Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
The main statutes and regulations that promote cybersecurity are as follows:
- the Law on the Main Principles of Maintaining Cybersecurity of Ukraine (the Cybersecurity Law);
- the Law on Protection of Information in Information and Telecommunication Systems;
- the Budapest Convention on Cybercrime;
- Decree of the Cabinet of Ministers of Ukraine on Approval of the Concept of Establishment of a State System for Critical Infrastructure Protection;
- Resolution of the Ukrainian National Security and Defence Council on the National Security Strategy of Ukraine, approved by Presidential Decree (the National Security Strategy); and
- Resolution of the Ukrainian National Security and Defence Council on the Cybersecurity Strategy of Ukraine, approved by Presidential Decree.
The Cybersecurity Law establishes the regulatory framework for a number of measures in the cybersecurity domain. It lays down the main directions of state policy in the area as well as the roles of the major responsible stakeholders. The Cybersecurity Law introduces the concepts of critical infrastructure (CI) and critical information infrastructure, mandating stringent security requirements for organisations operating CI. Overall, the Law is a high-level set of rules that defines the competence of governmental authorities and delegates to them the right to regulate many other issues in the cybersecurity domain through secondary legislation.
The National Security Strategy is a document that states the priorities of the national security policy. Its main goal is to create conditions necessary to ensure safe cyberspace and its use in the interests of individuals, society and government. This effectively paved the way for passing the dedicated law that comprehensively addresses a broad range of issues in the cybersecurity area: the Cybersecurity Law.
At the end of 2017, the government approved the Concept of Establishment of a State System for Critical Infrastructure Protection in Ukraine. The Concept identifies the main directions, mechanisms and timetables for implementation of legal measures aimed at protecting critical infrastructure.
A draft law ‘On critical infrastructure and its protection’ has been developed. Its goal is to increase critical infrastructure protection capability and to help reduce the vulnerability of critical infrastructure.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
The Cybersecurity Law envisages stringent rules for CI. This is a new concept that is defined rather broadly and may potentially catch any company that is essential for the maintenance of vital civil services and the disruption or destruction of which would have a significant impact on national security. In particular, the Cybersecurity Law names the following industries: chemicals, energy, utilities, transport, information technologies, electronic communications, banking and finance, healthcare, food production and agriculture.
Most of these sectors have no sector-specific cybersecurity regulations at the moment; these are yet to be developed by the government. The banking sector remains the most advanced in promoting cybersecurity.
The Cybersecurity Law designates the National Bank of Ukraine (NBU) as one of the entities responsible for providing cybersecurity, authorised to develop and implement preventive, organisational, educational and other measures in cybersecurity and cyber defence.
The NBU adopted Decree No. 95 on Approval of the Measures to Ensure Information Security in the Banking System of Ukraine (Decree No. 95). Decree No. 95 for the first time provides for mandatory regulation by the NBU of information security and cyber defence issues in Ukraine’s banking system. It also provides for the appointment of a chief information security officer in banks with the authority to take relevant managerial decisions, and defines the principles of information security management based on the new national standards of Ukraine on information security and on the principles of information security and cyber defence.
The NBU also intends, for the first time, to regulate cyber defence and information security in the area of money transfers.
At the end of September 2018, the NBU proposed a draft of the Decree on Approval of the Regulations on Cybersecurity and Information Security in Payment Systems and Settlement Systems for public discussion.
Specifically, the draft Decree stipulates:
- requirements in regard to building information and cybersecurity systems;
- procedures for detecting cyber attacks; and
- requirements in regard to organisational and technical measures to ensure protection of information and cybersecurity by the respective market players, etc.
Has your jurisdiction adopted any international standards related to cybersecurity?
Yes. Decree No. 95 defines the principles of information security management based on the new national standards of Ukraine on information security (effective from 1 January 2017), namely ISO 27001:2015 and ISO 27002:2015, which are the national adoptions of the corresponding ISO/IEC standards, and on the principles of information security and cyber defence that commonly apply in international practice. Other adopted standards include ISO/IEC 27000:2015 and ISO/IEC TR 13335:2003.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
The Cybersecurity Law envisages some basic steps that companies subject to the CI rules will have to take. These include:
- ensuring the cyber defence of communication and technological systems;
- protection of technological information;
- undergoing independent cybersecurity audits; and
- instant reporting of cyber incidents to the Computer Emergency Response Team of Ukraine (CERT-UA).
Under the law, the owners and CEOs of legal entities are responsible for ensuring compliance with the above-mentioned requirements, and failure to comply may trigger criminal liability under article 363 of the Criminal Code for violation of rules on electronic communications and protection of information.
