Bank of Russia works out data protection requirements for non-bank financial institutions


In accordance with the new Bank of Russia regulation, non-bank financial institutions (NFIs) will be required to guarantee enhanced, standard or simplified data protection, depending on the specifics of each institution's operations.

Central counterparties and central depositories will be subject to the highest requirements, while standard requirements will apply to specialised depositories, clearing organisations, trade organisers, insurance companies, NPFs, repositories and professional securities market participants if they reach certain performance indicators. Other NFIs will be subject to simplified requirements.

The regulation lists data protection requirements related to information infrastructure, applied software, and protected data processing.

The document is aimed at countering unauthorised financial transactions and at protecting funds of NFIs and their customers from cyber-criminals.

NFIs will have to conduct annual penetration testing and information security vulnerability analysis of information infrastructure units, and assess data protection compliance. NFIs with enhanced data protection must do so at least once a year, while those with standard data protection must do so at least once every three years.

21 May 2019
