1. Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Until very recently, Ukraine did not have a comprehensive dedicated cybersecurity law. While cybercrime has flourished in Ukraine for many years, the development of a sustainable cybersecurity policy lagged behind. Ukrainian legislation for tackling crime in cyberspace only partially met the country's needs and did not always cover the key elements required to ensure effectiveness. Thus, up until October 2017 the legislative framework in this area consisted of the following more generic pieces of legislation:
Also, the Parliament of Ukraine ratified the Budapest Convention on Cybercrime (Budapest Convention) back in 2006.
The inability of the above legislative framework to ensure an appropriate level of cybersecurity became more and more obvious with the rapid development of technologies over the last decade, which created serious threats to private, national and international security all over the world. Ukraine knows this first-hand: since the internet became part of post-Soviet life, the country has consistently been among the top cybercrime jurisdictions and one of the main sources of Distributed Denial of Service (DDoS) attacks. The last three years have seen an increasing number of high-profile cyberattacks on Ukrainian state agencies, critical infrastructure and the private sector. Perhaps the most important wake-up call rang on 23 December 2015, when a first-of-its-kind cyberattack on a power grid cut the lights to about 225,000 people in western Ukraine; the attackers also sabotaged power distribution equipment and flooded the utility's call centre with a telephone denial-of-service attack, which complicated the restoration of supply.
Urged by internal weaknesses and external aggression, the strengthening of the legal framework for cybersecurity has now become a top priority for Ukraine. In response to these challenges, the following pieces of legislation were adopted:
The main goal of the Cyber Security Strategy was to create the conditions necessary to ensure a safe cyberspace and its use in the interests of individuals, society and the state. This effectively paved the way for passing a dedicated law that comprehensively addresses a broad range of cybersecurity issues: the Cybersecurity Law.
The Cybersecurity Law establishes the regulatory framework for a number of measures already enshrined in the Cyber Security Strategy and sets the stage for the upcoming secondary legislation: various regulations expected to develop and detail the relevant rules and, eventually, implement the Cybersecurity Law. The Law lays down the main directions of state policy in the area as well as the roles of the major responsible stakeholders. Most importantly, the Cybersecurity Law introduces the concept of 'critical infrastructure' (CI) and mandates stringent security requirements for organisations operating CI.
Overall, the Law is a fairly high-level framework set of rules and requirements; it does not go into much detail and leaves many issues to secondary legislation to be developed by the Cabinet of Ministers of Ukraine (CMU) by 9 May 2018, the date on which the Law becomes fully effective. While there are some concerns that full implementation of the Cybersecurity Law is unlikely to meet that deadline, unreasonable delays in adopting the secondary legislation are unlikely, for a number of reasons. In particular, between the approval of the Cyber Security Strategy and the adoption of the Cybersecurity Law, Ukraine was once again hit by a series of powerful cyberattacks. On 27 June 2017, malware known as Petya.A (also referred to as NotPetya) infected the systems of Ukrainian organisations, including banks, ministries, newspapers and electricity suppliers. Similar infections were then reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia. By 28 June 2017, an estimated 80% of all infections were in Ukraine, with Germany second hardest hit at about 9%.

Cyberthreats of this scale demonstrate that local incidents can quickly escalate into an international crisis with damage potential of an entirely different order. Ukraine, which has fallen victim to many instances of malicious cyber activity in recent years, appears to serve as a testing ground in these global events, if not as a 'transit base' for cyberattacks against other countries, including EU members. A Ukraine that wants to establish itself not only as a strong independent state but also as an equal, contributing, democratic and safe member of the international community should therefore treat cybersecurity as one of its top priorities.
2. Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction? (Which sectors have made the most progress towards promoting cybersecurity? Which sectors need to improve?)
The Cybersecurity Law envisages stringent rules for CI. This is a new concept that is defined rather broadly and may potentially catch any company providing services in chemicals, energy, utilities, transport, information technologies, electronic communications, banking and finance, healthcare, food production and agriculture. Most of these sectors, however, have no sector-specific cybersecurity regulations at the moment; these are to be developed by the CMU only next year. At the same time, some sectors have already made progress towards promoting cybersecurity.
