Digest of Information Security Regulation. January – March 2025

Hello, tekkix! We continue our series of reviews on laws, orders, decrees, and regulatory initiatives related to information security. In this article, we cover what has changed in information security regulation since the beginning of 2025.

1. Fines again: initiative to amend the Code of Administrative Offenses of the Russian Federation

What happened?

Officially: The State Duma is considering a bill to amend the Code of Administrative Offenses of the Russian Federation to toughen liability for violating information security rules.

In practice: it is proposed to increase fines:

  • For using uncertified information security tools: 50–100 thousand rubles for legal entities, 10–50 thousand for officials. In both cases, the security tools may be confiscated.

  • For violating statutory information protection requirements: the same amounts for legal entities and officials, but without confiscation of the security tools.

Commentary:

The proposal to increase fines came after analyzing information security events in state sector information systems. Government experts found: more than 70% of incidents that affected these resources were caused by insufficient protective measures from those responsible for information security. Critical vulnerabilities were found in 40% of systems, through which even a rookie hacker could do serious harm.

Information security specialists and state sector organizations are mainly at risk of fines. The amendments coincide with the development of a decree on testing state information systems for security. That's why government agencies should think seriously about searching for and closing vulnerabilities, excessive permissions, and other security weak points. SIEM systems can help find them. With small info-sec budgets, lack of experienced staff and hardware, it may be reasonable to consider “boxed” solutions of this class: SIEM is not necessarily rocket science.

2. Getting serious about cybercrime: draft law on combating ICT crime

What happened?

Officially: On April 1, the State Duma adopted a law on creating a state information system for combating offenses committed with the use of ICT, and making amendments to certain legislative acts of the Russian Federation.

In practice: The Ministry of Digital Development will create a state information system to collect data about cybercrimes from organizations and citizens. Upon request and under conditions of confidentiality, the Ministry of Internal Affairs and the Investigative Committee will be able to receive this data. Also, employees of public sector organizations and financial institutions will be forbidden from conducting official communication with citizens through foreign messengers.

Commentary:

Combating cybercrime is one of the priorities of the new national project “Data Economy”, which is why so much focus is being given to this area. In light of the new law, the most important thing will be to raise the level of protection for major data operators, especially financial institutions. This will deprive criminals of the information base for their “work” – citizens' data.

It's absolutely realistic to fulfill the new requirements: all necessary information security tools are already available on the market. For example, DLP will monitor the use of foreign messengers and block attempts to send confidential data there. DCAP solutions will help find sensitive data in sprawling information systems and proactively protect data from being exported.

3. Critical amendments for critical systems: changes to the law on the security of critical information infrastructure

What happened?

Officially: a law has been adopted on comprehensive amendments to Federal Law No. 187-FZ "On the security of critical information infrastructure of the Russian Federation".

In practice: the government will be able to establish:

  • lists of typical critical information infrastructure (CII) objects,

  • features of categorization by sectors,

  • requirements for software and hardware means at significant CII objects,

  • procedures and deadlines for their implementation,

    as well as monitor the transition of CII subjects to Russian solutions.

It is established that continuous interaction with the State System for Detection, Prevention and Elimination of Consequences of Computer Attacks (GosSOPKA) is required not only for CII subjects but also for all government bodies and institutions. The GosSOPKA system will collect data on computer attacks along with incident information.

However, individual entrepreneurs (IE) are no longer considered CII subjects.

Commentary:

The changes are significant, but some procedures, such as categorization, are simplified. Organizations will be able to refer to established lists to understand whether they are CII subjects, which objects require attention, and what measures are needed to protect them. First, this will help avoid mistakes in categorization. Second, organizations with relevant IT objects will not be able to avoid being recognized as CII subjects.

The government is also taking control of the issue of import substitution. Requirements for replacing software and hardware will be "imposed" on organizations, and their timely implementation will be monitored.

Cybersecurity tasks are also assigned to public sector organizations: all government bodies and state institutions at the federal and regional levels. Now, regardless of whether they belong to CII, they need to identify incidents and interact with the National Coordination Center for Computer Incidents (NKCKI), and accordingly monitor their IT infrastructure. Such measures are implemented using SIEM systems. It is preferable that these systems be easy to manage and directly integrated with GosSOPKA, so that even government organizations with limited resources and no experience in solving such tasks can cope.

4. Classified information for everyone: new procedures for handling restricted-use official information

What happened?