The draft law on critical infrastructure and its protection introduces a new concept, the ‘operator of critical infrastructure’, covering the entities (both public and private) and individuals that own or otherwise legitimately hold critical infrastructure objects and are responsible for the day-to-day operation of such objects. It also defines the tasks, rights, obligations and responsibilities of operators of critical infrastructure.
Some specific obligations for operators of critical infrastructure in the banking sector are set out in NBU Decree No. 95.
How does your jurisdiction define cybersecurity and cybercrime?
The Cybersecurity Law gives the following definitions:
- ‘cybersecurity’ as the ‘protection of the vital interests of individuals and citizens, society and the state in cyberspace, which ensures the sustainable development of the information society and digital communication environment, and the timely detection, prevention and neutralisation of real and potential threats to the national security of Ukraine in cyberspace’; and
- ‘cybercrime’ as a ‘socially dangerous offence in cyberspace and/or its use, criminal liability for which is provided for by the law of Ukraine and/or recognised as a crime by international treaties of Ukraine’.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
Under the Law on Personal Data Protection, data controllers, data processors and third parties are required to protect personal data from accidental loss or destruction, as well as from unlawful processing, including unlawful destruction of or access to personal data. However, neither that law nor the Model Order for Personal Data Protection provides further details or requirements on any specific technical measures.
According to the Law on Telecommunications, operators and providers of telecommunication services must adopt the technical and organisational measures required to ensure the secrecy of communications, the protection of telecommunication networks and facilities, and restricted access to the information transmitted over these networks.
Under the Law on Protection of Information in Information and Telecommunication Systems, the owner of a system is responsible for ensuring the protection of information in the system. State information resources and classified information must be processed using a comprehensive information protection system whose compliance has been certified by the competent state agency.
The technical measures to ensure information security in the banking system of Ukraine are described in more detail in Decree No. 95. These measures include, among others:
- use of an authorisation system (including password restrictions, best practices for password selection and regular password changes);
- protection of electronic means and data against unlawful data processing operations, unauthorised access and malware;
- network security, encompassing the overall structure and network access control;
- security protection of servers;
- security protection of applications;
- data security and backup;
- establishment and maintenance of a security management system and related procedures and policies;
- establishment and maintenance of security management positions with clearly defined responsibilities for each, as well as verification of the identity and professional qualifications of each member of personnel;
- regular employee training to enhance security awareness; and
- compliance with the established requirements concerning purchase of the relevant IT products and services.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
Yes. In general, cyberthreats to intellectual property are addressed by the provisions of Law No. 3792-XII of 23 December 1993 on Copyright and Neighbouring Rights, which regulate and provide for several means for protecting intellectual property both in the online and offline environment. For example, key provisions of the Law punish:
- copyright piracy (publication, reproduction and distribution of counterfeit copies of works on the internet);
- falsification, unauthorised modification or removal of information, including in electronic form, regarding digital rights management;
- illicit use of trademarks, either of a digital or a material nature;
- plagiarism (completely or partly publishing someone’s work under the name of a person who is not the author of the work) either of a digital or a material nature;
- card sharing, namely the provision in any manner of access to a broadcast programme to which access is restricted by the copyright or related rights holder by means of technical protection measures (eg, a subscription card or code), by circumventing such technical protection and making the programme accessible; and
- any acts aimed at intentional circumvention of technical protection means for the protection of copyright and related rights, including production, distribution, import with the purpose of distribution and exploitation of means for such circumvention.
Finally, in addition to the specific provisions on piracy and on infringements of a digital nature listed above, Law No. 3792-XII of 23 December 1993 on Copyright and Neighbouring Rights provides for sanctions against intellectual property infringement in general.
In addition to the above, the Law introduced legal tools aimed at preventing cyberthreats to intellectual property by means of notice-and-takedown procedures and other judicial and non-judicial remedies. In particular, the Law provides for a non-judicial procedure for the termination of infringements of copyright or related rights committed via the internet.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
Yes, the Cybersecurity Law specifically addresses cyberthreats and other cybersecurity issues with regard to critical infrastructures.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
Yes. The right to privacy (secrecy) of correspondence (including letters, telegrams, telephone conversations, wire messages or other types of communications) is a personal right guaranteed by the Ukrainian Constitution and implemented through various other acts, including the Law on Telecommunications.
