Sberbank Wants to Save Skeptical Russian Rivals From Hackers

  • Lender offers to protect other banks against online criminals
  • Cyber-umbrella raises competition questions, analysts say

A wall of screens blinks with dozens of data incidents at Sberbank PJSC’s cybersecurity war room that monitors 16,000 branches across Russia. An ex-employee’s ID used to enter the system -- a level 3 threat. An ATM catches a virus after it’s serviced -- level 9. A level 10 threat, the equivalent of a Code Red, would be if the bank’s ATM network became infected.

Now the country’s biggest lender wants to bring other Russian banks under its digital umbrella, a move some analysts say may give it an unfair competitive advantage. State-owned Sberbank is cooperating with the Federal Security Service while the lender crafts a nationwide cybershield for use by other financial bodies that it says are woefully unprepared to fight off hackers.

“As a rule, what usually happens is this: they beg us to come, help, and clean it up,” Stanislav Kuznetsov, Sberbank’s deputy chief executive in charge of cybersecurity, said of other financial institutions in an interview. “We come and clean it up, but there are times when the very next day they’re infected again.”

While the U.S. accuses state-backed Russian hackers of stealing computer data to influence the presidential elections, officials in Russia say banks are the targets for increasingly sophisticated online crime. Police made their biggest breakthrough against hackers in June when they arrested 50 members of an alleged cybergang that stole more than $45 million from Russian banks. Malware used by Russian and eastern European cybergangs was also implicated in a string of bank heists this year that culminated in the theft of $81 million from the Bangladeshi central bank.

Social Unrest

Growing numbers of hacking attacks on Russian banks risk provoking social unrest by undermining trust in the electronic payments system, Oksana Dokuchaeva, a cybersecurity specialist at the FSB, said at a tech forum in Moscow on Wednesday. Banks should be required by law to report incidents to the central bank’s cybercenter, and should work more closely with each other and with law enforcement, she said.

Sberbank, which holds nearly half of retail deposits in Russia, spends about 1.5 billion rubles ($23.4 million) annually on cyberdefense. By comparison, JPMorgan Chase & Co. spends $600 million annually. The Moscow center’s head, Dmitry Blokhin, said Sberbank’s investment was vindicated during a recent visit to Silicon Valley in the U.S., when meetings with International Business Machines Corp. and Stanford University confirmed that it meets best practice in information security.


Kuznetsov said the bank doesn’t yet charge for helping other institutions. That may change if discussions on a joint anti-fraud monitoring system are successful. Sberbank’s platform for other banks will be a commercial product working in line with the central bank’s proposed methodology, an official with knowledge of the situation said, asking not to be identified as he isn’t authorized to speak to the media.

Financial institutions have to agree on a “unified interface that will be comfortable for everyone,” said Sberbank’s head of cybersecurity methodology, Alexey Volkov.

Officials at the lender said a new subsidiary, Bizon, is a key element of its expansion strategy, and will be the vehicle for a nationwide anti-fraud system that may develop into a competitor to Kaspersky Lab, Russia’s only globally known cybersecurity company. The bank isn’t disclosing how exactly it plans to deal with other lenders under a single cybersecurity umbrella.

Data Sharing

While some smaller banks may be interested in the offer, “big banks already have defenses set up and don’t want to outsource it,” Dmitry Volkov, an executive at cyber-investigations company Group-IB, said by phone in Moscow. “It’s not a given that Sberbank will find outside clients who want to give them access to their networks.”

Banks will worry that the need to share decoded data may lead to clients being lured away, said Alexander Lyamin, head of Moscow-based cybersecurity firm Qrator Labs, which specializes in preventing so-called DDoS attacks. “Common interests are served only when the cyber-umbrella doesn’t belong to any of the banks,” he said.

Collaboration is needed because cyber-attacks on all banks are increasing, though “it will be easier to organize if a third party takes the reins to avoid the impression of a conflict of interests,” Konstantin Chigirev, global head of security at Bank Otkritie, Russia’s largest private bank, said by phone. “I think the regulator is the most appropriate middleman.”

Fraud Attempts

Cyber-crime rates in Russia are up four-fold compared to 2015 and have caused more than 6 billion rubles in losses so far this year, Interfax news agency reported Monday, citing Alexander Kurennoi, a spokesman for the Prosecutor General’s office.

In the U.S., major banks are considering forming a group to share information about cyber threats and how to respond to attacks, the Wall Street Journal reported in August, citing unidentified people familiar with the situation.

Sberbank’s protection system will be completed by 2018 and will rely on big data technologies and machine learning, Kuznetsov said. It currently has cybersecurity centers in five cities, where nearly a thousand specialists deal with about 1 million registered incidents daily and helped avert losses of 8 billion rubles in the first half of this year, he said.

The bank averts 99 percent of fraud attempts and sees the greatest risks coming from three big cybercriminal groups, according to Kuznetsov, who declined to name them.

As it strives to become a major cybersecurity player, Sberbank is actively lobbying for new laws against computer crime. Russia’s newly elected parliament will vote on two legislative initiatives this fall that introduce penalties for theft from electronic accounts and manipulating people to share confidential data, Kuznetsov said.
