Report on the Description of the NSD Controls, Suitability of Controls Design and Operating Effectiveness - page 15

Report on the Description of the National Settlement Depository Controls, Suitability of Controls Design and Operating Effectiveness,
12 October, 2015
The insurance policy covers all property interests of NSD (policy holder) related to any damage
inflicted upon them as a result of financial frauds and cyber-crimes (willful misconduct of the
policy holder's employees and third parties), as well as losses arising from a failure by the policy
holder to perform their professional duties to third parties.
The insurance policy covers the types of NSD's activity that are carried out in accordance with its
valid licences, incorporation documents, and contracts, as well as:
clearing services;
depository related services;
services associated with safekeeping of securities not related to the depositary services; and
services related to the performance by NSD of the Central Securities Depository functions.
NSD has been procuring packaged insurance programmes for more than 10 years. No
insured events occurred over that period.
Information security
The information security (IS) framework at NSD complies with Russian law, a set of
standardisation documents issued by the Bank of Russia (Maintenance of Information
Security of the Russian Banking System Organisations – hereinafter, the Bank of Russia
Recommendations on Standardisation, or RS BR IBBS), the NSD's Information Security Policy,
as well as a number of best practices and international standards.
This framework is designed to safeguard assets of clients serviced at NSD, as well as banking,
settlement, and information automated solutions in place at NSD.
The responsibility for effective management of the information security risk at NSD is vested in
the Information Security Department that works to counter potential threats and exposures. In
accordance with the RS BR IBBS requirements, the Department actively participates in the
development of specifications, implementation of software and hardware solutions, performs
vendor due diligence, regulates user access and separation of duties process, sets up and
provides technical support for the information protection means, assigns access rights, and
maintains key information. In 2014, a new function responsible for the security of NSD's
business processes was launched and staffed.
To maintain and enhance the achieved IS level, NSD develops information protection solutions
designed for automated systems. In the reporting year, the Company launched and successfully
completed the project aimed at implementing a vulnerability testing system, made
improvements to the automated system of IS related events monitoring, implemented an
automated system for recording user authorities and rights, and started the test operation of the
centralised access control system on the IDM platform. Also, a confidential information leakage
protection solution was deployed. The above-mentioned improvements made it possible to raise
the level of security of NSD's IT environment as a whole, and of its critical information
systems in particular, and to substantially mitigate regulatory and operating risks arising from
the use of digital solutions.
The Company consistently conducts organisational activities to prevent unauthorised
access to sensitive information. The coverage of the IS system has been expanded, and more
rigorous controls over the actions of users of information resources were put in place, resulting
in a higher efficiency and speed of response to detected deficiencies. The results of control