In particular, banks in Ukraine have faced many cyberattacks over recent years. This prompted them not to wait for the relevant laws and regulations to be adopted, but to implement certain safeguards voluntarily, relying on various internationally accepted standards. It is therefore not surprising that the banking sector is among the first to receive detailed mandatory cybersecurity rules. The National Bank of Ukraine (NBU) adopted Decree No 95 of 28 September 2017 On Approval of the Measures to Ensure Information Security in the Banking System of Ukraine (Decree No 95). For the first time, Decree No 95 provides for mandatory NBU regulation of information security and cyber defence in the banking system of Ukraine by introducing requirements for the organisation of information security measures that banks must implement. These include the following measures:
In line with prevailing global information security practice, Decree No 95 also provides for the appointment of a Chief Information Security Officer (CISO) in each bank, with the authority to take the relevant managerial decisions. In addition, a bank's information security unit must be staffed exclusively with bank employees reporting directly to the CISO.
Finally, Decree No 95 defines the principles of information security management on the basis of the national standards of Ukraine on information security in effect from 1 January 2017 (DSTU ISO/IEC 27001:2015 and DSTU ISO/IEC 27002:2015, the national adoptions of ISO/IEC 27001:2013 and ISO/IEC 27002:2013), together with the principles of information security and cyber defence commonly applied in international practice. Decree No 95 comes into force on 1 March 2018.
3 Has your jurisdiction adopted any international standards related to cybersecurity (such as the International Organization for Standardization’s ISO 27001:2013 (specifications for information security management systems))?
Please see the response to question 2 in relation to banks. Other relevant standards include ISO/IEC 27000:2015 and ISO/IEC TR 13335:2003.
4 What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Despite its more general, framework nature, the Cybersecurity Law still envisages some basic steps that companies subject to the CI rules will have to take. These include:
Under the new Law, the owners and managers of companies are responsible for ensuring compliance with the above requirements, and failure to comply may trigger criminal liability under Article 363 of the Criminal Code (violation of the rules for operating computers, automated systems and computer or telecommunication networks, or of the rules for protecting the information processed in them). Some relevant court practice is already available: by decision No 654/4294/14-к of 4 November 2014, a district court in the Kherson Region found a state enforcement officer guilty of failing to prevent unauthorised access to the Unified State Register of Enforcement Proceedings, which caused substantial damage to the State.
5 How does your jurisdiction define cybersecurity and cybercrime? (Are there any statutory or case-law definitions? Is a distinction made between cybersecurity and data privacy? Are information system security and cybercrime enforcement considered distinct?)
The definitions of both cybersecurity and cybercrime were introduced by the Cybersecurity Law, which defines:
6 What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats? (Are there types of password restrictions or encryption that must be used? Must organisations take reasonable steps to protect data? Do the requirements vary by type of data?)
The minimum protective measures include various requirements for passwords, encryption algorithms and the architecture of IT systems. Typically, the measures also include awareness training for employees, the adoption of crisis management guidelines, business continuity management frameworks and plans, and business impact analysis methods.
7 Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property? (Give details.)
According to the Law on Copyright and Neighbouring Rights No 3792-XII of 23 December 1993, the following activities fall within the scope of copyright infringement and constitute a cause of action:
Technical protection measures may generally include devices and engineering solutions designed to prevent infringement of copyright or neighbouring rights when receiving and/or copying encrypted recordings, or to control access to materials protected by copyright or related rights.
Violation of copyright and neighbouring rights may entail administrative sanctions, including a fine and confiscation of unlawfully produced items, and, where damages above a certain threshold are caused (currently EUR 500 or more), criminal punishment such as a fine, correctional labour or even imprisonment.
8 Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure (such as electricity grids and financial services systems) or specific sectors? (Give details.)
Yes. Please see the response to question 2 above for more details.
