Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

Policies and procedures should include information security risk assessment policy, IT-roles segregation, segregation of test and product environment, separation of project networks, change management, malicious code protection, patch management, acceptable usage policy, mobile device usage policy, etc.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

There are no specific requirements of Ukrainian law that effectively require organisations to keep records of cyberthreats or attacks. However, an obligation to retain certain records may apply, for example, to tele­communications operators; such data retention obligation is imposed by article 39 of the Law on Telecommunications. However, many commentators argue that this provision is vague, does not contain definitive requirements and safeguards and, as a result, is applied arbitrarily.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Detailed rules are yet to be developed.

Timeframes

What is the timeline for reporting to the authorities?

Under the Cybersecurity Law, the reporting shall be made instantly, but the exact timeline for this has yet to be set by secondary legislation.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Detailed reporting obligations are yet to be developed.