Enhancing Personal Accountability for Data Security in Banking


When customer data comes under threat, the responsibility does not rest on a company alone. In Russia, senior leaders at banks who oversee information security face the prospect of personal accountability if breaches occur. The Central Bank of Russia has signaled its intent to pursue stronger personal liability for these executives, a stance that was outlined by the regulator’s vice president, German Zubarev, during a high-profile discussion on cybersecurity in finance. The message was delivered to the audience with a clear warning: failures to protect customer information will have consequences that can reach the personal level, including disqualification as a potential penalty for those in charge of safeguarding sensitive data. The remarks highlight a shift toward tying security outcomes directly to the people who are charged with maintaining protective controls across bank systems.

The Central Bank also noted that it has established rigorous professional criteria for those who occupy senior security roles, such as vice presidents of security, with the aim of ensuring that only qualified individuals oversee critical defenses against data exposure. The policy makes it explicit that when personal data is leaked due to gaps in monitoring and protection, the employee responsible for the security of personal databases may be deemed out of compliance with the bank’s standards. In such scenarios, the bank reserves the right to replace the individual with a more qualified professional, emphasizing a move toward accountability at the top of the information security chain.

In late January, Roskomnadzor released figures showing nearly 150 major personal data breaches recorded in the prior year. Over the 12 months, the regulator conducted 78 unscheduled inspections, with breaches confirmed in the majority of reviewed cases. The judiciary acted in response to the incidents, delivering fines close to one million rubles and issuing several warnings after evaluating the evidence. These developments reflect a growing emphasis on data protection compliance and the consequences for organizations that fail to maintain adequate safeguards for personal information across sectors, including financial services.

Taken together, these steps illustrate a broader trend toward elevating the role of information security governance. Corporate boards and senior executives are being called to demonstrate stronger oversight, tighter controls, and clearer accountability for how customer data is stored, processed, and protected. While the precise mechanisms may vary by jurisdiction, the underlying principle remains consistent: personal responsibility is becoming a central feature of cyber risk management for financial institutions, reinforcing the expectation that individuals in leadership positions must model rigorous protection of customer data and respond decisively when gaps appear. This shift has wide implications for risk management practices, regulatory compliance, and the ongoing effort to build trust in the digital financial ecosystem.