9 Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information? (For example, are there laws that prohibit the recording or accessing of private communications, and are there exceptions if communications are accessed to protect information networks or data? Are there laws governing access to metadata?)
The right to privacy (secrecy) of correspondence (including letters, telegrams, telephone conversations, wire messages and other types of communication) is a personal right guaranteed by the Ukrainian Constitution and implemented through various other acts, including the Law of Ukraine On Telecommunications.
Breach of privacy of correspondence may be allowed only by a court, to prevent a crime or within a criminal proceeding, and only if the information needed cannot be obtained otherwise. In all other instances, breach of privacy of correspondence may be regarded as a criminal offence (breach of privacy of letters, telephone conversations, telegraph or other correspondence transmitted via communication means or a computer) punishable by a fine, correctional labour or restriction of liberty.
Moreover, for the broader scope of communications (ie, not only those covered by privacy of correspondence), the Law of Ukraine On Telecommunications expressly prohibits interception of information from telecommunication networks unless otherwise provided by law. Such interception, as well as the collection of information from electronic information systems, is a criminal investigative activity that interferes with private communications and may be undertaken only by law enforcement bodies authorised by a court.
Telecommunication operators and service providers must take technical and organisational measures to protect their telecommunication networks and facilities, classified information about the arrangement of such networks, and the data transmitted. They must also ensure the security of information about consumers.
Relatedly, telecommunication operators must, at their own cost, install on their networks the equipment required for the competent authorities to conduct criminal investigations, ensure that this equipment functions properly and remains protected from unauthorised access, and facilitate the investigations while preventing disclosure of the relevant organisational arrangements.
In the context of personal data, the Law of Ukraine On Personal Data Protection provides that processing of confidential personal data without proper consent is prohibited except where permitted by statute, and then only in the interests of national security, economic welfare or human rights.
10 What are the principal cyberactivities that are criminalised by the law of your jurisdiction? (Restrict your answers to cybercrimes that are relevant to organisations.)
Ukraine ratified the Budapest Convention in 2006. This was followed by the adoption of a law that added new articles to the section of the Criminal Code dedicated to 'Crimes in the Area of the Use of Electronic-Computational Machines (Computers), Systems, Computer Networks and Telecommunication Networks'. The principal criminalised cyber activities relevant to organisations include:
Importantly, Article 363-1 of the Criminal Code (interference with the operation of computers, systems or networks by mass distribution of telecommunication messages) does not cover DDoS attacks: the 'mass distribution' it refers to means sending messages to a multitude of non-specific recipients, so this offence usually applies to spam with a malware component. DDoS attacks are instead prosecuted under Article 361 of the Criminal Code (unauthorised interference with the operation of computers, automated systems or networks), as recent practice confirms.
In particular, by decision No 640/953/17 of 21 March 2017, a district court in Kharkiv found a group of persons guilty of the online sale of software designed to carry out DDoS attacks (Article 361-1 of the Criminal Code, creation and sale of malicious software); to demonstrate that the software worked, the perpetrators had carried out several DDoS attacks themselves (Article 361 of the Criminal Code).
Interestingly, the same Article 361 was also used as the preliminary legal qualification for the Petya.A malware infection: according to a statement by the Head of the Cyberpolice Department, 597 criminal proceedings had been initiated under Article 361 by 5 July 2017.
Articles 361 and 361-1 have been applied in a couple of other recent cases. On 3 November 2017, a district court in Kiev found that the conduct of hackers who stole US$1 million from Credit Dnipro Bank fell under these offences, and by a decision of 28 July 2014 a court in Chernihiv found a person guilty of creating malicious software for subsequent use and sale.
11 How has your jurisdiction addressed information security challenges associated with cloud computing? (Discuss domestic policies and international agreements.)
The draft law On Amendments to Certain Laws of Ukraine Regarding Processing of Information in Systems Using the Technology of Cloud Computing was prepared for its second reading in the Ukrainian Parliament back in November 2016 but has not yet been passed.