Officially: a draft Government Resolution of the Russian Federation "On amendments to the Government Resolution of the Russian Federation of 03.11.1994 No. 1233" has been published, updating the requirements for processing information "for official use" (DSP, the Russian abbreviation for this restricted-use category).

In practice: the security requirements for restricted-use official information now apply to all operators of such data. Previously, the rules were established by separate acts for different organizations. Now, all organizations handling DSP information, including regional and municipal authorities and institutions, are recommended to standardize their regulations on working with such information. They should bring its protection into line with the new requirements for cybersecurity in public sector systems being prepared by FSTEC. We discussed them in the previous digest.

Commentary:

This draft went largely unnoticed, but it is truly significant: it introduces unified data protection rules for information for official use, aligning them with FSTEC requirements. Previously, these requirements were regulated separately, with the main focus often on protecting information in paper form.

The new draft streamlines the accounting, storage, transfer, and protection of DSP data in electronic form. In effect, all public sector organizations will be recommended to implement a data-centric approach to protecting official information, take control over actions with such data and its movement, and block leaks.

The process of bringing the processing and protection of yet another large category of data to a common standard will be simplified by security tools. DCAP systems will allow organizations to find, account for, and mark files containing DSP in all file storages, as well as segregate access to them and prevent their loss. Such solutions are simple enough and undemanding: even a small budget organization can implement and effectively use them.

5. Not only personal data: tougher Article 183 of the Criminal Code for leaks

What happened?

Officially: In April, the State Duma will consider a bill amending Article 183 of the Criminal Code (Illegal acquisition and disclosure of information constituting commercial, tax, and banking secrets).

In practice: A higher minimum criminal punishment for disclosing such information is being introduced. If the crime is committed for personal gain, by a group of individuals, or causes major damage, a minimum of 2 years in prison will be imposed (the maximum remains unchanged at 5 years). If the incident leads to serious consequences, the minimum punishment will be 3 years (maximum 7 years). Additionally, courts will be able to fine those responsible for leaks: up to 5 million rubles in the first case, and between 1 and 5 million in the second.

Commentary:

The explanatory note states that the bill was created to combat leaks from customs systems. In reality, it covers violations in many areas: the financial sector, public administration (especially in the tax sphere), and enterprises in various industries.

Commercial and banking secrets are an attractive target for insiders: this information is valued on the black market and is useful to any business competitor. The adoption of this bill and the new, harsher punishment could potentially stop some insiders "on approach", that is, simply scare them off.

For more determined violators and accidental incidents, security tools will help. DCAP will prevent commercial secrets from mistakenly falling into the hands of those not supposed to work with them. DLP helps fight intentional "leakage": it blocks the downloading and sending of data. When investigating an incident, DLP makes it easy to quickly find the culprit and gather proof of their involvement. This will help bring insiders to justice. Having a conviction against the offender makes it easier to claim compensation for damages when commercial secrets are affected: court practice confirms this.

In the first quarter of the current year, regulators turned their attention to the protection of confidential information that is not personal data. This is definitely a plus, since businesses lose not only personal data: for example, information about deals is leaked much more often. The tightening of liability for direct perpetrators, now effectively for any leaks, is a serious step to deter them.

Another important trend this year will be the fight against cybercrime. Regulators are formalizing already established protection practices, making them mandatory for everyone. It’s encouraging that there are solutions for this on the market and that the necessary experience has been gained.

We’ll tell you how the situation develops at the end of the second quarter. Stay tuned! In the meantime, we’re sharing materials that will help you meet the new regulatory requirements:

  • Guideline: “Using SIEM Systems to Meet Regulatory Requirements.” Explains how a single solution can fulfill over 20 FSTEC requirements for the protection of critical information infrastructure and personal data.

  • Manual: “How to Manage File Access.” Provides detailed instructions on automating the search for protected files, setting up access, and avoiding dangerous mishaps during file handling. Suitable for working with DSP files, personal data and trade secrets.

  • Checklist: “5 Steps to Implementing Trade Secrets Protection.” Outlines the organizational measures needed to introduce a trade secrets regime and use information security tools so their metrics can serve as evidence in case of an incident.

  • Webinar recording: “Simple Solutions to Acute Information Security Problems.” Alexei Parfentyev, Deputy CEO for Innovation at SearchInform, explains how to meet information security requirements in the face of staff and budget shortages.
