Reviews of the financial stability of the Bank of Russia. Financial Stability Review of the Central Bank: Cyber Risk: Threats to Financial Stability and Measures to Manage It
Review text:
Cyber risk is becoming more and more significant in the activities of financial institutions and can potentially have consequences for financial stability if systemically important banks, central banks or financial infrastructure facilities (including payment systems) are targeted by cyberattacks. Attackers are using increasingly sophisticated methods, with cyberattacks shifting from client payment applications provided by financial institutions to the information infrastructure of financial institutions themselves. The activity of intruders is often organized and does not have national borders.
Based on mandatory reporting of information security incidents, the number of reports of unauthorized transfers of money from individuals' accounts made through remote banking services (RBS) is on the rise.
The increase in the number of incident reports is due to the rapid increase in the number of individuals using Internet and mobile banking services. In many cases, cyber fraud against individuals is carried out in quite simple ways, usually using social engineering methods (methods that encourage customers to provide information necessary to make money transfers on their behalf). An effective way to minimize damage from unauthorized transfers from individuals' accounts is for banks to set restrictions on transfers made using RBS, in particular by introducing a limit and additional confirmation of transactions by clients. Checking the quality of payment applications and certifying them also helps reduce the risks associated with unauthorized transfers of funds from bank accounts.
At the beginning of 2016, targeted attacks were recorded that involved substitution of input data for the KBR automated workplace (the automated workplace of a Bank of Russia client), as a result of which attempts were made to steal funds from correspondent accounts opened with the Bank of Russia in the amount of 2.87 billion rubles. The theft of 1.67 billion rubles was prevented: 1.1 billion rubles were temporarily blocked by the financial institutions in which the attackers had opened accounts to make unauthorized transfers, and for 0.57 billion rubles the Bank of Russia suspended the money transfers from correspondent accounts.
The main types of damage from the activities of intruders include:
– direct financial damage associated with unauthorized transfers of funds;
– withdrawal of funds from legal circulation;
– violation of stability in the activities of financial organizations;
– causing reputational damage to financial institutions and the formation of distrust in their activities.
The main reasons for increased cyber risks, according to the Bank of Russia, are:
– presence of vulnerabilities in information systems and payment applications used by financial institutions;
– deficiencies in ensuring information security, lack of proper compliance by financial organizations with the requirements established by regulations and industry standards;
– lack of necessary coordination of the activities of financial organizations to counter mass (broadcast) and typical cyber attacks.
To ensure financial stability and maintain confidence in financial institutions, it is important for the authorized bodies and financial institutions themselves to quickly take measures aimed at reducing existing cyber risks.
Measures to counter cyber attacks in information security and risk management systems of financial organizations. The reasons for the increased risks of cyber attacks are, in particular, the insufficient development of internal procedures for managing these risks by the financial organization, the lack of action plans in the event of cyber attacks, and the incompetence of employees. In this regard, the Cyberattack Risk Management System should be brought into line with the requirements for risk management systems established by the Bank of Russia for banks and non-banking financial institutions. Specialized requirements for information security are established in the standards of the Bank of Russia and recommendations in the field of standardization for ensuring information security.
An important element of an effective cyberattack risk management system is its audit and regular self-assessment. Financial institutions are also encouraged to evaluate service providers in the field of information technologies and to test IT products and services in order to identify vulnerabilities and undeclared capabilities.
Large banks are creating automated tracking and incident response centers (SOC, Security Operation Center), taking into account the best practices for their construction, and discussing the possibility of outsourcing and centralizing individual SOC functions. With the rapid digitalization of financial services, banks with weak information security systems may not be ready to withstand cyber attacks and protect their clients' funds.
Coordinating the activities of financial organizations in countering cyber attacks and investigating incidents. In 2015, the Bank of Russia established the Center for Monitoring and Response to Computer Attacks in the Credit and Financial Sphere (FinCert) to ensure coordination of the activities of financial institutions and law enforcement agencies to counter mass (broad) and typical cyber attacks.