The Law of Ukraine On Protection of Information in Information and Telecommunication Systems lays down the legal framework for data protection in information and telecommunication systems. Owners of such systems are responsible for ensuring the protection of information. The procedure for and requirements of protecting and processing information are to be set out in an agreement between the owner of the system and the owner of the information, while the procedure for accessing the information, the list of users and their rights are determined by the information owner. Cloud service providers operating data centres or other automated equipment physically located in Ukraine will most probably qualify as system owners subject to these statutory requirements.
12 How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Yes. The regulatory obligations are the same for foreign and local organisations.
13 Do the authorities recommend additional cybersecurity protections beyond what is mandated by law? (For example, are there any voluntary guidelines for reducing risk to computers and networks?)
Yes, the authorities sometimes issue cybersecurity recommendations. The most recent example is the set of recommendations issued by the National Police of Ukraine and the Security Service of Ukraine following the Petya.A cyberattack in 2017.
14 How does the government incentivise organisations to improve their cybersecurity (eg, through grants, tax credits)?
To our knowledge, there are no such incentives.
15 Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
The main standards include:
16 Are there generally recommended best practices and procedures for responding to breaches (including retention of third-party forensic firms, notices to employees and customers, interaction with media, and other post-breach response strategies for an effective response to a breach)?
No official guidelines on responding to breaches are available yet. However, widely accepted best practices include:
17 Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Some international platforms, such as VirusTotal, are popular in Ukraine, and information security and cybersecurity forums are also used to share information about cyberthreats. In addition, Articles 10 and 11 of the Cybersecurity Law mandate the sharing of such information in certain cases.
18 How do the government and private sector cooperate to develop cybersecurity standards and procedures?
So far, the development of standards (predominantly the translation of widely accepted international standards into Russian and Ukrainian) has generally been a private initiative. With the adoption of the Cybersecurity Law, the role of the state in this area should increase.
For example, the Cybersecurity Law envisages that CI objects will have to undergo cybersecurity audits. The requirements and procedure for such audits will be set out in the relevant CMU regulations, which must be based on international standards, including those of the European Union and NATO, and developed with the mandatory involvement of representatives of the main stakeholders of the national cybersecurity system, scientific institutions, independent auditors, cybersecurity experts and NGOs.
19 Is insurance for cybersecurity breaches available in the jurisdiction and is such insurance common?
Such insurance may be available from some insurers, but it is not common. The comparatively high cyber risk currently inherent in Ukraine apparently makes the market unattractive to many international insurers, and penetration of this product is therefore somewhat limited.
20 Which regulatory authorities are primarily responsible for enforcing cybersecurity rules? (Identify authorities that enforce compliance with information security standards and authorities charged with prosecuting cybercrimes relevant to businesses and other organisations.)
The main authorities responsible for ensuring cybersecurity in Ukraine include the Ministry of Defence of Ukraine, the State Service of Special Communications and Information Protection of Ukraine, the Security Service of Ukraine, the National Police of Ukraine, the National Bank of Ukraine and the intelligence agencies. In particular,
21 Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements. (Can authorities request or demand documents or interviews related to cybersecurity incidents?)
Under the Cybersecurity Law, the mandate of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) is the most relevant to compliance monitoring. For this purpose, the SSSCIP has an extensive set of powers, including the right to request information and documents, conduct interviews and carry out dawn raids. It remains to be seen how the SSSCIP will apply those powers in practice in the private sector. So far, it has maintained a fairly narrow focus, dealing mostly with the technical side of special communications (eg, establishing secure communication lines with foreign top officials, providing mobile services for state and governmental authorities, and cryptographic information protection) rather than with the broader spectrum of threats and concerns involved in protecting the private sector in cyberspace.
Investigation of cyber incidents is a key function of law enforcement bodies, including the Security Service of Ukraine and the National Police of Ukraine (Cyberpolice Department). To this end, they have various investigative powers, including the right to request court orders compelling the production of documents and witness testimony, carry out searches and seizures, use technology-assisted physical surveillance and non-consensual electronic surveillance, and record communications.
