RESOLUTION OF BOARD OF THE NATIONAL BANK OF UKRAINE

of May 19, 2021 No. 43

About approval of the Regulations on information security and cyberprotection of the payment market by participants

According to Articles 7, 15, 56 Laws of Ukraine "About the National Bank of Ukraine", to Articles 14, 17, 18, 19, 22, 38 Laws of Ukraine "About payment systems and money transfer in Ukraine", to Articles 6, 8 Laws of Ukraine "About the basic principles of ensuring cyber security of Ukraine", for the purpose of establishment of requirements for ensuring information security and cyberprotection in the Board of the National Bank of Ukraine DECIDES: payment service providers

1. Approve Regulations on information security and cyberprotection of the payment market by participants (further - the Provision) which are applied.

2. To payment institutes of payment systems, participants/members of payment service providers and operators of services of payment infrastructure within 12 months from the date of entry into force of this resolution:

To develop/finish 1) taking into account requirements of the Provision and to approve internal documents on information security and cyberprotection;

2) to bring the activities into accord with requirements of the Provision.

3. To department of safety (Igor Konovalov) after official publication to inform payment institutes of payment systems, participants/members of payment service providers, operators of services of payment infrastructure information on adoption of this resolution.

4. To impose control over the implementation of this resolution on the Chairman of National Bank Kirill Shevchenko.

5. The resolution becomes effective from the date of, its official publication following behind day.

Approved by the Resolution of Board of the National Bank of Ukraine of May 19, 2021 No. 43

Regulations on information security and cyberprotection of the payment market by participants

I. General provisions

1. This Provision is developed according to the Laws of Ukraine "About the National Bank of Ukraine", "About payment services", "About the basic principles of ensuring cyber security of Ukraine", "About electronic confidential services".

2. This Provision determines requirements and actions for ensuring information security, cyberprotection and information security in the sphere of provision of payment services and control of their accomplishment.

3. The terms used in this Provision are used in such value:

1) the administrator - appointed the head, his deputy or governing body of the subject of information protection (further - management) the responsible person who provides maintenance and management program and/or hardware or resources;

2) No. 119 Is excluded according to the Resolution of Board of the National Bank of Ukraine of 13.06.2022

3) the virtual computer - emulation of computer system which provides functionality of the physical computer and works under control of hypervisor;

4) hypervisor - set program and the hardware providing parallel functioning of several virtual computers on one computer, isolating these virtual computers and possibility of management of the available resources, possibility of resource allocation between virtual computers which are used;

5) remedy of network - program or the hardware which protects the information system used for provision of payment services (further - IC), from unauthorized access to its network components, accidental or intentional interference in network functioning;

6) information security - preserving confidentiality, integrity and availability of information;

7) incident of information security - event or series of events of violation of information security which can lead to losses and losses for the subject of information protection or users of payment services;

8) the head of the subject of information protection - the official designated by the owner of the subject of information protection acting on behalf of the subject of information protection who represents its interests in public authorities and local government bodies, other organizations in the relations with legal entities and citizens, creates administration of the subject of information protection and resolves issues of activities of the subject of information protection in the limits and procedure determined by constituent documents;

9) cyberincident - the event or set of unfavorable events of accidental nature or having signs of possible cyber attack which pose safety hazard of information infrastructure, create probability of violation of the normal mode of its functioning, and also threaten security of information resources;

10) the key subject of information protection - the subject of information protection belonging to one category or more:

the operator of significant payment system, if he performs functions of the technological operator of payment services in this payment system;

important technological operator of payment services;

the technological operator of payment services who provides services to the payment system created by the nonresident and who got permission of the National Bank of Ukraine (further - National Bank) to provide the services in Ukraine;

the technological operator of payment services providing services more than one payment system;

11) the user of IC - the authorized worker of the subject of information protection who has opportunity to perform creation, viewing, processing, modification, storage and removal of information in IC;

12) cryptographic algorithm - algorithm which determines rules of transformation of information for the purpose of its cryptographic protection;

13) the critical room - data-processing center, the server room or other room in which systems which perform processing, storage or transfer of payment instructions and their archives and/or other critical data are placed;

Critical data - data, unauthorized use or loss of which leads 14) to violation of information security or violation of the rights of users of payment services;

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info