Currently:
– information exchange has been organized with the FSB of Russia, the Ministry of Internal Affairs of Russia and the State System for Detecting, Preventing and Eliminating the Consequences of Cyber Attacks on Information Resources of the Russian Federation (State SOPKA);
– about 300 financial organizations have joined the information exchange through FinCert services;
– state authorities (the FSB of Russia and the Ministry of Internal Affairs of Russia), payment systems, software developers and telecom operators participate in FinCert activities;
– regular notification of information exchange participants about identified information security vulnerabilities has been organized.
When FinCert receives a message about a threat from a participant in the information exchange, it analyzes it, including by examining malicious software, and sends out a newsletter based on the results of the analysis. In the 1st-3rd quarters of 2016, 164 mailings were sent out about identified actual threats of cyberattacks and software vulnerabilities, and the blocking of 362 domains used to collect confidential information and to distribute malicious software and spam was initiated. The FinCert Report for the period from July 1, 2015 to May 31, 2016 published statistics on cyber attacks, a technical description of the main types of cyberattacks, and recommendations for financial institutions on countermeasures for these attacks.
Development of legislation and standards in the field of cybersecurity. Applying modern instruments for reducing cyber risks, and adequate methods of investigation to identify the attacker who committed a cyber attack, is impossible without the development of specialized legislation.
In order to increase the level of coordination of financial organizations in countering cyberattacks, with the participation of the Bank of Russia, amendments to the legislation have been prepared aimed at:
– legislative consolidation of the right of a financial organization to suspend the transfer of funds when signs of a transfer of funds without the consent of the payer are revealed;
– establishing the procedure for the financial organization to act when signs of a transfer of funds without the consent of the payer are revealed, in order to return funds to the rightful owner, and the procedure for returning funds when it is proved that the transfer was carried out without the consent of the client;
– not extending the legal mechanisms aimed at protecting bank secrecy to situations where information about transactions is disclosed in order to prevent and detect transactions performed without the consent of the client.
Also, with the participation of the Bank of Russia, draft amendments to the Criminal Code of the Russian Federation were prepared, providing for the introduction of a new article that establishes criminal liability for such activities as theft of funds held in a bank account and of electronic money, including theft committed using counterfeit payment cards or payment cards owned by another person, as well as interference with the functioning of the means of storing, processing or transmitting computer information.
As part of the work of the interdepartmental working group to coordinate the issues of creating a unified system for countering information threats in the credit and financial sector until 2018, the following is planned:
– creation of legal and technological conditions for conducting a widespread quality check of payment applications by certifying them or analyzing them for compliance with information security requirements in order to control the absence of vulnerabilities and undeclared capabilities;
– creation of legal and technological conditions for the widespread introduction of technological protection mechanisms that implement additional confirmation of instructions for transferring funds when using untrusted environments for generating payment orders, primarily in remote banking systems and when using the Internet;
– development and implementation of national standards of the Russian Federation that establish detailed technical requirements for ensuring information security in financial institutions, as well as the development of an industry set of standards of the Bank of Russia on information security issues;
– creation of an independent system for confirming the compliance of information security in financial organizations with the requirements of national information security standards (external audit of information security);
– creation of legal conditions for the mandatory application of national information security standards in financial institutions, as well as mandatory confirmation of compliance with the requirements of national standards;
– setting capital adequacy requirements for financial institutions based on an assessment of operational risk using the results of an external audit of information security and incident data.
It is expected that improved cyber risk management in financial institutions and coordinated actions to prevent and investigate cyber attacks, continuously improve protections and address vulnerabilities in new technologies will lead to a reduction in cyber risks in the financial sector. Along with this, new approaches to regulation in the field of information security for organizations involved in the provision of financial services will be developed. Particular attention will be paid to improving the financial literacy of users of electronic banking technologies.
The financial stability review is one of the main types of reports reflecting the central bank's point of view on the situation in the financial sector. Regular publication of such reviews is carried out by most central banks of developed countries. The article presents the results of a comparison of financial stability reviews in Russia and abroad and recommendations for improving the quality of information and analytical materials of the Bank of Russia.
Plekhanov D.A. Institute for Comprehensive Strategic Studies (ICSI)
In response to the financial crises of the 1990s, monetary regulators began to pay close attention to the financial stability of the economy. This was reflected in the development of a wide range of indicators of financial stability at both the national and international levels, as well as the transition to the publication of regular reports on the situation in the financial sector. At present, one of the main types of such reports, which has become most widespread among central banks and international financial institutions, is a review of financial stability.