Breach of the privacy of correspondence may only be authorised by a court, to prevent a crime or within a criminal proceeding, and only if the information needed cannot be obtained otherwise. In all other instances, a breach of the privacy of correspondence may be regarded as a criminal offence (ie, the breach of privacy of letters, telephone conversations, telegraph or other correspondence transmitted via communication means or a computer), which attracts fines, correctional labour or imprisonment.
Moreover, in relation to the broader scope of communications (ie, not only those covered by privacy of correspondence) the Law on Telecommunications expressly provides that interception of information from telecommunication networks is prohibited, unless otherwise provided by law. Such interception, as well as collection of information from electronic informational systems, is a criminal investigatory activity that interferes with private communications and may only be taken by law enforcement bodies if authorised by court.
Telecommunication operators and service providers must take technical and organisational measures for the protection of telecommunication networks and facilities, of classified information regarding the arrangement of such networks and of the data transmitted. Further, they must ensure the security of information regarding consumers.
Further, telecommunication operators are required, at their own cost, to install on their networks the equipment required for the competent authorities to conduct criminal investigations, to ensure that this equipment functions properly and remains duly protected from unauthorised access, and to facilitate the conduct of investigations while preventing disclosure of the relevant organisational arrangements.
The Law on Personal Data Protection provides that the processing of confidential personal data without proper consent is prohibited, except where permitted by statute, and then only in the interests of national security, economic welfare and human rights.
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
Ukraine ratified the Budapest Convention in 2006. This was followed by the adoption of the law that added additional articles in the section dedicated to ‘Crimes in the Area of the Use of Electronic-Computational Machines (Computers), Systems, Computer Networks and Telecommunication Networks’ into the Criminal Code.
In particular, the principal criminalised cyberactivities relevant to organisations include:
- unauthorised interference in the operation of electronic computing machines (computers), automated systems, computer networks or telecommunication networks (article 361 of the Criminal Code);
- creation, for the purpose of use, dissemination or sale, of malicious software or hardware, as well as their dissemination or sale (article 361(1) of the Criminal Code);
- unauthorised sale or dissemination of information with restricted access that is stored in electronic computing machines (computers), automated systems, computer networks or on information-carrying media (article 361(2) of the Criminal Code);
- unauthorised alteration, erasure or blocking of information that is processed in electronic computing machines (computers), automated systems, computer networks or stored on information-carrying media, committed by a person entitled to access such information (Part 1, article 362 of the Criminal Code);
- unauthorised interception or copying of information that is processed in electronic computing machines (computers), automated systems, computer networks or stored on information-carrying media, if it led to a leak, committed by a person entitled to access such information (Part 2, article 362 of the Criminal Code);
- violation of the rules of operation of electronic computing machines (computers), automated systems, computer networks or telecommunication networks, or of the order or rules on protection of the information processed there, if it caused significant damage, committed by the person responsible for their operation (article 363 of the Criminal Code); and
- impeding the work of electronic computing machines (computers), automated systems, computer networks or telecommunication networks by mass distribution of electronic messages (article 363(1) of the Criminal Code).
Importantly, article 363(1) does not criminalise DDoS attacks; rather, the ‘mass distribution’ refers to sending messages to a multitude of non-specific recipients. Thus, this offence usually covers spam with a malware component. DDoS attacks are instead criminalised under article 361 of the Criminal Code, which is confirmed by recent court practice.
In particular, by decision No. 640/953/17 of 21 March 2017, a district court in Kharkiv found a group of persons guilty of the online sale of software designed to carry out DDoS attacks (article 361(1) of the Criminal Code). To demonstrate that the software worked, the perpetrators had carried out several DDoS attacks themselves (article 361 of the Criminal Code).
Interestingly, the same article 361 of the Criminal Code was also used as the preliminary qualification for the June 2017 Petya (NotPetya) malware outbreak. According to a statement from the head of department of the cyber police, 597 criminal proceedings had been initiated under article 361 by 5 July 2017.
There were a couple of other recent cases in which articles 361 and 361(1) were applied. In particular, on 3 November 2017, a district court in Kiev found that the conduct of hackers who stole US$1 million from Credit Dnipro Bank fell under those offences. Additionally, by a decision of 28 July 2014, a court in Chernihiv found a person guilty of creating malicious software for further use and sale.
How has your jurisdiction addressed information security challenges associated with cloud computing?
The draft Law on Amendments to Certain Laws of Ukraine Regarding Processing of Information in Systems Using the Technology of Cloud Computing was prepared for a second reading in the Ukrainian parliament back in November 2016, but has not been passed yet.
