of April 3, 2026 No. 53
On approval of the Requirements for ensuring information security of banks, branches of nonresident banks of the Republic of Kazakhstan and organizations performing separate types of banking activities
In accordance with Items 2 and 10 of article 55 of the Law of the Republic of Kazakhstan "About banks and banking activity in the Republic of Kazakhstan", the Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market DECIDES:
1. Approve the enclosed Requirements for ensuring information security of banks, branches of nonresident banks of the Republic of Kazakhstan and organizations performing separate types of banking activities.
2. Declare invalid the resolution of the Board of the National Bank of the Republic of Kazakhstan and some resolutions of the Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market, and also separate structural elements of the resolution of the Board of the National Bank of the Republic of Kazakhstan and some resolutions of the Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market, according to the list in the appendix to this resolution.
3. The Department of information and cyber security shall, in the procedure established by the legislation of the Republic of Kazakhstan, ensure:
1) together with the Legal department, state registration of this resolution in the Ministry of Justice of the Republic of Kazakhstan;
2) placement of this resolution on the official Internet resource of the Agency of the Republic of Kazakhstan on regulation and development of the financial market after its official publication;
3) within ten working days after state registration of this resolution, submission to the Legal department of data on execution of the action provided by subitem 2) of this Item.
4. Control over execution of this resolution is assigned to the supervising vice-chairman of the Agency of the Republic of Kazakhstan on regulation and development of the financial market.
5. This resolution becomes effective upon expiry of ten calendar days after the day of its first official publication.
The chairman of the Agency of the Republic of Kazakhstan on regulation and development of the financial market
M. Abylkasymova
Approved by the Resolution of Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market of April 3, 2026 No. 53
1. These Requirements for ensuring information security of banks, branches of nonresident banks of the Republic of Kazakhstan and organizations performing separate types of bank transactions (hereinafter - Requirements) are developed according to Items 2 and 10 of article 55 of the Law of the Republic of Kazakhstan "About banks and banking activity in the Republic of Kazakhstan" and establish requirements for ensuring information security of banks, branches of nonresident banks of the Republic of Kazakhstan (hereinafter - bank) and organizations performing separate types of banking activities (hereinafter - the organization).
2. In Requirements the concepts provided by the Law of the Republic of Kazakhstan "About informatization" and also the following concepts are used:
1) information security in the field of informatization (further - information security) - condition of security of electronic information resources, information systems and information and communication infrastructure from external and internal threats;
2) data asset - a set of information and the object of information and communication infrastructure used for its storage and (or) processing. Data assets are subdivided into critical and non-critical, as determined by the bank based on the level of losses from violation of their confidentiality, integrity, availability;
3) IT manager of information system / asset - the worker or division (workers or divisions) of the bank, the organization responsible for maintaining the information system / asset in a condition conforming to the requirements of the business owner of the information system / asset;
4) the business owner of information system or subsystem - the division (worker) of the bank, the organization which is the owner of the main business process automated by the information system or subsystem;
5) information and communication infrastructure (hereinafter - information infrastructure) - a set of objects of information and communication infrastructure intended to ensure functioning of the technological environment for the purpose of forming electronic information resources and providing access to them;
6) perimeter of protection of information and communication infrastructure - a set of software and hardware separating the information and communication infrastructure of the bank, the organization from external information networks and implementing protection against threats of information security;
7) threat of information security - a set of conditions and factors creating preconditions for the emergence of an incident of information security;
8) incident of information security - separately or serially arising failures in work of information and communication infrastructure or its separate objects creating threat to their proper functioning and (or) conditions for illegal obtaining, copying, distribution, modification, destruction or blocking of electronic information resources;
9) information on incidents of information security - information about separately or serially arising failures in work of information and communication infrastructure or its separate objects creating threat to their proper functioning and (or) conditions for illegal obtaining, copying, distribution, modification, destruction or blocking of electronic information resources;
10) risk of information security - probable emergence of damage owing to violation of confidentiality, deliberate violation of integrity or availability of data assets of the bank, the organization;
11) ensuring information security - the process directed at maintaining the confidentiality, integrity and availability of data assets of the bank, the organization;
12) the regular data carrier - a data carrier which is a component of an object of information and communication infrastructure and is connected to it on a permanent basis;
13) the preset accounting records - the accounting records of information systems established by their producers;
14) exclusive accounting record - an accounting record in an information system having privileges of creation, removal and change of access rights of accounting records;
15) the console of administration and monitoring - a workstation allowing remote control of an information system;
16) data-processing center of the bank, the organization - a specially allocated room in which the servers ensuring functioning of the information systems of the bank, the organization are placed;
17) business process - a set of interconnected actions or tasks directed at creation of a certain product or service for an external or internal consumer;
18) the owner of business process - the division (worker) of the bank, the organization which is responsible for the lifecycle of the business process and for coordination of activities of the divisions of the bank, the organization involved in the business process;
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.