The relevance of monitoring financial stability has increased significantly due to the events that took place in the global financial market in 2007-2008. The liquidity crisis that broke out in the global financial markets in mid-2007 led to significant write-offs of the assets of large financial institutions. Central banks reacted to financial sector problems by lowering interest rates and changing the conditions for granting loans to increase the liquidity of the interbank market.
The events that have taken place in the global financial system have led to the emergence of new initiatives in the field of monitoring financial stability. In the Global Financial Stability Report prepared by the IMF in April 2008, representatives of the fund note that special financial stability reviews are now needed to inform the public about current risks and actions of the monetary authorities aimed at addressing vulnerabilities in countries affected by the effects of the global liquidity crisis.
The publication of financial stability reviews has several purposes. The first and most obvious is to monitor the situation in the financial sector. Thus, the 2007 Financial Stability Review prepared by the Bank of Russia presents the following statement of the purpose of the publication: “The purpose of this review is to analyze the conditions for maintaining financial stability. The publication of the review is aimed at informing the public about a wide range of issues regarding the ability of the Russian financial sector to withstand possible destabilization.”
The publication of the review also pursues another equally important goal: increasing the transparency and accountability of the activities of the central bank. Publishing the results of the analysis and research of central bankers in the review allows experts to make an external, independent evaluation of the activities of the central bank. Thus, the publication of a review can play an important disciplinary role, placing increased demands on the activities of central bank employees in preparing certain analytical materials in a given format.
Distribution of financial stability reviews in the world
Currently, financial stability reviews are published by 57 central banks, i.e. one in three of the monetary authorities that currently exist in the world. The first reviews were published in the second half of the 1990s by the central banks of England and the Nordic countries (Sweden, Iceland, Norway). In the early 2000s the number of central banks publishing financial stability reviews increased dramatically (Figure 1). In general, after the onset of the financial crises of the late 1990s, central banks began to pay increased attention to financial stability issues.
Figure 1. Number of central banks publishing a Financial Stability Review on their websites
On average, since 2002, the number of countries that publish financial stability reviews has increased by 10 countries annually. However, in 2007 the active growth of this indicator stopped. Thus, it can be assumed that all major central banks are already publishing financial stability reviews, and further growth in the number of countries in which reviews are issued will occur at a rather slow pace. At the same time, the regions of Asia and South America have the greatest potential in terms of dissemination of reviews: on the one hand, they have a fairly high level of economic development, and, on the other hand, reviews are less widespread among the countries of these regions than in Europe (Table 1).
It should be noted that the Bank of Russia was also one of the first central banks in the world to begin publishing the Financial Stability Review, in 2001. However, the review has been distributed electronically on the website of the Bank of Russia only since 2003.
Table 1. Distribution of Financial Stability Reviews in different regions of the world
Columns: Countries publishing the Financial Stability Review | Total number of countries in the region | % of total countries
Rows: South America | North America | Central America
Source: central bank websites
... on the level of economic development of the country. Countries where the monetary authorities issue regular financial stability reviews have an average GDP per capita of US$25,000 (purchasing power parity), while in countries where no such reviews exist GDP per capita is on average 3 times lower, at about 8 thousand dollars.
At present, the practice of publishing financial stability reviews is gradually spreading to developing countries. Financial stability reviews are issued on a regular basis in almost all countries of Eastern Europe. In 2006-2007, the central banks of countries such as Romania, Qatar, Pakistan, Macedonia, Kazakhstan, Georgia, Bolivia, Bangladesh and Bahrain began to publish reviews.
Figure 2. Distribution of countries by level of economic development and release of the Financial Stability Review
Comparative Analysis of Review Practices
The Bank of Russia publishes a financial stability review, but its characteristics are inferior to similar reports issued by the central banks of both developed countries and countries with economies in transition. Materials from foreign central banks tend to be longer, provide information on more indicators of the state of the economy and the financial market, and also, in most cases, include the results of stress testing, i.e. quantification of the possible consequences in the event of a crisis situation in the financial market (Table 2).
