Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

The National Police of Ukraine, the Security Service of Ukraine and CERT-UA may provide recommendations on cybersecurity protections; take action to prevent, detect and eliminate the effects of cyber incidents; and organise and conduct practical workshops on cyber defence.

Those who are interested in cybersecurity can find publicly accessible news about new malware, phishing, denial of service attacks, etc., on the official websites of the Cyberpolice of Ukraine (a department within the National Police) and CERT-UA. These websites also carry recommendations addressing the cyberthreats recorded by these authorities.

In February 2018, the CERT of the Security Service of Ukraine was established; however, it has not launched any public resources or issued guidelines or recommendations as to protection from cyberthreats.

How does the government incentivise organisations to improve their cybersecurity?

There are no effective government mechanisms that can incentivise organisations to improve their cybersecurity. Exchanging incident information is not enough on its own to interest organisations in improving their cybersecurity. Motivating the private sector to participate should be a priority.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

The main standards include:

  • ISO 27001:2015 (available at: http://document.ua/informaciini-tehnologiyi_-metodi-zahistu_-sistemi-upravlinnj-nor29396.html);
  • ISO 27002:2015 (available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=66911);
  • ISO/IEC 27000:2015;
  • ISO/IEC TR 13335:2003 (available at: https://dnaop.com/html/41033/doc-%D0%94%D0%A1%D0%A2%D0%A3_ISO/); and
  • ISO/IEC 27032:2012 (available at: www.klubok.net/article2617.html).

Are there generally recommended best practices and procedures for responding to breaches?

No official guidelines on how to respond to breaches are available yet. However, the widely accepted recommended best practices include:

  • immediate reporting to cyber police and CERT-UA;
  • alerting employees and customers;
  • PR support; and
  • engagement of competent technical experts for adequate cyber response and audit.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

There are some international platforms such as VirusTotal that are popular in Ukraine. Information and cybersecurity forums are also used to share information about cyberthreats. In addition, the Cybersecurity Law mentions the sharing of information between public and private sectors about cyberthreats, cyberattacks and cyber-incidents as one form of public-private cooperation.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

So far, the development of the standards (predominantly a translation of widely accepted international standards into Russian and Ukrainian) has generally been a private initiative. With the adoption of the Cybersecurity Law, the role of the state in this area should increase.

For example, the Cybersecurity Law envisages that CI objects will have to undergo cybersecurity audits. The requirements and procedure for such audits will be set in the relevant regulations of the Cabinet of Ministers. In turn, such regulations should be based on international standards, including those of the European Union and NATO, developed with the mandatory involvement of representatives of the main stakeholders of the national cybersecurity system, scientific institutions, independent auditors, experts in the field of cybersecurity and NGOs.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Yes, insurance for cybersecurity breaches is available in Ukraine, but it is not common. Apparently, the comparatively high cyber risks currently inherent in Ukraine do not make the market particularly attractive for many international insurance companies, and hence the penetration of this service is somewhat limited.