Saudi Arabia: Potential impact of cybersecurity regulatory framework
The Kingdom of Saudi Arabia ('KSA') has been leading change within digital transformation thanks to the implementation of the National Transformation Plan and the ambitious 'Vision 2030.' This transformation is inevitably building a wealth of data, and digital products and services, that necessitate careful attention to cybersecurity, which has developed rapidly from a private sector concern to a matter of national security. Karim Fawaz and Bilal Al Samarrai, from CMS (UAE) LLP and Feras Al Shawaf Law Firm, in association with CMS, respectively, discuss the current cybersecurity legislation in the KSA, including sector specific laws, their scope, and who they apply to.
So, how is the KSA readying its regulatory environment in relation to cybersecurity, and how is the market responding? Starting with a National Digital Transformation Unit, the KSA now has a National Committee for Digital Transformation that has been established by a Royal Decree, to ensure the involvement of as many government bodies as possible to collaborate towards growing a digital society.
Development of regulatory bodies
Despite the size of its economy, as well as its demographic composition, the KSA has been agile in structuring and restructuring the government bodies that are mandated to look after the KSA's growing wealth of data and to protect it. Given the rapid developments, it is worth understanding the current bigger picture.
Towards the end of August 2019, the Saudi Authority for Data and Artificial Intelligence ('the Authority') was established, and it reports directly to the Prime Minister, HRH King Salman Bin Abdulaziz Al Saud. Under the Authority, there are a few sub-authorities, one of which is the National Cybersecurity Authority ('NCA'). The NCA was established by Royal Decree No. 55775 dated 1/12/1438H (corresponding to 23 August 2017), and the Statute of the NCA was issued by Royal Decree No. 6801, dated 11/2/1439H, corresponding to 31 October 2017 ('the NCA Law'). The NCA succeeded the Data Security Supervisory Council, and both the National Centre for Electronic Security at the Ministry of Interior and the National Data Security Centre (Computer Emergency Response Team) at the Communication and Information Technology Commission ('CITC') were merged into the NCA.
The NCA has both regulatory and operational functions related to cybersecurity, and it works closely with public and private entities to improve cybersecurity in the KSA. Article 4 of the NCA Law gives the NCA a mandate over the following, amongst other matters:
- developing and revising the national strategy for cybersecurity and overseeing its implementation;
- developing and revising cybersecurity frameworks, and ensuring compliance with the same;
- identifying and classifying critical infrastructure, and identifying the relevant authorities/bodies whose cybersecurity should be prioritised;
- notifying relevant authorities of cybersecurity risks;
- building and operating national cybersecurity operation centres;
- regulating data sharing mechanisms between various bodies and in various sectors, and exercising oversight of the same;
- extending support to the relevant authorities in the event of any investigation of cybersecurity crimes;
- establishing and revising national standards for encryption, and ensuring compliance with the same;
- establishing and revising rules for the import, use, export, and licensing of critical equipment and software, in terms of cybersecurity, and ensuring compliance with the same; and
- licensing individuals and non-government entities for cybersecurity related activities.
Considering the wide scope of the NCA's mandate, the KSA appears to be covering cybersecurity from all perspectives, from regulation to awareness and infrastructure.
Prior to the development of the NCA Law, the Saudi Anti-Cyber Crime Law was issued by Royal Decree No. M/17 dated 8/3/1428H, corresponding to 27 March 2007. Recognising crimes in cyberspace made it necessary to develop regulatory frameworks for cybersecurity.
NCA – laws, rules and guidelines
Cybersecurity has been defined in the NCA Law as the protection of IT systems and networks, as well as systems and components of operating technologies, including hardware and software components, together with services provided thereby and data included therein, against unlawful hacking, obstruction, modification, access, use, or exploitation.
The NCA accordingly issued the Essential Cybersecurity Controls ('ECC') in 2018, which are in force under Sovereign Decree No. 57231 dated 10/11/1439H / 23 July 2018, and which apply to government organisations in the KSA, including ministries, authorities, and establishments, and government owned companies and entities, as well as private sector organisations owning, operating, or hosting Critical National Infrastructures ('CNI'). The NCA further defines CNIs as assets, such as facilities, systems, networks, processes, and the key operators who operate and process them, whose loss or vulnerability to security breaches may lead to certain significant impacts. Further, the applicability of certain controls of the ECC depends on the technology being used by, or the business of, the concerned organisation.
Cybersecurity for e-commerce
E-commerce is another field that the KSA is developing [1]. The NCA has therefore issued the Cybersecurity Guidelines for E-Commerce Service Providers ('CGESP'). The CGESP is a non-binding document representing best practices, and addresses small and medium enterprises and small offices/home offices (merchants) carrying out e-commerce activities. The NCA has also issued another guiding document, the Cybersecurity Guidelines for E-Commerce Consumers ('CGEC'). Both the CGESP and the CGEC address the protection of e-commerce data and systems. Whilst these are specifically e-commerce related, the banking and transactional aspects of cybersecurity are regulated differently.