The Law on Protection of Information in Information and Telecommunication Systems lays down the legal framework for data protection in information and telecommunication systems. Specifically, owners of such systems are charged with ensuring the protection of information. The procedure and requirements for data protection, as well as for its processing, are to be set out in an agreement between the owner of the system and the owner of the information. In addition, the procedure for access to the information, the list of users and their rights are to be determined by the information owner. Most likely, cloud service providers operating data centres or other automated equipment physically located in Ukraine will qualify as owners of information systems and will be subject to these statutory requirements.
Responsibility for ensuring information security in the system lies with the owner of the system. The owner of a system in which state secrets or information with restricted access is processed must create an information protection service or appoint a qualified responsible person.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Foreign organisations doing business in Ukraine are subject to the same cybersecurity obligations and responsibilities as domestic entities.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
The National Police of Ukraine, the Security Service of Ukraine and CERT-UA may issue recommendations on cybersecurity protections, take action to prevent, detect and eliminate the effects of cyber incidents, and organise and conduct practical workshops on cyber defence.
Those interested in cybersecurity can find publicly accessible news about new malware, phishing, denial-of-service attacks and similar threats on the official websites of the Cyberpolice of Ukraine (a department within the National Police) and CERT-UA, together with recommendations addressing the cyberthreats identified by these authorities.
In February 2018, the CERT of the Security Service of Ukraine was established; however, it has not launched any public resources or issued guidelines or recommendations as to protection from cyberthreats.
How does the government incentivise organisations to improve their cybersecurity?
There are no effective government mechanisms that incentivise organisations to improve their cybersecurity. The exchange of incident information alone is not enough to motivate organisations to invest in cybersecurity improvement. Creating incentives for the private sector to participate should be a priority.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
The main standards include:
- ISO 27001:2015 (available at: http://document.ua/informaciini-tehnologiyi_-metodi-zahistu_-sistemi-upravlinnj-nor29396.html);
- ISO 27002:2015 (available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=66911);
- ISO/IEC 27000:2015;
- ISO/IEC TR 13335:2003 (available at: https://dnaop.com/html/41033/doc-%D0%94%D0%A1%D0%A2%D0%A3_ISO/); and
- ISO/IEC 27032:2012 (available at: www.klubok.net/article2617.html).
Are there generally recommended best practices and procedures for responding to breaches?
No official guidelines on how to respond to breaches are available yet. However, the widely accepted recommended best practices include:
- immediate reporting to cyber police and CERT-UA;
- alerting employees and customers;
- PR support; and
- engagement of competent technical experts for adequate cyber response and audit.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
There are some international platforms such as VirusTotal that are popular in Ukraine. Information and cybersecurity forums are also used to share information about cyberthreats. In addition, the Cybersecurity Law mentions the sharing of information between public and private sectors about cyberthreats, cyberattacks and cyber-incidents as one form of public-private cooperation.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
So far, the development (predominantly a translation of widely accepted international standards into Russian and Ukrainian) of the standards has generally been a private initiative. With the adoption of the Cybersecurity Law, the role of the state in this area should increase.
For example, the Cybersecurity Law envisages that the CI objects will have to undergo cybersecurity audits. Requirements and procedure for such audits will be set in the relevant regulations of the Cabinet of Ministers. In turn, such regulations should be based on international standards, including those of the European Union and NATO, developed with the mandatory involvement of representatives of the main stakeholders of the national cybersecurity system, scientific institutions, independent auditors, experts in the field of cybersecurity and NGOs.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Yes, insurance for cybersecurity breaches is available in Ukraine, but it is not common. It appears that the comparatively high cyber risks currently inherent in Ukraine make the market unattractive for many international insurance companies, and hence the penetration of this product is somewhat limited.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The main authorities that ensure cybersecurity in Ukraine include the Ministry of Defence of Ukraine, the State Service of Special Communications and Information Protection of Ukraine, the Security Service of Ukraine, the National Police of Ukraine, the NBU and the intelligence agencies. In particular:
- the Security Service of Ukraine is responsible for fighting cyberterrorism, cyberespionage and countering cybercrimes that pose a direct threat to vital interests of Ukraine;
- the National Security and Defence Council coordinates and controls the activities of security and defence sector actors responsible for cybersecurity in Ukraine;
- the State Service of Special Communications and Information Protection of Ukraine is responsible for the development and implementation of government policy to protect government information resources and critical information infrastructure;
- the Ministry of Defence and General Staff of the Armed Forces of Ukraine is responsible for preparation of the state to respond to military aggression in cyberspace;
- the National Police of Ukraine is responsible for countering cybercrimes;
- the Intelligence Agencies of Ukraine are responsible for operations to address the threats to national security in the cyberspace; and
- the NBU determines the procedure, requirements and measures for ensuring cybersecurity in the banking system of Ukraine and for entities transferring funds.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
Under the Cybersecurity Law, the mandate of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) is the most relevant to compliance-monitoring activities. For this purpose, the SSSCIP has an extensive set of powers, including the right to request information and documents, and to carry out interviews and dawn raids. Yet it remains to be seen how the SSSCIP will apply these powers to the private sector in practice. So far, it has maintained a focused approach in its work, dealing mostly with technical matters of special communications (eg, the establishment of secure communication lines with foreign top officials, the provision of mobile service for state and governmental authorities and cryptographic information protection), rather than with the broader spectrum of threats and concerns that characterise the protection of the private sector in cyberspace.
