The resolution aims to improve cybersecurity control mechanisms in the Ukrainian banking system. It amends two NBU regulations: the Regulation on Monitoring Banks' Compliance with Information Security Requirements and the Cybersecurity Organization Regulation. The key innovation is a clear procedure for reporting cyber incidents, together with stronger cybersecurity requirements for banks.
Structure and main provisions:
1. Changes to the Regulation on Monitoring Banks’ Compliance with Information Security Requirements:
– Clarification of terminology and control procedures
– New reporting requirements for banks
– Detailed bank inspection procedures
2. Changes to the Cybersecurity Organization Regulation:
– Introduction of the concept of “significant cyber incident”
– Establishing clear reporting timelines for incidents
– Defining cyber incident criticality levels
– Detailing procedures for informing the NBU about cyber incidents
Key practical aspects:
1. Banks are obliged to notify the NBU about significant cyber incidents within 24 hours
2. A three-level reporting system is introduced: preliminary notification (24 hours), interim report (72 hours), and final report (1 month)
3. The NBU establishes a taxonomy of cyber incidents and their criticality levels
4. Banks must inform the NBU about significant changes in cybersecurity organization within 5 working days