Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
The National Police, the Security Service of Ukraine (the Security Service) and CERT-UA may provide recommendations addressing cybersecurity protections; take actions for preventing, detecting and eliminating the effects of cyber incidents; and organise and conduct practical workshops on cyber defence.
Nowadays, those who are interested in cybersecurity can find publicly available news about new malware, phishing, denial-of-service attacks, etc, on the official websites of the Cyber Police and CERT-UA. Moreover, it is possible to find the relevant recommendations addressing the cyberthreats identified by these authorities.
In February 2018, the CERT of the Security Service was established; however, it has not launched any public resources or issued guidelines or recommendations on protection from cyberthreats.
In 2018, the CERT of the Security Service of Ukraine and the Computer Emergency Response Team of the National Bank (CSIRT-NBU) were established.
How does the government incentivise organisations to improve their cybersecurity?
There are no effective government mechanisms that can incentivise organisations to improve their cybersecurity. Exchanging incident information is not enough for cybersecurity improvement. Motivation for the private sector to participate should be a priority.
In September 2019, Ukraine became the ninth country in the world to publicly invite the search for bugs in a state information system. On a trial basis, the Ukrainian procurement system Prozorro was checked for cyber vulnerabilities by invited and selected groups of ‘white hackers’. All of the ethical hackers were Ukrainians with experience of participating in bug bounty programmes. The bug-finding marathon was held in a closed environment: the hackers simultaneously attacked the system for seven hours. To avoid interfering with live bidding, the cyber specialists worked in a testing environment. The initiative is a first for Ukraine because scanning a state information system for vulnerabilities in the production environment is forbidden and may only be carried out by the national regulator – the State Special Communications Service of Ukraine.
The Hack Prozorro project was implemented with the partnership of the private sector, which included HackenProof, OptiData and DeNovo.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
The main standards include:
- ISO 27001:2015 (ISO/IEC 27001:2013; Cor 1:2014, IDT) – available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=66910;
- ISO 27002:2015 (ISO/IEC 27002:2013; Cor 1:2014, IDT) – available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=66911;
- ISO/IEC TR 13335:2003 (ISO/IEC TR 13335-4:2000, IDT) – available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=71834; and
- ISO/IEC 27032:2016 (ISO/IEC 27032:2012, IDT) – available at: http://online.budstandart.com/ua/catalog/doc-page.html?id_doc=69128.
Are there generally recommended best practices and procedures for responding to breaches?
No official guidelines on how to respond to breaches are available yet. However, the widely accepted recommended best practices include:
- immediate reporting to the Cyber Police and CERT-UA;
- alerting employees and customers;
- PR support; and
- engagement of competent technical experts for adequate cyber response and audit.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Information and cybersecurity forums are used to share information about cyberthreats. In addition, the Cybersecurity Law mentions the sharing of information between public and private sectors concerning cyberthreats, cyberattacks and cyber incidents as one form of public–private cooperation.
CERT-UA and CSIRT-NBU signed a memorandum on collaboration and partnership in the fields of cybersecurity and cyber defence aimed at preventing, detecting and effectively responding to current cyberthreats and increasing awareness in the field of cybersecurity. The parties agreed on a voluntary basis to share information on the results of analyses of cyber incidents and cyberattacks, and technical, technological and background information in the field of cybersecurity.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
So far, the development (predominantly a translation of widely accepted international standards into Russian and Ukrainian) of the standards has generally been a private initiative. With the adoption of the Cybersecurity Law, the role of the state in this area should increase.
For example, the Cybersecurity Law envisages that the CIOs will have to undergo cybersecurity audits. The requirements and procedure for these audits will be established in the relevant regulations of the Cabinet of Ministers. In turn, these regulations should be based on international standards, including those of the European Union and NATO, developed with the mandatory involvement of representatives of the main stakeholders of the national cybersecurity system, scientific institutions, independent auditors, experts in the field of cybersecurity and NGOs.
Private sector representatives can participate in discussions of the published drafts and provide comments within one month from the date of publication on the official website.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Yes, insurance for cybersecurity breaches is available in Ukraine but it is not common. The comparatively high cyber risks in Ukraine, which are currently the norm, do not make the market particularly attractive for many international insurance companies.
Law Stated Date
Give the date on which the information above is accurate.
12 December 2019