Elements of “best practice” among central banks also include issuing a Financial Stability Review twice a year (instead of once). Of the 57 central banks surveyed that publish reviews, 26, or 46%, prepare reviews twice a year. In Russia, the financial stability review is published once a year and contains an analysis of the situation on the financial market over the previous year. However, a more urgent problem than the frequency of publication is that this document, prepared by the Bank of Russia, comes out with a significant delay. Thus, the financial stability review for 2007 was published by the Bank of Russia on its website almost four months after the end of the reporting period (April 22, 2008). In developed countries, financial stability reviews tend to be published faster. For example, in a Bank of England report published in April 2008, data for individual indicators are presented up to March 2008.
Most often, financial stability reviews are posted in a special section of the central bank website called “Financial Stability” or “Financial System Stability”. Links to these sections are placed on the front page of the websites of the 4 central banks in order to make it easier for visitors to access these materials. It is also expedient for the Bank of Russia to create a special section of the website dedicated to financial stability, since at present the review is posted in the Publications and Reports section along with materials on the main areas of monetary policy and speeches by representatives of the Bank of Russia. In addition, it is advisable to supplement the placement of the review on the site with the publication in the same section of detailed statistical annexes to the review in Excel format. This practice is quite common in the world and is used by the central banks of New Zealand, Poland, Portugal, South Africa, Sweden and England. Financial stability reviews are quite lengthy documents containing a large number of economic indicators, so supplements to the review in the form of Excel files with data will be of undoubted value to visitors to the Bank of Russia website.
Table 2. Characteristics of Financial Stability Reviews
Columns: Review publication start | Frequency, times a year | Review size (Number of pages | Number of indicators | Number of indicators per page) | Stress testing
Rows, developed countries: Bank of England | Bank of Japan | Bank of Canada | Bank of Finland | Bank of Switzerland | Bank of Korea | Bank of Australia | Average
Rows, countries with economies in transition: Bank of the Czech Republic | Bank of Slovakia | Bank of Hungary | Bank of Poland | Average
Row: Bank of Russia
Source: websites of central banks, ICSI calculations
Content of Financial Stability Reviews
The analysis of the situation in the financial sector, presented in the reviews of central banks, is based on monitoring a large number of indicators. In general, the indicators presented in the reviews can be divided into 3 groups:
- general macroeconomic indicators - indicators that characterize the development of the economy or the financial system as a whole (GDP growth rates, balance of payments dynamics, inflation, etc.).
- indicators of financial stability - indicators that characterize the stability of financial institutions or possible risks to their development (for example, the volume of overdue loans, return on assets, etc.).
- market indicators - indicators that reflect the prices of financial assets (stocks, bonds, options, etc.) or are obtained on the basis of surveys of financial market participants. Indicators of this type reflect, in one form or another, the expectations of market participants. This information cannot be obtained from financial statements and thus is an important addition to forecasting the development of the situation in the financial market.
The balance of indicators used in the Bank of Russia review is shifted towards general macroeconomic indicators, while relatively less attention is given to the indicators that actually characterize the state of the financial system (Table 3).
Table 3. Comparative analysis of indicators used in the financial stability review
Note: Calculations for each central bank have been made based on the latest Financial Stability Review available (as at 1 July 2008)
In Q4 2014 – Q1 2015, the Russian financial system faced a number of problems (falling oil prices, increased payments on debt obligations, downgrading credit ratings), which together led to a significant increase in market volatility. However, the measures taken by the Bank of Russia and the government “allowed us to stabilize the situation relatively quickly,” and “the financial system turned out to be resilient to external shocks,” the Central Bank shares its assessment in the Financial Stability Review published today.
Durable Buffer
According to the Bank of Russia, the external debt of banks and other sectors as of April 1, 2015 amounted to $509 billion, which is $106.6 billion, or 17% less than on October 1, 2014. The main factor in the decline was not the repayment of debt, but its exchange rate revaluation (decrease in the dollar value of debt denominated in rubles and euros as a result of the strengthening of the US dollar).
The Central Bank indicates in the review that companies and banks have a sufficient liquidity buffer in foreign currency to repay external debts.