22 What are the most common enforcement issues and how have regulators and the private sector addressed them? (What types of enforcement actions have been brought by authorities and how has the private sector responded? Identify any notable examples.)
The first problem is functional parallelism between various organisations and bodies, leading to major overlaps in their activities. For example, the Security Service of Ukraine and the Ministry of Internal Affairs have nearly identical responsibilities for forensics in cybercrime investigations, and no criteria can be ascertained for allocating work and tasks between the two institutions. There is therefore a high potential for jurisdictional conflicts, which is likely to reduce the effectiveness of this particular area of cybersecurity safeguards. The Cybersecurity Law seems to add some clarity here by expressly assigning responsibility for cyber incidents against CI to the Security Service of Ukraine. However, it remains unclear whether this dividing line will be appropriately reflected in other relevant laws and regulations.
This lack of clear separation between criminal justice measures and national security measures produces another problem: limited public trust and a lack of cooperation between criminal justice authorities and private sector entities, which are often reluctant to cooperate with law enforcement bodies. Moreover, law enforcement powers such as those addressed in the Budapest Convention are not clearly defined in Ukrainian criminal procedure law, which adversely affects cooperation between law enforcement and service providers, confidentiality rights and sometimes the rule of law. Public-private cooperation on cybercrime and electronic evidence has thus been hampered, among other reasons, by the absence of a coherent legal framework for exercising the procedural powers available under the Budapest Convention, as well as by divergent practice in applying the investigative powers that already exist.
Finally, the relevant public institutions are underfunded, which, through low salaries, makes these positions unattractive: only a limited number of highly skilled cybersecurity and cyber defence professionals are employed by public sector institutions.
23 What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
Please see answer to question 4 above.
24 What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Please see answer to question 4 above.
25 How can parties seek private redress (from organisations and individuals) for unauthorised cyberactivity or failure to adequately protect systems and data?
There are no specific rules for parties seeking private redress for unauthorised cyber activity or failure to adequately protect systems and data. Private redress can be sought under existing civil, commercial and administrative law.
Threat detection and reporting
26 What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats? (Are there any specific types of data protection or overall network protection, such as use of passwords, encryption or other security approaches, that must be in place?)
In practice, policies and procedures should include an information security risk assessment policy, segregation of IT roles, segregation of test and production environments, network segregation, change management, malicious code protection, patch management, an acceptable use policy and a mobile device usage policy, among others.
27 Describe any rules requiring organisations to keep records of cyberthreats or attacks. (Who is responsible for keeping records? How must records be collected and stored? And for how long?)
Ukrainian law contains no specific requirement for organisations to keep records of cyberthreats or attacks. However, an obligation to retain certain records may apply, for example, to telecom operators under the data retention provision in Article 39 of the Law of Ukraine On Telecommunications. Many commentators argue that this provision is vague, lacks definitive requirements and safeguards and, as a result, is applied arbitrarily.
28 Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities. (Specify who is subject to these requirements, which cyberthreats or incidents trigger these requirements, and what information is required in threat reports.)
The detailed rules are yet to be developed.
29 What is the timeline for reporting to the authorities? (Do organisations need to report to the authorities on a continual or routine basis, or within a certain time after a serious threat or a breach?)
Under the Cybersecurity Law, reporting must be made immediately, but the exact timeline has yet to be set by the secondary legislation.
30 Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public. (How must they be communicated?)
The detailed reporting obligations are yet to be developed.
UPDATE & TRENDS
(What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?)
We anticipate that the regulatory framework for cybersecurity will change significantly in 2018. This expectation is based on the fact that the new Cybersecurity Law is a framework piece of legislation that needs to be backed by many implementing secondary rules; to this end, the Law expressly requires that all secondary legislation be adopted by 9 May 2018.
Relatedly, as a party to the Budapest Convention, Ukraine is working towards its full implementation: a draft law defining important terminology and clarifying the responsibilities of service providers in line with the Convention has been prepared and is currently being discussed by stakeholders.