The investigation of cyber incidents is a key function of law enforcement bodies, including the Security Service of Ukraine and the National Police of Ukraine (the cyber police department). They have various powers to carry out investigative activities, including to request court orders compelling the production of documents and the testimony of witnesses, to carry out searches and seizures, to use technology-assisted physical surveillance and non-consensual electronic surveillance, and to record communications.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
The first problem is the functional parallelism of various organisations and bodies, leading to major overlaps in their activities. For example, the Security Service of Ukraine and the Ministry of Internal Affairs have nearly identical responsibilities for forensics related to the investigation of cybercrimes, and no criteria could be ascertained for the allocation of work and tasks between these two institutions. There is therefore a high potential for jurisdictional conflicts, which is prone to reducing the effectiveness of this particular area of cybersecurity safeguards. The Cybersecurity Law seems to add some clarity here, expressly assigning responsibility for cyber incidents carried out against CI to the Security Service of Ukraine. However, it remains unclear whether this distinction will be appropriately reflected in other relevant laws and regulations.
This lack of clear separation between criminal justice measures and national security measures creates another problem: limited public trust and a lack of cooperation between criminal justice authorities and private sector entities, which are often reluctant to cooperate with law enforcement bodies. Moreover, law enforcement powers such as those addressed in the Budapest Convention on Cybercrime are not clearly defined in the Ukrainian Criminal Procedure Code, and this adversely affects cooperation between law enforcement and service providers, confidentiality rights and sometimes the rule of law. Thus, public-private cooperation on cybercrime and electronic evidence has been hampered by, among other things, the absence of a coherent legal framework for exercising the procedural powers available under the Budapest Convention on Cybercrime, as well as by divergent practice in applying the investigative powers that are already available.
Finally, another problem is the under-financing of the relevant public institutions, which leads to a reduced attractiveness of these workplaces owing to low salaries; only a limited number of highly skilled cybersecurity and cyber defence professionals are employed in public sector institutions.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
See the answer above on the obligations of responsible personnel and directors: failure by owners and CEOs to ensure compliance with the CI requirements may trigger criminal liability under article 363 of the Criminal Code.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
See the answer above on the obligations of responsible personnel and directors: the Cybersecurity Law requires instant reporting of cyber incidents to CERT-UA, and failure to comply may trigger criminal liability under article 363 of the Criminal Code.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
There are no specific rules for parties seeking private redress for unauthorised cyberactivity or failure to adequately protect systems and data. Private redress can be brought under existing civil, commercial and administrative laws.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Policies and procedures should include an information security risk assessment policy, segregation of IT roles, segregation of test and production environments, separation of project networks, change management, malicious code protection, patch management, an acceptable use policy and a mobile device usage policy, among others.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
There are no specific requirements of Ukrainian law that effectively require organisations to keep records of cyberthreats or attacks. However, an obligation to retain certain records may apply, for example, to telecommunications operators; such a data retention obligation is imposed by article 39 of the Law on Telecommunications. Many commentators argue that this provision is vague, does not contain definitive requirements and safeguards and, as a result, is applied arbitrarily.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Detailed rules are yet to be developed.
What is the timeline for reporting to the authorities?
Under the Cybersecurity Law, the reporting shall be made instantly, but the exact timeline for this has yet to be set by secondary legislation.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
Detailed reporting obligations are yet to be developed.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
We anticipate that the regulatory framework for cybersecurity will change in 2019. This expectation is based on the fact that the new Cybersecurity Law is a framework piece of legislation that needs to be backed by many implementing acts and secondary rules.
In connection with this, as a party to the Budapest Convention, Ukraine is working towards the Convention’s full implementation; a draft law defining the important terminology and clarifying the responsibilities of service providers in accordance with the Convention has been prepared and is currently being discussed by stakeholders.