According to the Bank of Russia, as part of the Central Bank’s refinancing operations in foreign currency, the volume of funds attracted by credit institutions amounted to $36 billion as of June 9, 2015. The amount of the unspent limit ($14 billion), according to the Bank of Russia, is currently sufficient to maintain a stable situation with foreign exchange liquidity in the domestic market. The maximum amount of repayment of the external debt of non-financial companies and banks was planned for the 4th quarter of 2014 - the 1st quarter of 2015, in subsequent periods, the repayment volumes are noticeably lower, reminds the Central Bank.
In addition, the Central Bank notes that as market conditions improve, Russian borrowers began to enter foreign markets more often, and internal placements are also actively carried out. From November 2014 to April 2015, non-financial companies attracted subordinated loans and issued Eurobonds for $6.1 billion, credit institutions for $0.7 billion, according to the Cbonds news agency. The volume of placements of ruble corporate bonds in this period amounted to 1.8 trillion rubles.
At risk - builders and realtors
Nevertheless, the Central Bank highlights several risks for the coming quarters.
The Bank of Russia does not rule out that the expected tightening of monetary conditions in the United States (the first increase in the Fed's discount rate from the level of 0-0.25%, at which it has been for the past seven years) will lead to "moderately negative consequences" for developing countries: the weakening of currencies, rising bond yields, capital outflows. The implementation of stimulus measures in the eurozone "may mitigate the negative consequences of the tightening of the Fed's policy to a certain extent," but the uncertain situation with Greece contributes to increased volatility in world currencies, according to the Central Bank.
Uncertainty also remains regarding the dynamics of oil prices. However, the current level of prices for Urals oil - $60-65 per barrel - is "quite acceptable" in terms of the creditworthiness of Russian oil companies and the fiscal stability of the state budget, the Central Bank believes.
But the Bank of Russia considers “a repeat of the situation that prevailed in December 2014” unrealistic in the current environment and notes: even in the case of an extremely negative scenario (a sharp drop in oil prices, an outflow of capital from emerging markets as a result of rising interest rates in developed markets) the Bank of Russia "has a wide arsenal of tools to ensure the stability of the financial sector."
The regulator is confident that oil and gas companies will maintain a stable financial condition even under the most unfavorable conditions in commodity markets, with an oil price of $40 per barrel. The depreciation of the ruble compensates for the decline in export earnings, and changes in the tax burden as a result of the "tax maneuver" in the current environment are insignificant, the Bank of Russia notes.
At the same time, it sees increased risks for such activities as construction, operations with real estate and rent. Against the backdrop of a decrease in the population's demand for housing and a deterioration in the financial condition of companies renting commercial space, "individual construction and development companies" have significant debts in foreign currency, while the share of their foreign exchange income is limited, the Central Bank notes. In this regard, "the transfer of lending to this sector and rental payments into rubles will help increase the sector's resilience" to foreign exchange risks.
Delay is the main trouble of bankers
The key problem for the banking sector in the coming year will be the realization of credit risks in the face of negative GDP dynamics, the regulator warns. In most sectors of the economy, there is already an increase in the share of "bad" loans against the backdrop of a decline in business activity, the Central Bank states. A significant increase in overdue debt since the beginning of 2015 has been noted in construction, the production of machinery and equipment for agriculture, and trade. Given the high debt burden of the corporate sector, the deterioration in the quality of the portfolio of loans to companies will continue, warns the Bank of Russia.
The situation on the unsecured consumer lending market has also continued to deteriorate over the past six months, but an analysis of the credit quality of various generations of loans (vintages) shows that in 2014 banks significantly tightened lending standards, the review notes. The Central Bank expects that the share of bad loans will peak at 16.5-17% in 2015-1H 2016, after which the situation will improve.
Due to the realization of credit risk, there was a significant reduction in the profits of the banking sector due to an increase in reserves for possible losses on loans, which limits the possibilities for capitalization of banks. Implemented in December 2014, the package of regulatory easing made it possible to increase the sector's capital adequacy by about 1.5 percentage points. The contribution of these incentives decreased by April 1, 2015 to 0.5–1.0 percentage points as the situation on the financial market stabilized, the review states.
The Central Bank notes that the reduction of the key rate in 2015 "significantly reduces the expected losses from interest rate risk", but to limit it, it recommends bankers to "improve management practices" for this risk.