Russia's IT & Cybersecurity: Data Protection, Rostelecom Dividends, and Evolving Cyber Threats

A significant legislative proposal is emerging in Russia to enhance data protection requirements for third-party cloud solutions used by financial institutions. The State Duma Committee on Information Policy, Information Technology, and Communications has proposed stricter norms for handling personal data of banking service users when stored in external cloud environments. Currently, the draft bill allows for data transfer without explicit user consent, a point of contention among lawmakers and industry experts. Deputy Anton Nemkin emphasized that personal data processing should always require the consent of the data subject, aligning with federal laws. Legal experts, including Andrey Salomatin and Viktor Rykov, support this, highlighting the potential conflict if a financial organization's consent is revoked while a contractor continues to process data. Ilya Lokhanin further clarified that outsourcing data processing requires obtaining consent from the data subject, as stipulated by Federal Law No. 152 "On Personal Data." The article also touches upon the need for domestic IT providers and a clear selection mechanism for outsourcing partners, with a call to exclude provisions that grant exceptions to companies within the same banking group regarding the need for licenses for technical protection of confidential information. The Central Bank is designated as the controlling body, but concerns remain about the lack of a state control and oversight mechanism for outsourcing and cloud service providers.

The Federal Service for Technical and Export Control (FSTEC) continues to grapple with persistent issues in protecting Critical Information Infrastructure (CII) objects. In 2023, FSTEC identified approximately 700 violations, with common problems including underestimation of an object's category and potential damage, leading to a third of applications being returned for revision. Vitaly Lyutikov, Deputy Director of FSTEC, reported issuing over 1600 orders for legislative compliance and noted that half of the systems have unaddressed vulnerabilities, a situation exacerbated by the withdrawal of foreign software vendors and the cessation of technical support. The immaturity of Russian software developers in secure development practices is also a concern, contributing to a rise in supply chain attacks. The National Coordination Center for Computer Incidents (NCCCI) reported a shift in attack structures for 2023, with professional foreign intelligence services replacing less organized hacktivists. The primary goals of these attacks are data acquisition (38%) and disruption of IT infrastructure (25%). The article also highlights that while data leaks were often faked in 2022, this practice has decreased, though companies still attempt to conceal incidents, hindering investigations.

A recurring theme across the articles is the emphasis on prioritizing domestic IT solutions and ensuring robust vendor selection processes. In the context of IT outsourcing for financial institutions, Deputy Anton Nemkin stressed that service providers should be under the control of Russian entities. The lack of a clear mechanism for selecting IT outsourcing vendors and specific restrictions on foreign states engaging in unfriendly actions against Russia are highlighted as deficiencies in the current draft legislation. The article suggests that accredited Russian organizations with a focus on information technology should be given priority. Andrey Salomatin supports this, noting that IT company accreditation, based on factors like IT service revenue and average labor costs, can serve as a minimal defense against unscrupulous providers. The discussion also touches upon the need for domestic software developers to mature in secure development practices to mitigate supply chain risks.

In a regional development, Ildar Fakhrutdinov has been appointed as the director of the Perm branch of Rostelecom. This appointment signifies a focus on enhancing customer centricity across government, corporate, and mass market segments within the Perm region. Ivan Pichugin, Vice President of Rostelecom in the Urals, expressed confidence in Fakhrutdinov's ability to maintain the branch's high performance and drive new projects. The Perm region is recognized as a vital area for business and the Russian economy, hosting major industrial and trade enterprises. The current emphasis in the region is on the development of digital solutions and the transition to domestic technologies.