding information security and operational stability requirements will cease to apply. The National Association of Securities Market Participants (NAUFOR) proposes to keep the non-use of enforcement measures for violation of these requirements next year as well. NAUFOR has repeatedly approached the Bank of Russia with a proposal to “revise the approach to regulating information security in NFOs, to make it more flexible and proportionate,” says its head Alexei Timofeev. However, according to him, “the regulator is not yet ready for this.” The Central Bank did not respond to Kommersant’s request.

The introduction of new cybersecurity standards pursues a reasonable goal – to improve the quality of the service provided, in particular, the number of cases of illegal access to client information and illegal financial transactions should be reduced, Igor Kirillov, head of the treasury of Ingosstrakh-Investments, points out. However, the main problem is the significant costs that market participants will have to pay, Anna Avakimyan, chief analyst at RegBlock, points out, primarily for software. In connection with the departure of some foreign vendors, their products require import-substituting analogues, which can increase costs by 30-60%, the expert believes. The growth of the software load also requires hardware amplification, in some cases, the replacement of servers with more powerful ones. In general, Mrs. Avakimyan estimates the costs at tens of millions of rubles.

In the meantime, the performance of NFOs has noticeably worsened this year. According to the Central Bank, in the first to third quarters, the share of unprofitable professional participants is about 50%, while in the past three years it did not rise above 36%. Another 17–21% of NFOs have a return on equity that does not exceed 10%. The total number of professional participants currently exceeds 500 companies.

The new cybersecurity standards for professional participants “are written inflexibly and in practice the requirements are not feasible for small organizations,” says Dmitry Alexandrov, managing director of Ivolga Capital. According to him, there are about 80% of such people on the market now. Small professional participants include companies with a small volume of securities purchase and sale transactions (up to 100 billion rubles per quarter for brokers and up to 50 billion rubles per quarter for dealers), the number of clients is not more than 2 thousand people, and a small amount of client assets ( no more than 50 billion rubles in brokerage services, up to 10 billion rubles in remote control).

“If the new requirements were introduced with an installment plan of three to five years, then smaller participants with a relatively small client base could smooth out the expenditure burden,” says Ms. Avakimyan. Small professional participants, according to Mr. Kirillov, will become even less competitive as a result, which may lead to a shift in the client base in favor of large participants, which means a decrease in competition in the market and an increase in the risk of concentration on large professional participants.

Ksenia Kulikova, Yulia Poslavskaya