RESOLUTION OF BOARD OF THE NATIONAL BANK OF UKRAINE

of May 19, 2021 No. 43

About approval of the Regulations on information security and cyberprotection in payment systems

According to Articles 7, 15, 56 Laws of Ukraine "About the National Bank of Ukraine", to Articles 14, 17, 18, 19, 22, 38 Laws of Ukraine "About payment systems and money transfer in Ukraine", to Articles 6, 8 Laws of Ukraine "About the basic principles of ensuring cyber security of Ukraine", for the purpose of establishment of requirements for ensuring information security and cyberprotection in the Board of the National Bank of Ukraine DECIDES: payment service providers

1. Approve Regulations on information security and cyberprotection in payment systems (further - the Provision) which are applied.

2. To payment institutes of payment systems, participants/members of payment service providers and operators of services of payment infrastructure within 12 months from the date of entry into force of this resolution:

To develop/finish 1) taking into account requirements of the Provision and to approve internal documents on information security and cyberprotection;

2) to bring the activities into accord with requirements of the Provision.

3. To department of safety (Igor Konovalov) after official publication to inform payment institutes of payment systems, participants/members of payment service providers, operators of services of payment infrastructure information on adoption of this resolution.

4. To impose control over the implementation of this resolution on the Chairman of National Bank Kirill Shevchenko.

5. The resolution becomes effective from the date of, its official publication following behind day.

Approved by the Resolution of Board of the National Bank of Ukraine of May 19, 2021 No. 43

Regulations on information security and cyberprotection in payment systems

I. General provisions

1. This Provision is developed according to the Laws of Ukraine "About the National Bank of Ukraine", "About payment systems and money transfer in Ukraine", "About the basic principles of ensuring cyber security of Ukraine", "About electronic confidential services".

2. This Provision determines requirements and actions for ensuring information security, cyberprotection and information security in the sphere of money transfer and control of their accomplishment.

3. The terms used in this Provision are used in such value:

1) the administrator - appointed the head, his deputy or governing body of the subject of information protection (further - management) the responsible person who provides maintenance and management program and/or hardware or resources;

2) multiple-factor authentication - authentication with use of two (or more) various types of electronic identification data;

3) the virtual computer - emulation of computer system which provides functionality of the physical computer and works under control of hypervisor;

4) hypervisor - set program and the hardware providing parallel functioning of several virtual computers on one computer, isolating these virtual computers and possibility of management of the available resources, possibility of resource allocation between virtual computers which are used;

5) remedy of network - program or the hardware which protects the information system used for money transfer (further - IC), from unauthorized access to its network components, accidental or intentional interference in network functioning;

6) information security - preserving confidentiality, integrity and availability of information;

7) incident of information security - event or series of events of violation of information security which can lead to losses and losses for the subject of information protection or users of payment systems;

8) the head of the subject of information protection - the official designated by the owner of the subject of information protection acting on behalf of the subject of information protection who represents its interests in public authorities and local government bodies, other organizations in the relations with legal entities and citizens, creates administration of the subject of information protection and resolves issues of activities of the subject of information protection in the limits and procedure determined by constituent documents;

9) cyberincident - the event or set of unfavorable events of accidental nature or having signs of possible cyber attack which pose safety hazard of information infrastructure, create probability of violation of the normal mode of its functioning, and also threaten security of information resources;

10) the key subject of information protection - subject of information protection which belongs to one category or more:

payment institute of significant payment system if it performs functions of the operator of services of payment infrastructure in this payment system;

significant operator of services of payment infrastructure;

the operator of services of payment infrastructure who serves the payment system created by the nonresident and which got permission of the National Bank of Ukraine (further - National Bank) to provide the services in Ukraine;

the operator of services of payment infrastructure who serves more than one payment system;

11) the user of IC - the authorized worker of the subject of information protection who has opportunity to perform creation, viewing, processing, modification, storage and removal of information in IC;

12) cryptographic algorithm - algorithm which determines rules of transformation of information for the purpose of its cryptographic protection;

13) the critical room - data-processing center, the server room or other room in which systems which perform processing, storage or transfer of electronic documents for transfer, archives and/or other critical data are placed;

14) critical data - data which unauthorized use leads to violation of information security or violation of the rights of users of payment system;

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info