Document from CIS Legislation database © 2012-2026 CIS Legislation Company

Unofficial translation (c) Soyuzpravoinform LLC

RESOLUTION OF THE BOARD OF THE NATIONAL BANK OF UKRAINE

of February 25, 2025 No. 24

On approval of Amendments to certain regulatory legal acts of the National Bank of Ukraine concerning information security and cyberprotection

Pursuant to Articles 7, 15 and 56 of the Law of Ukraine "On the National Bank of Ukraine", the Laws of Ukraine "On Banks and Banking Activity", "On the Basic Principles of Ensuring Cyber Security of Ukraine" and "On Electronic Identification and Electronic Trust Services", and for the purpose of regulating the function of control over the provision of cyberprotection, information security and electronic trust services in the banking system of Ukraine, the Board of the National Bank of Ukraine resolves:

1. To approve the Amendments to:

1) the Regulation on Control over Banks' Compliance with Legislative Requirements concerning Information Security, Cyberprotection and Electronic Trust Services, approved by Resolution of the Board of the National Bank of Ukraine No. 4 of January 16, 2021, as attached;

2) the Regulation on the Organization of Cyberprotection in the Banking System of Ukraine, approved by Resolution of the Board of the National Bank of Ukraine No. 178 of August 12, 2022, as attached.

2. The Security Department (Alexander Palamarchuk) shall, after official publication, inform the banks of Ukraine of the adoption of this Resolution.

3. Control over the implementation of this Resolution is assigned to the Governor of the National Bank of Ukraine Andrey Pyshny.

4. This Resolution enters into force on the day following the day of its official publication.

Governor

Andrey Pyshny

Approved by Resolution of the Board of the National Bank of Ukraine of February 25, 2025 No. 24

Amendments to the Regulation on Control over Banks' Compliance with Legislative Requirements concerning Information Security, Cyberprotection and Electronic Trust Services

1. In Section I:

1) restate Item 1 as follows:

"1. This Regulation has been developed in accordance with the Laws of Ukraine "On the National Bank of Ukraine", "On Banks and Banking Activity", "On the Basic Principles of Ensuring Cyber Security of Ukraine", "On Electronic Documents and Electronic Document Management" and "On Electronic Identification and Electronic Trust Services", taking into account Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, the Regulation on the Organization of Measures to Ensure Information Security in the Banking System of Ukraine, approved by Resolution of the Board of the National Bank of Ukraine No. 95 of September 28, 2017 (hereinafter - Regulation No. 95), the Regulation on a Qualified Provider of Electronic Trust Services Entered in the Trust List upon Submission of the Certification Center, approved by Resolution of the Board of the National Bank of Ukraine No. 116 of September 19, 2019 (as amended) (hereinafter - Regulation No. 116), and the Regulation on the Use of Cryptographic Information Protection Means of the National Bank of Ukraine, approved by Resolution of the Board of the National Bank of Ukraine No. 49 of April 14, 2023 (hereinafter - Regulation No. 49).";

2) in Item 3:

replace subitem 1 with two new subitems as follows:

"1) information security audit (hereinafter - external information security audit) - the process by which the bank obtains an assessment of its information security based on the results of an information security audit procedure;

1-1) permanent control measures - analysis of information and documents on the bank's activities concerning information security, cyberprotection and the provision of qualified electronic trust services, carried out by the National Bank in the manner established in Section III of this Regulation without visiting the bank's location;";

delete subitem 8;

supplement subitems 9 and 10 with the words "and/or outside it by way of remote access to documents, information and automation systems using information and communication technologies;";

in paragraph thirteen, replace the words "On Electronic Trust Services" with the words "On Electronic Identification and Electronic Trust Services";

3) restate subitem 5 of Item 4 as follows:

"5) verification of compliance with the requirements of Regulation No. 116 and Regulation No. 49.";

4) delete Item 6.

2. In Section II:

1) in Item 8:

restate subitem 3 as follows:

"3) analysis of information, documents and reports received from banks pursuant to this Regulation, Regulation No. 116 and Regulation No. 49;";

in subitem 6, replace the word "conclusions" with the word "information";

restate paragraph eight as follows:

"The inspection plan is approved by the National Bank. Information on the list of banks whose inspections are included in the approved plan is published on the official website of the National Bank.";

2) restate subitem 3 of Item 10 as follows:

"3) violation of the requirements of Regulation No. 116.";

3) in paragraph one of Item 11, replace the figure "20" with the figure "10";

4) in Item 15:

in subitems 1 and 6, replace the word "telecommunication" with the word "communication";

supplement the Item with two new subitems 7 and 8 as follows:

"7) to carry out photo/video recording, using the National Bank's equipment, during the demonstration procedure specified in subitem 6 of Item 15 of Section II of this Regulation;

8) to schedule and conduct interviews with the bank's managers and with employees of the bank's structural units whose area of responsibility covers information security and cyberprotection, management of information and communication technologies, and the bank's operational risk management.";

supplement the Item with two new paragraphs as follows:

"The demonstration specified in subitem 6 of Item 15 of Section II of this Regulation is carried out at the bank's location (on the premises of the bank's units that perform maintenance/administration of software, in equipment rooms, on the premises housing the software and hardware that ensure the bank's information security and cyberprotection, and on the premises related to the provision of electronic trust services) and/or by video conference, and may be accompanied by photo/video recording of facts showing signs of the bank's non-compliance with legislative requirements concerning information security, cyberprotection and the provision of electronic trust services.

The interview specified in subitem 8 of Item 15 of Section II of this Regulation is held by agreement with the inspection curator and with prior notification of the bank's contact person, directly at the bank's location or by means of video conference.";

5) after Item 15, supplement the Section with new Item 15-1 as follows:

"15-1. The photo/video recording materials (data) obtained pursuant to subitem 7 of Item 15 of Section II of this Regulation are filed with the inspection materials.";

6) in subitem 6 of Item 17, replace the word "telecommunication" with the word "communication";

7) in Item 25, replace the words "supervision (oversight) of payment systems" with the words "oversight of payment infrastructure";

8) restate Item 26 as follows:

"26. The results of the inspection of the matters specified in subitem 5 of Item 4 of Section I of this Regulation are submitted to the Certification Center for a decision on:

1) sending the qualified provider of electronic trust services a letter on eliminating the violations/shortcomings identified by the inspection;

2) informing the specially authorized central executive body for the organization of special communications and information protection in the areas of electronic trust services and electronic identification of the identified violations of the requirements of Regulation No. 116, for action in accordance with the requirements of legislation in the field of electronic trust services.".

3. After Item 28, supplement Section III with new Item 28-1 as follows:

"28-1. The bank shall notify the National Bank of significant changes in the organization of the bank's information security and cyberprotection related to:

1) dismissal, transfer to another position or appointment of the CISO;

2) changes in the distribution of functions, duties and powers of the bank's management and control bodies on matters of information security and cyberprotection;

3) changes in the bank's organizational structure with respect to the units responsible for ensuring the bank's information security and cyberprotection;

4) a decision to introduce a new product or to make significant changes in the bank's activities that will affect the organization of the bank's information security and cyberprotection;

5) a decision to outsource functions of ensuring the bank's information security/cyberprotection or to change the supplier of such services.

The bank makes such notification by submitting a message via the National Bank's e-mail system in the form set out in Appendix 1 to this Regulation within five working days from the date the changes are introduced.".

4. In Section IV:

1) in Item 30, replace the words "information security risks / cyber risks" with the words "processes of organizing and ensuring information security / cyberprotection";

2) restate Item 31 as follows:

"31. The head of the bank shall ensure that complete and reliable information is provided in the report drawn up in the form set out in Appendix 2 to this Regulation and that the report is submitted to the National Bank in a timely manner.";

3) after Item 31, supplement the Section with two new Items 31-1 and 31-2 as follows:

"31-1. The report is submitted to the National Bank in electronic form in xlsx format, signed with the qualified electronic signature (QES) of the head of the bank, via the National Bank's e-mail system, taking into account the requirements established by the National Bank for the transfer of documents bearing a restricted-access marking.

31-2. The report is drawn up annually as of March 31 and submitted to the National Bank within one month following the reporting period.".

5. Delete the Appendix to the Regulation.

6. Supplement the Regulation with two new appendices, stated as follows:

"Appendix 1

to the Regulation on Control over Banks' Compliance with Legislative Requirements concerning Information Security, Cyberprotection and Electronic Trust Services (Item 28-1 of Section III)

Notification of significant changes in the organization of information security and cyberprotection

(form provided as an attachment in the original language, 14 Kb)

Appendix 2

to the Regulation on Control over Banks' Compliance with Legislative Requirements concerning Information Security, Cyberprotection and Electronic Trust Services (Item 31 of Section IV)

Assessment of the processes of organizing and ensuring information security / cyberprotection

(form provided as an attachment in the original language, 62 Kb)

".

