10.3. Disclosure of Information
NCC discloses information as a credit organization, a clearing company and a central counterparty, as well as in the course of performing its functions as the commodities supply operator, in compliance with Federal Law 7-FZ dated 07.02.2011 ‘On Clearing, Clearing Activity and Central Counterparty’, Federal Law 395-1 dated 02.12.1990 ‘On Banks and Banking Activities’ and any other regulations and regulatory documents.
The main channel of disclosure is NCC’s website, where information sufficient to form an objective understanding of material aspects of NCC’s activity is posted in the special ‘Disclosure’ section, taking into account the provisions of the law on the components and list of disclosed information. In particular, the website publishes information showing the results, statistics and other data on the Company, including corporate governance, annual results of NCC, financial statements, risk management and clearing activity, tariffs, information protection, etc.
NCC provides all stakeholders with 24/7 access to the disclosed information, which can be reviewed free of charge and without other restrictions. As a rule, any material events or actions of NCC are disclosed by publication of press releases.
In disclosing its information, the Company also complies with the international standards – requirements for information disclosure by the financial infrastructure institutions developed by the Committee on Payment and Settlement Systems of the Bank for International Settlements (CPSS) together with the Technical Committee of the International Organization of Securities Commissions (IOSCO). According to such requirements, NCC regularly discloses the performance metrics on its website.
NCC discloses its financial statements according to both Russian and international standards and discloses additional information on its operations that may be essential for the sole shareholder and other stakeholders, while maintaining a reasonable balance between transparency of the Company and protection of its business interests.
Information is published on the website according to the rules for interaction between business units of NCC in the course of posting information on the website. The document defines the sequence of actions of executive officers / employees / structural divisions and their interaction when posting (disclosing/publishing) information on NCC’s official site and modifying it, as well as the competency and responsibility of divisions concerning the website contents and maintenance.
10.4. Data Protection
During the reporting year, NCC protected the Company’s information based on the normative acts and internal documents of NCC.
According to Regulation 382-P ‘On the Requirements to Protect Information Related to Funds Transfers and on the Procedures for the Bank of Russia to Control the Compliance with the Requirements to Protect Information Related to Funds Transfers’, NCC performed its scheduled evaluation of the compliance of the payment system sections with the established requirements with the engagement of Deloitte, an independent auditor. The evaluation rating is ‘satisfactory’; the compliance level for the last 2 years meets the required level.
The introduction of stay-at-home restrictions in Moscow from the end of March 2020 demanded a sharp change in the approaches to information protection while working remotely. The Information Protection Division therefore took an active part in building the remote access systems, conducting regular access security tests, and organizing the continuous operation of the organization under stay-at-home restrictions, while developing the ‘flexible office concept’ with regard to safety and protection. The stay-at-home restrictions also had a significant effect on the processes ensuring the continuous operation of the legally binding electronic document flow and accelerated the conversion of paper document flow into electronic form while ensuring the legal value, integrity and confidentiality of documents.
Changes in the environment gave rise to NCC’s need to build a more flexible infrastructure. As a result, plans were developed together with IT to upgrade the IT infrastructure while keeping information protection at least at the existing level. The plans provide for a step-by-step upgrade of the infrastructure over 2 years.
During the reporting period, NCC performed a number of tests of protection against penetration into the Company’s infrastructure with the engagement of a third-party company. Such tests were conducted at NCC on an annual basis; however, in 2020 the research scope was increased significantly and covered, inter alia, payment system sections and main back office systems. Based on the test results, objectives were set to develop a procedure for updating the information systems with regard to their security configuration. A system of continuous penetration testing using specialized automated systems is planned to be established.
In 2020, the SWIFT Security Assessment was successfully performed. The assessment demonstrated full compliance with SWIFT requirements, which was captured on the SWIFT customer portal and is available to all SWIFT community members.
In addition, during the reporting year, a number of objectives aimed at improving information protection were attained, i.e.:
- research was carried out and resulted in the introduction of two-factor authentication in the product environment based on the user registrations by the domain controller. As a result, the employees were transferred to remote work and use statutory two-factor authentication;
- the Technical Account Management Policy was developed and introduced, and the technology for upgrading on an ongoing basis was developed;
- the new version of Kaspersky Security Center with FSB and FSTEC certificates was introduced. All infrastructure of NCC was transferred to Kaspersky Endpoint Security 11 and Kaspersky For Windows Servers 10.6;
- as part of compliance with the requirements of information security policies and the Bank of Russia, the new file gateway technology was implemented between two physically separated network segments, and the capacity to provide independent file directories for NCC divisions was configured;
- auditing of changes in domain group membership was configured.
The main efforts on further improvement of the information security system will be aimed at implementing the Road Map for the information security division’s activity, which includes:
- Compliance with the requirements for information protection contained in Regulation No. 683-P, dated 17 April 2019, ‘On Mandatory Requirements for Credit Institutions to Ensure Data Protection in Banking to Counter Unauthorized Funds Transfers’ and Regulation No. 684-P, dated 17 April 2019, ‘On Mandatory Requirements for Non-bank Financial Institutions to Ensure Data Protection in Operations in the Financial Markets to Counter Illegal Financial Transactions’. In this case, the fact that strict requirements for proper security levels are imposed on NCC as a credit institution and a central counterparty is taken into account.
- Engagement in IT infrastructure upgrade according to the initiatives of the business and IT divisions aimed at maintaining the security levels.
- Further strengthening of the information security measures taking into account the changing threats, improved cycle of safe development of NCC’s information systems