Cybersecurity Legal Conference gathered lawyers and experts specializing in technologies
On 2 October, Asters law firm, in cooperation with Yuridicheskaya Praktika Publishing, held the Cybersecurity Legal Conference. The event brought together representatives of state authorities, leading lawyers, compliance and information security officers, and IT professionals from the largest international and Ukrainian companies.
Opening the first panel, dedicated to the first anniversary of the law on cybersecurity, Yuriy Kotliarov, partner heading Asters' TMT practice and head of CyberDesk, recalled that the agreed text of the EU Directive on security of network and information systems was published on 18 December 2015. For the participating countries, the deadline to implement its provisions in national legislation was set for 9 May that year. However, only 6 countries have implemented it in full, and two more countries are close to finalizing this process.
Moreover, on 5 September 2017, the Law of Ukraine On Principles of Cyber Security was adopted. To implement this document, basic regulatory and legal instruments are currently being developed.
Aleksandr Chauzov, first deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, spoke first-hand about regulatory initiatives, noting that a number of regulations are still being prepared, including the audit procedure and the criteria for designating critical infrastructure facilities. “Our regulations are also derived from international experience. And taking into account the fact that Ukraine is a very active cyberpolygon, we include new aspects in these acts to continuously improve them,” he pointed out.
In his turn, Dmitriy Zolotukhin, deputy minister of Information Policy, said that comprehensive information distribution is a very important issue. This is because, as a rule, the main objective of most attacks is to spread information and to inflict reputational damage by influencing the media.
Aleksandr Derlig, Member of the Board, PJSC CB PrivatBank, noted that the banking sector is a critical infrastructure facility. Moreover, in addition to the obligation to fulfill all regulatory requirements, banks have also undertaken to comply with the requirements of international payment systems. Despite controls and multi-level security systems, banks still experience attacks. With that in mind, incident management centers need to be created in Ukraine.
When discussing the effectiveness of cyber defense system operation, participants noted the importance of three components: people, processes and technologies.
Yevgeniy Gulak, deputy director of the Security Department, TASCOMBANK JSC, noted that the NBU has recently adopted many formal documents in this area, and, accordingly, the industry is now one of the most regulated. He also drew attention to the need to develop procedures for responding to different situations.
Continuing the discussion, Andrey Derecha, security officer of the subsidiary enterprise Erickson Ukraine, noted that having certain compliance standards in place is often a requirement of European counterparties.
Yulia Semeniy, partner at Asters law firm, recalled that a new personal data protection regulation, the GDPR, has recently entered into force in the EU; its provisions are extraterritorial and apply, among others, to Ukrainian businesses.
Liudmila Tseitlina, head of the Planning and Analytical Division of the Legal Department, PrJSC VF Ukraine, spoke about the impact of the new rules on the operations of telecommunications companies in Ukraine. The speaker identified as areas of potential risk the provision of services to EU residents, as well as the provision of roaming and international long-distance call services, in the territory of Ukraine or the EU, in partnership with operators that are EU residents. She named termination of roaming services, should the EU supervisory authority confirm a breach on the part of the Ukrainian operator, as the most serious consequence of violating GDPR requirements.
Dmitriy Cherkas, a specialist of the Information Security Management Department, JSC PIRAEUS BANK MKB, pointed out that the main purpose for which banks collect personal data is to meet the requirements of anti-money laundering and anti-terrorist financing legislation. He commented on the specifics of personal data processing and deletion, including deletion at the request of the bank’s client. At the same time, a conflict between GDPR provisions and the national legislation of Ukraine is possible.
Finally, Aleksandra Pustovalova, legal expert at the Helsi electronic medical system, emphasized that the medical reform is creating the foundations for GDPR application. On the other hand, private medical institutions have already gained some experience in handling patients' personal data. Among the current issues, she highlighted the unresolved mechanisms for medical data exchange, noting that if all the requirements of Ukrainian legislation are complied with, even the non-sector-specific ones, the personal data of Ukrainian patients are protected quite well, and in some cases national requirements are even stricter than those provided for in the GDPR.