Information Security and Cyber Protection for Financial Service Providers (NBU Regulation)
This guide is part of the documentation available in SecBoard. It summarises the Regulation on the organization of measures to ensure information security and cyber protection by financial service providers, approved by the Resolution of the Board of the National Bank of Ukraine of 09 December 2025 No. 143 (the Regulation / Положення). It explains scope, main requirements, and how SecBoard modules help insurers, credit unions, financial companies, and pawnshops implement and demonstrate compliance. Use SecBoard Framework Compliance with a Custom or Local framework to map controls and evidence; use other SecBoard modules for risk, assets, access, logging, incidents, policies, training, and third parties.
What is the Regulation (No. 143)?
The Regulation establishes requirements for information security and cyber protection for financial service providers (as defined by Ukrainian law): insurers (страховики), credit unions (кредитні спілки), financial companies (фінансові компанії), and pawnshops (ломбарди). It does not apply to payment service providers, certain other entities, or operators of postal services with currency trading rights. The Regulation references the Law on the NBU, the Law on Financial Services and Financial Companies, the Law on Insurance, the Law on Information Protection in Information and Communication Systems, the Law on Cybersecurity, EU DORA (Regulation (EU) 2022/2554), and national standards DSTU EN ISO/IEC 27000:2022, DSTU ISO/IEC 27001:2023, and DSTU ISO/IEC 27002:2023.
Objects of protection include: (1) insurance secrecy processed in insurers’ (reinsurers’, intermediaries’) systems; (2) financial service secrecy processed in the provider’s systems; (3) information and communication systems (ICTS) that support core business processes and/or interact with NBU systems. Providers must apply measures across the lifecycle of ICTS and implement a risk-based approach to cyber and information security risks. They must also implement a process for managing cyber risks and information security risks. When engaging external parties for security or incident response, NDA and sanctions/aggressor-state restrictions apply; software and hardware must comply with the Law on Sanctions, the Law on Information Protection, and the Law on Cybersecurity.
Structure of the Regulation
The Regulation is organised in three main sections. Key obligations are summarised below for mapping to SecBoard.
- Section I: Scope (insurers, credit unions, financial companies, pawnshops); definitions (e.g. user, privileged user, access management, risk-based approach, security incident); objects of protection; obligation to apply measures and to implement cyber/information security risk management; outsourcing conditions and sanctions compliance.
- Section II: Management and responsible person (policies, approval, training); internal documents (user awareness, annual review); access rights (groups, roles, least privilege, annual review); authentication (unique ID + password or token/cert/biometric); MFA for remote access; account lock/delete rules; password complexity (12/15 symbols) and change (90 days); logging (config, auth, access events, sessions, failures, account/password changes); log archive (≥1/year, retain ≥1 year); network protection and segmentation; DMZ; anti-malware; supported OS and applications; unsupported software risk analysis and migration plan; removable media policy.
- Section III: Process for managing cyber and information security incidents; approved response plan (impact assessment, roles, user actions, management reporting, storage and analysis); alignment with business continuity; contracts with external responders (incident response, monitoring); NBU right to request information and provider's obligation to respond in the required form and time.
Key requirement areas (Sections II and III)
| Area | Requirements (summary) |
|---|---|
| Governance & policies | Designate responsible person; approve internal documents (policies, procedures, standards); risk-based control mechanisms; annual review of internal documents (п. 11–15). |
| Asset & inventory | Actuality of register/list of software and hardware in ICTS at least once a year (п. 13). |
| Access control | Access rights by group/role; templates; annual review; least privilege; internal documents on identification, authentication, authorization, logging (п. 16–18). |
| Authentication & MFA | Unique identifier + password or HW identifier; MFA for remote access; lock after failed attempts or 90 days inactivity; privileged: stronger passwords or MFA, separate accounts; password rules 12/15 chars, change every 90 days (п. 19–25). |
| Logging & monitoring | Log access to config and logs, auth results, access events, sessions, failures, account/password changes, config changes; archive at least yearly; retain ≥1 year; protect logs (п. 26–28). |
| Network & malware | Network protection, segmentation, controlled access points; DMZ for client-facing services; anti-malware with current signatures (п. 29–30). |
| Systems & software | Supported OS and applications; block default/guest accounts; risk analysis and compensating controls for unsupported software; migration plan within 2 years (п. 31–36). |
| Removable media | Policy on use, categories, identification, sanitization, malware check (п. 37–38). |
| Incident management | Process and response plan; impact assessment; roles; management reporting; storage and analysis; contracts with external parties; NBU requests (п. 39–46). |
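The authentication rows above (п. 19–25) translate into a small set of account checks that an annual access review can run over an exported user list. The following is an added example, not SecBoard code; it assumes that the "12/15" minimum splits as 12 characters for ordinary users and 15 for privileged users, and reads "stronger passwords or MFA" for privileged accounts as "15+ characters or MFA enabled". The sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds as summarised on this page (п. 19–25). The 12/15 split and the
# "15+ chars or MFA" reading for privileged accounts are assumptions here.
MIN_LEN_USER = 12
MIN_LEN_PRIVILEGED = 15
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVITY_DAYS = 90


@dataclass
class Account:
    name: str
    privileged: bool
    remote_access: bool
    mfa_enabled: bool
    password_length: int
    password_set: date
    last_login: date
    separate_admin_account: bool = True  # privileged work kept off the daily account


def review_account(acct: Account, today: date) -> list[str]:
    """Return the п. 19–25 findings for one account; an empty list means no gap."""
    findings = []
    age = (today - acct.password_set).days
    idle = (today - acct.last_login).days
    if acct.privileged:
        if acct.password_length < MIN_LEN_PRIVILEGED and not acct.mfa_enabled:
            findings.append("privileged account has neither 15+ char password nor MFA")
        if not acct.separate_admin_account:
            findings.append("privileged duties not on a separate account")
    elif acct.password_length < MIN_LEN_USER:
        findings.append("password shorter than 12 characters")
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password not changed for {age} days (limit 90)")
    if idle > MAX_INACTIVITY_DAYS:
        findings.append(f"inactive for {idle} days: lock the account")
    if acct.remote_access and not acct.mfa_enabled:
        findings.append("remote access without MFA")
    return findings


def review_all(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each account name to its findings; attach the result as review evidence."""
    return {a.name: review_account(a, today) for a in accounts}


# Constructed sample accounts (not real data) that exercise each rule.
TODAY = date(2026, 6, 1)
SAMPLE = [
    Account("o.ivanenko", False, True, True, 14, date(2026, 4, 1), date(2026, 5, 30)),
    Account("m.petrenko", False, True, False, 10, date(2026, 1, 15), date(2026, 2, 10)),
    Account("adm-sydorenko", True, False, False, 13, date(2026, 5, 1), date(2026, 5, 31),
            separate_admin_account=False),
]
```

Running `review_all(SAMPLE, TODAY)` gives no findings for the first account, four for the second (short password, stale password, inactivity, remote access without MFA) and two for the privileged account.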
How SecBoard modules support the Regulation (No. 143)
SecBoard does not replace technical or physical controls but helps you document scope, map requirements to controls, collect evidence, and track status. Use the modules below in line with your role (insurer, credit union, financial company, pawnshop) and NBU expectations.
| SecBoard module | Regulation area | How it helps |
|---|---|---|
| Framework Compliance | All sections (controls, evidence) | Create a Custom or Local framework (e.g. “NBU 143 – Information security and cyber protection for financial service providers”). Map control categories and controls to the Regulation’s paragraphs (governance, access, logging, incident, etc.). Attach evidence (documents, links), assign owners and review dates. Use for gap analysis and NBU readiness. Dashboard and Cabinet traffic light show status. |
| Risk Assessment | п. 6–8, 34 (risk management) | Document cyber and information security risk management; risk assessment and treatment. Use for risk-based approach and for unsupported-software risk analysis (п. 34). Link risks to Framework Compliance controls. |
| Incident Register | Section III (п. 39–46) | Record and manage cyber and information security incidents. Document response, impact, and lessons learned. Use for incident management process and response plan evidence; store incident information for analysis and NBU requests. Link to Framework Compliance. |
| Asset management | п. 13 (inventory) | Maintain inventory of ICTS components (software, hardware). Support annual actualisation of the register per п. 13. Use for scope and asset-list evidence. Asset Guide available. |
| Keys & Certificates | п. 19, 25 (auth, certificates) | Manage certificates and tokens used for authentication (e.g. software/hardware identifiers per п. 19). Track lifecycle. Key/Cert Guide available. |
| Document Register / Legislative docs | п. 11–15, 18, 37 (policies) | Store and version internal documents (policies, procedures, standards, access management, removable media). Link to Framework Compliance evidence. Supports governance and annual review. Legislative docs for official texts (e.g. Regulation No. 143). Mandatory Processes for recurring control activities. |
| Access management | п. 16–18, 19–25 (access, users) | Manage users, groups, roles, and permissions; support least privilege and annual access review (п. 17). Document access model (groups, roles, templates). Cabinet Users Guide and Org Structure support documentation of responsible person and roles. |
| SOC / Wazuh | п. 26–28 (logging, monitoring) | Centralise logs, monitor access and config changes. Use for logging and monitoring evidence (events listed in п. 26); support log retention and protection. FIM Dashboard Guide available. Attach reports in Framework Compliance. |
| Gophish | п. 14 (awareness) | Phishing simulations and awareness. Support user awareness and behaviour in line with internal documents (п. 14). Gophish Guide available. |
| Study / Training | п. 11, 14 (training, awareness) | Deliver and track security awareness and training; support training of the responsible person (п. 11) and user awareness (п. 14). Password policy (e.g. complexity) can support п. 22–24 where applicable. |
| Access | п. 16–18 (access control) | Manage application and resource access. Use with Cabinet for access rights and authentication evidence. |
| TPRM | п. 9, 42–43 (external parties) | Manage vendors and external responders (п. 9). Use Vendor, VendorAssessment, VendorQuestionnaire, VendorDocument for contracts, NDA, and incident-response terms (п. 42–43). Evidence for Framework Compliance. |
| GDPR | Data protection overlap | Where personal data or insurance/financial secrecy overlaps with processing of personal data, use Data Processing Activities, Data Retention Policy, DataBreachIncident for documentation. Link to Framework Compliance where relevant. |
| Configuration | Scope by entity | Define companies (e.g. insurer, branch). Use to scope the Regulation by entity and align Framework Compliance instances. |
Quick mapping: Regulation area → SecBoard
| Regulation area | SecBoard modules to use |
|---|---|
| Governance, policies, review | Framework Compliance, Document Register, Legislative docs, Mandatory Processes. |
| Risk management (п. 6–8, 34) | Framework Compliance, Risk Assessment. |
| Asset / software inventory (п. 13) | Framework Compliance, Asset management. |
| Access, authentication, MFA (п. 16–25) | Framework Compliance, Cabinet, Access, Study (password policy), KeyCert (certs/tokens), Document Register (policies). |
| Logging & monitoring (п. 26–28) | Framework Compliance, SOC, Document Register (procedures). |
| Network, malware (п. 29–30) | Framework Compliance, Document Register (network protection measures), SOC (monitoring). |
| Incident management (Section III) | Framework Compliance, Incident Register, TPRM (external responders), Document Register (response plan). |
| External parties (п. 9, 42–43) | Framework Compliance, TPRM, Document Register (contracts). |
Getting started with the Regulation in SecBoard
- Create a framework: In Framework Compliance, create a Custom framework (e.g. “NBU 143 – Information security and cyber protection for financial service providers”). Add control categories and controls aligned to Sections I–III and key paragraphs (governance, inventory, access, auth/MFA, logging, incident, external parties).
- Policies and governance: Store internal documents (policies, procedures, access management, removable media) in Document Register. Link to controls. Use Legislative docs for the official Regulation text (No. 143). Assign responsible person and document annual review (п. 15).
- Risk and assets: Use Risk Assessment for cyber and information security risk management (п. 6–8) and for unsupported-software risk analysis (п. 34). Use Asset management for ICTS software/hardware inventory and annual actualisation (п. 13).
- Access and authentication: Use Cabinet and Access for users, groups, roles, and least privilege; document annual access review (п. 17). Align password and MFA practices with п. 19–24 (Study, IdP/app layer). Use KeyCert for certificates/tokens. Link evidence to controls.
- Logging and incidents: Use SOC for logging and monitoring evidence (п. 26–28). Use Incident Register for incident process and response plan (Section III); document response and storage/analysis. Use TPRM for external responders and contracts (п. 42–43).
- Review and NBU readiness: Use Framework Compliance dashboard to track status. Keep evidence up to date for NBU requests (п. 44–46).
NBU Regulation No. 143 and SecBoard
The Regulation on the organization of measures to ensure information security and cyber protection by financial service providers (Положення, approved by NBU Board Resolution of 09.12.2025 No. 143) applies to insurers, credit unions, financial companies, and pawnshops. Use SecBoard Framework Compliance (Custom/Local framework) to map controls and evidence; use Risk Assessment, Incident Register, Asset, Document Register, Cabinet, SOC, Study, Gophish, TPRM, and KeyCert to support governance, inventory, access, authentication, logging, incident management, and third-party requirements. Align with DSTU ISO/IEC 27001 and 27002 where referenced by the Regulation.
Providers have 12 months from the entry into force of the Resolution to bring their activities into compliance with the Regulation. Keep documentation and evidence ready for internal review and NBU requests.
Frequently asked questions
What is the Regulation (No. 143)? — The NBU Board Resolution of 09 December 2025 No. 143 approved the Regulation on the organization of measures to ensure information security and cyber protection by financial service providers (Положення). It applies to insurers, credit unions, financial companies, and pawnshops and sets requirements for governance, risk management, access, authentication, MFA, logging, network protection, supported software, removable media, and incident management.
Who must comply? — Financial service providers as defined: insurers (including reinsurers, intermediaries in the scope set by the Regulation), credit unions, financial companies, and pawnshops. Specific cross-references apply (e.g. to other NBU regulations). Payment service providers and certain other entities are excluded (п. 4).
How do I map the Regulation in SecBoard? — In Framework Compliance, create a Custom or Local framework (e.g. “NBU 143”). Add control categories and controls per sections and paragraphs (I: scope/risk; II: governance, inventory, access, auth, logging, network, software, media; III: incidents). Attach evidence from Document Register, Asset, Cabinet, SOC, Incident Register, TPRM, Risk. Use the dashboard to track status.
Which modules support incident management (Section III)? — Incident Register for recording and managing incidents and response; Document Register for the response plan and procedures; TPRM for contracts with external responders (п. 42–43). Link evidence to the relevant controls in Framework Compliance.
What about MFA and password requirements? — The Regulation requires MFA for remote access (п. 20), strong passwords (12/15 symbols, change every 90 days), and special rules for privileged users (п. 22–24). Implement in your IdP and applications; use Cabinet and Study to document access model and awareness; use Framework Compliance to attach policy and evidence.