Approved by Resolution of the Board of the National Bank of Ukraine of February 25, 2025 No. 24

Amendments to the Regulation on the Organization of Cyberprotection in the Banking System of Ukraine

1. In Section I:

1) in Item 1:

delete the words and figures "the National Standard of Ukraine DSTU ISO/IEC 27032:2016 "Information technology. Security techniques. Guidelines for cybersecurity" (ISO/IEC 27032:2012, IDT), adopted by Order No. 448 of December 27, 2016 of the State Enterprise "Ukrainian Research and Training Center for Problems of Standardization, Certification and Quality",";

supplement the Item with the words and figures "Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.";

2) in Item 2:

after subitem 3, supplement the Item with new subitem 3-1 as follows:

"3-1) significant cyber incident - an event or a series of adverse events of an unintentional nature and/or events having signs of a possible (potential) cyber attack, whose level of criticality significantly threatens the regular functioning of the bank's information systems that directly automate banking activity and has a considerable negative impact on the provision of banking services, which may lead to changes in the functionality of such services or make them unavailable;";

after subitem 9, supplement the Item with new subitem 9-1 as follows:

"9-1) level of criticality of a cyber incident - the degree of negative impact on the bank and/or on the entities of the cyberprotection system in the banking system of Ukraine that may result from the realization of cyber threats;";

after subitem 10, supplement the Item with new subitem 10-1 as follows:

"10-1) systemic cyber risk - the risk of a breach of banking system stability as a result of the realization of cyber threats against an individual bank due to corresponding shortcomings in its cyber resilience;";

in paragraph sixteen, delete the word "independent";

3) in subitem 4 of Item 3, delete the word "independent";

4) in Item 4, replace the words "information security risks / cyber risks" with the words "processes of organizing and ensuring information security / cyberprotection";

5) in Item 5, replace the words and figures "in Section IV" with the words and figures "in Sections II and IV".

3. In Section II:

1) replace paragraph two of Item 11 with four new paragraphs as follows:

"The National Bank approves and posts on the portal of the Cyberprotection Center:

1) the rules of operation of the Cyberprotection Center;

2) the procedure for banks to report significant cyber incidents;

3) the procedure for information exchange.";

2) restate paragraph five of subitem 3 of Item 13 as follows:

"development of a list of categories of cyber incidents (taxonomy) and their levels of criticality in the banking system of Ukraine (hereinafter - the List of categories of cyber incidents) and publication of that list on the portal of the Cyberprotection Center;";

3) after Item 19, supplement the Section with three new Items 19-1 to 19-3 as follows:

"19-1. The National Bank establishes requirements for the procedure by which banks report significant cyber incidents. A description of these requirements and the message templates are set out in the procedure for reporting significant cyber incidents, posted on the portal of the Cyberprotection Center in the section "Banks/documentation".

19-2. A bank that has recorded a cyber incident/cyber attack determines its preliminary level of criticality in accordance with the List of categories of cyber incidents published on the portal of the Cyberprotection Center in the section "Banks/documentation".

In order to prevent the realization of systemic cyber risk, the bank shall notify the Cyberprotection Center of a significant cyber incident without undue delay, in the following manner:

1) within 24 hours after the bank became aware of the significant incident, by submitting an initial notification by e-mail to the mailbox cyber@bank.gov.ua in accordance with the procedure for banks to report significant cyber incidents;

2) within 72 hours after the bank became aware of the significant incident, by submitting an intermediate report containing updated information on the significant cyber incident through the portal of the Cyberprotection Center or by e-mail to the mailbox csirt-nbu@bank.gov.ua in accordance with the procedure for banks to report significant cyber incidents;

3) at the request of CSIRT-NBU, by submitting a response containing an interim statement on the corresponding update of the cyber incident's status;

4) no later than one month after submission of the notification of the significant incident under subitem 2 of Item 19-2 of Section II of this Regulation, by submitting a final report containing:

a detailed description of the cyber incident, including its consequences and impact on the bank's activities;

the type of threat or the root cause that probably triggered the cyber incident;

the measures taken by the bank to prevent a recurrence of the realization of cyber threats.

The report is submitted in electronic form, signed with the qualified electronic signature (QES) of the bank's CISO, via the National Bank's e-mail system.

19-3. The bank has the right to notify the Cyberprotection Center of a cyber incident that the bank has not determined to be significant, for the purpose and in the manner established in Section III of this Regulation.".

4. In Section V:

1) in the title of the Section, delete the word "independent";

2) in Item 42, delete the word "independent";

3) in subitem 2 of Item 45, replace the figure "38" with the figure "44".

 

Disclaimer: this text was produced by an AI translator and is not a valid legal document.
