Cybersecurity stands at an interesting developmental stage in Saudi Arabia. Unevenly applied in the private sector, a combination of market forces and regulatory encouragement is driving its uptake in areas where online transactions are increasingly becoming the norm. Elsewhere in the economy, the development of cloud services is presenting a data protection challenge to a much wider array of businesses. This is being met by the government with an overhaul of the ICT regulatory framework which intends to enable Saudi individuals, businesses and government agencies to entrust their valuable data with the growing number of cloud service providers operating in the Kingdom.

Finance First

The frontline of cybersecurity development is, like that of other markets, largely defined by the activities of the Kingdom’s financial institutions and largest service providers. Financial technology (fintech) products and services are expanding rapidly in the GCC, and customers are taking advantage of e-payment capabilities across all bank channels, as well as those offered by other service providers, such as telecoms, utilities, card schemes and transportation companies.

Providing cutting-edge fintech solutions is a central component of the growth strategy of most large financial institutions, but the advantages new platforms bring to businesses and their clients come with an increased security risk. This is of particular concern to the banking sector, where the advance of fintech and digitisation has brought cybersecurity to the top of the agenda. A recent report by EY showed that GCC banks consider cybertrust, convenience and personalisation to be the future core of customers’ relationship with their bank — all of which will be driven by technology.

As an increasing amount of financial transactions take place online, however, cybersecurity is moving up the risk rankings of regional institutions. EY’s conversations with banks around the Gulf revealed that they now consider cybersecurity to be the biggest threat to the prospects of achieving their digital aspirations, with 88% of respondents ranking it the top concern. Customers, too, are concerned by a number of recent high-profile data breaches in the region. While the banks in question threw doubt on the figures, the damage on reputation was done. One effect on the industry is that in the increasingly connected world some lenders have realised that cybersecurity, rather than being an unwelcome compliance cost, can actually provide useful competitive advantages.

Security precautions now feature prominently in the marketing efforts of the Kingdom’s leading financial institutions, particularly in connection with their digital offerings. The financial sector regulator, the Saudi Arabian Monetary Authority, is also pushing the security agenda. Working with local banks and other stakeholders it is producing an array of payment options by which they can transact securely. This integrated payment strategy aims to increase electronic transactions to 30% of total transactions by 2021, and contains a number of key objectives, including: building an automated clearing house to enable retail payment transactions to move at the speed of the internet; developing new online and mobile payment applications; and promoting product development through an innovation centre, concept hubs and fintech labs.

Both the new payment system and the wider arena of banking activity are to be protected by a new Cyber Security Strategy, developed in cooperation with the banking sector. Part of the strategy involves the implementation of a new cybersecurity framework, which establishes a common approach by which banks can address cyberthreats. Both of these initiatives are being implemented with the aid of the newly created Banking Committee for Information Security.

Gaps In The System

Beyond the financial system, however, the uptake of cybersecurity technology and practices has been more patchy. According to Symantec, a US-based security software, storage and professional services firm, Saudi Arabia is the most targeted country in the MENA region for ransomware attacks, and the 25th-most targeted globally. In January 2017 the Kingdom’s telecoms authority warned domestic institutions about a resurgence of the Shamoon virus after attacks suffered by the Ministry of Labour and Social Development and a chemicals firm. The virus first came to the notice of the authorities in 2012 when it infected thousands of computers belonging to the Kingdom’s flagship energy company, Saudi Aramco. Like its predecessor, the Shamoon 2 variant crippled computers by wiping hard drives and overwriting them with images, which some security analysts interpreted as a political act. The possibility of a foreign state’s involvement with the virus means that attacks of a similar nature are likely to occur in the future, and therefore cybersecurity has become an issue of national importance.

Cloud Rules

The rapid uptake of cloud computing has made the task of meeting such security challenges a more daunting one. According to the International Data Corporation, a global provider of ICT market intelligence, spending on cloud services, such as infrastructure as a service and software as a service, has driven much of the Kingdom’s overall ICT spending growth in recent years. However, data security concerns have resulted in many local enterprises confining their cloud development to local systems rather than public cloud solutions. The government also has concerns regarding the security of cloud data: while the International Data Corporation survey found that a growing number of organisations are exploring public cloud options for both storage and applications, some in the industry believe that the Kingdom’s preference for keeping data within its jurisdiction means that the full-scale adoption of public solutions seen in developed markets may be slow to emerge in Saudi Arabia.

Both the government and the private sector will be able to more confidently weigh the risks and benefits of cloud computing when a new cloud computing law is introduced. Currently, organisations wishing to invest in cloud infrastructure must be cognisant of a range of legal instruments, including the Telecommunications Act, the Telecommunications Bylaw, the Electronic Transactions Law and the Anti-Cyber Crimes Law.

Draft Law

These laws govern areas such as licensing and regulatory responsibility, but the lack of a single law which can be applied to cloud services is a hurdle to electronic growth in the view of the Communications and Information Technology Commission (CITC), the sector regulator. In 2016 the CITC began to explore the possibility of establishing a dedicated cloud computing regulatory framework, consulting with the local industry and undertaking a benchmarking exercise against other jurisdictions. Having established that such a framework would be beneficial for users of cloud services and the development of the cloud industry in the Kingdom, it has since published a draft law.

The proposed legislation has security at its core, envisioning a two-tier licensing system which separates cloud providers that “manage data considered to be critical from an information security point of view” from those dealing with less sensitive content. Critical – or level three – data may not be transferred out of the country in any format. While this is an unusual requirement in a global context, and one which may be technically challenging for some operators given the increasing prevalence of cross-border data transfers permitted by sophisticated encryption, the provision may be a deciding factor for some government bodies as they evaluate their cloud strategy. By implementing such a licensing scheme, the CITC believes confidence in cloud services will increase. The draft regulations also include other data protection measures commonly seen in advanced jurisdictions, such as requirements to permit users the right to access, verify and delete data, and an obligation to report data security breaches to both users and the CITC without undue delay. Some of the new law’s articles echo those in the EU’s recent General Data Protection Regulation, most notably the array of requirements which apply to business continuity, disaster recovery and risk management, as well as a new obligation for cloud service providers to comply with certification programmes or standards set by the CITC.