The Federation Council bill should establish a mechanism for financial coverage of risks due to data leaks for companies and citizens

The Federation Council, which is preparing a bill on cyber risk insurance for companies processing personal data, wants to narrow its scope only to the risks of leaks. Operating companies will be asked to either create a mandatory cash fund to compensate for harm to citizens whose data was stolen, or to insure this risk. Insurance market participants welcome the initiative, but, like data operators, they call for more specific wording of the project.

Kommersant got acquainted with the bill of the Federation Council, which should establish a mechanism for financial coverage of risks due to data leaks for companies and citizens. We are talking about compensation for moral and property damage that may be caused to subjects of personal data due to a leak in the operating company. Amendments are planned to be made to 152-FZ “On Personal Data”.

According to the document, personal data operators will be required to either create a reserve fund in the amount “necessary to compensate for moral and property damage to citizens” whose data has become publicly available, or to enter into an insurance agreement covering these risks, or a bank guarantee of financial security for this risk .

The latter, the Federation Council clarified to Kommersant, is a document that the bank issues to the client, pledging to repay his debt to third parties. The mechanism for calculating damage compensation by operators is proposed to be written down separately by the responsible federal executive authorities. Telecom operators will need to provide data to Roskomnadzor. If adopted, the document must come into force no earlier than one month from the date of publication.

The explanatory note states that “data is used by criminals for their sale, fraudulent schemes and theft of funds,” while “the establishment of new fines does not guarantee personal data subjects compensation for the harm caused to them.” We are talking about a bill introduced in December to the State Duma on turnover fines for companies that have leaked (see “Kommersant” dated December 4, 2023).

A discussion of the initiative is scheduled for the end of February, the Federation Council told Kommersant. Among other things, we will talk about which operators the requirements will become mandatory, said Artem Sheikin, deputy chairman of the council for the development of the digital economy under the Federation Council. Roskomnadzor and the Ministry of Digital Development reported that they had not yet received the bill. The Central Bank did not answer Kommersant.

The overall growth in the volume of premiums in the area of ​​cyber insurance in the Russian Federation for 2023 was about 80%, to approximately 1.3 billion rubles, PSB estimated. But the bank includes in this indicator insurance against various types of cyber risks, including the consequences of DDoS attacks (see Kommersant on January 29). According to Roskomnadzor as of February, 936.4 thousand companies are registered in the register of personal data operators.

The National Insurance Information System considers it correct that this type of insurance will be mandatory. But according to the general director of the system, Nikolai Galushin, it is necessary, firstly, to decide how the insured amount is determined, and secondly, to develop approaches and principles for settling losses and assessing damage, and to specify the set of risks. The head of the council of the Association of Professional Insurance Brokers, Katerina Yakunina, clarifies that companies interested in protection against cyber risks seek to invest in the development of their own competencies, and “treats insurance with restraint, including due to the need to disclose information to assess risks.”

At the same time, the Association of Big Data (BDA; unites VK, Yandex, Sber, Rostelecom, etc.) believes that although mechanisms for covering potential damage are an important tool for companies when working with data, now There are no generally accepted approaches to determining the amount of harm to a data subject in case of leaks, “therefore, the process of calculating security is complex and depends on many factors.” The DBA believes that before introducing new regulation, its approaches should be “tested within the framework of self-regulation.” For example, through the practices of the Code of Ethics for Working with Data, a set of rules adopted in 2019 for self-regulation of market participants.

Tatiana Isakova, Yulia Poslavskaya