Cybersecurity in the banking sector
As mentioned above, the KSA is entering the international digital market as an influential player. In view of the rapid growth, we have seen KSA organisations seeking to comply with the standards of the Payment Card Industry Security Standards Council. Whilst this relates more to self-regulation, the Saudi Arabian Monetary Authority ('SAMA'), the central bank and the banking regulator in the KSA, has been prudent about cybersecurity.
In May 2017, the SAMA issued the Saudi Arabian Monetary Authority Cybersecurity Framework ('SAMA Cybersecurity Framework'), which applies to institutions that are regulated by the SAMA. These institutions include banks, insurance and reinsurance companies, financing companies, and credit bureaus. The SAMA Cybersecurity Framework is based on industry standards, such as the National Institute of Standards and Technology ('NIST'), the International Organisation for Standardisation ('ISO'), and the Basel Committee on Banking Supervision, and identifies three objectives in respect of information assets, namely confidentiality, integrity, and availability.
It aims at securing at least a 'level 3' cybersecurity maturity level, which ensures that:
- cybersecurity controls are defined, approved, and implemented in a structured and formalised way; and
- the implementation of cybersecurity controls can be demonstrated.
Cybersecurity in the information and telecommunications technology sector
As another essential sector in Saudi Arabia's transformational plans, the CITC published, in May 2019, a draft regulatory framework ('the Framework') for cybersecurity in the information and communications technology sector, for public consultation. The Framework is based on industry standards, such as NIST, the European Telecommunications Standards Institute, and the ISO.
The Framework is intended to apply to all service providers ('SPs') licensed by the CITC, who are required to comply with the minimum cybersecurity requirements provided therein. Being a comprehensive document, certain cybersecurity controls may not apply to all SPs. For example, if an SP does not develop software, then compliance with the secure software development category/controls (Category ID: 4.14) will not be required. Nevertheless, the control will apply if software is developed via a third party.
We have seen the CITC actively developing other regulations that relate to cybersecurity, such as the Cloud Computing Regulatory Framework.
Controls for the use of telecommunication and IT in government agencies
The Council of Ministers approved the Regulations to use Information and Communication Technologies in Government Agencies ('the Government IT Rules') through its Resolution No. 555 dated 23/9/1440H, corresponding to 28 May 2019, repealing similar rules that were issued previously. The Government IT Rules set out rules in respect of cybersecurity, emails, cloud computing, and other new technologies, as well as the use of personal devices and social media. Government agencies are defined in the Government IT Rules to include ministries, commissions, public establishments, councils, and national centres.
The impact of the wide array of cybersecurity regulations is, simply, compliance. To achieve such compliance, there are various practical aspects to be considered. We address below only a few general practical aspects.
Institutions in the KSA are developing cybersecurity policies to ensure they have clarity as to which cybersecurity measures are required. These policies differ between sectors, company structures (public and private), and stakeholders (government and private). To that end, cybersecurity consultants are being retained to bring in best international practices. The key, however, is to adapt the international practices to the local requirements.
Setting a cybersecurity policy requires adequate implementation, as setting a policy triggers a new responsibility for the Directors and Officers of the concerned institution. To that end, investment in talent and solutions becomes inevitable.
Talent and solutions
With respect to developing talent, the Saudi Federation for Cybersecurity, Programming and Drones has been established to contribute to such development.
There is a growing need for cybersecurity related technology solutions, including but not limited to, vulnerability-related services, as well as hardware. Driven by the Government Tenders and Procurement Law, and the success of the Saudi Arabian General Investment Authority in attracting foreign investors, we have seen many international providers of cybersecurity solutions, software as well as hardware, getting directly involved in projects in the Saudi market, as opposed to relying fully on distributors and resellers.
However, since a cybersecurity solution still leaves certain exposures, new risks have arisen and there is increasing awareness of cyber insurance.
The question of what comes first, the cybersecurity solution or the cyber insurance, continues to be a matter of discussion. In the KSA, there seems to be less awareness of the importance of cyber insurance as opposed to having a robust cybersecurity solution. Coverage, as well as the role of providers of cybersecurity services (such as with respect to vulnerabilities and response), is yet to be explained further to the market. Whilst this requires the collaboration of market players, in our view, cyber insurance will only develop in the KSA pursuant to regulation, as a matter of compliance.
Considering the various initiatives in regulating cybersecurity in the KSA, there seem to be overlapping roles and responsibilities among the various regulators. In our view, this may not necessarily lead to complete compliance, as over-regulation may be accompanied by tolerance in enforcement. Companies with a proven track record in the Saudi market know how to adapt to such changes. For multinational players, however, there seems to be an increasing regulatory risk with respect to cybersecurity, and it may be prudent to proceed at a slower pace while awaiting the complete cybersecurity framework to develop, if full compliance may not be commercially achievable. We are also of the view that cyber insurance could develop quicker if supported by regulation, as compliance seems to be a major driver.
1. See, 'Saudi Arabia implements its new E-Commerce Law,' available at: https://www.cms-lawnow.com/ealerts/2019/10/saudi-arabia-implements-its-new-e-commerce-law