Banking Regulation 2025

KUWAIT Law and Practice Contributed by: Yousef Al Shereedah, Abdulrahman Al-Roumi and Bashayer Al-Tuwais, International Counsel Bureau – Lawyers and Legal Consultants

Both the CMA and Boursa Kuwait emphasise that entities should focus on material issues that impact stakeholders and guide corporate strate - gies. Alignment with International Standards While ESG reporting is voluntary, companies are strongly encouraged to align with international frameworks such as the GRI, SASB, and IR to ensure consistency and comparability in their disclosures, as recommended by both the CMA and Boursa Kuwait. While there is no direct equivalent to the Euro - pean Union’s Digital Operational Resilience Act (DORA), the CBK has developed a comprehen - sive Cybersecurity Framework to ensure oper - ational resilience against cyber threats. This framework outlines specific requirements for governance, risk management, incident report - ing, third-party risk management, operational testing, and compliance, aligned with interna - tional best practices. Governance and Risk Management 10. DORA 10.1 DORA Requirements • Board responsibility: The board of directors is accountable for overseeing the cybersecurity framework, ensuring that adequate resources are allocated for managing cyber risks, and that cybersecurity is integrated into overall risk management strategies. • Cybersecurity policies: Regulated entities must implement formal cybersecurity poli - cies that cover critical areas such as access control, data protection, incident response, and vulnerability management. • Risk assessment: CBK-Regulated Entities are required to conduct regular cyber risk assess -

ments, updating them periodically to reflect new threats and changes in the operational landscape. • Reporting structures: Clear reporting lines from cybersecurity teams to the board are essential to ensure timely communication of risks and incidents. Incident Reporting and Management • Mandatory reporting: CBK-Regulated Entities are required to report significant cybersecu - rity incidents to the CBK. High-risk incidents must be reported within four hours, including critical breaches or operational compromises. Medium-risk incidents must be reported within eight hours, while low-risk incidents are reported quarterly as part of routine cyber - security reporting. Reports should provide a comprehensive overview of the incident, including its scope, impact, and the mitiga - tion measures taken. • Incident reporting process: The report sub - mitted to the CBK must include: (a) the nature and cause of the incident (eg, phishing, malware, data breach); (b) the extent of the damage (eg, data loss, service disruption); (c) the actions taken to mitigate the incident, including containment and recovery ef - forts; (d) an assessment of whether personal data or critical systems were compromised; and (e) communication with affected parties, including customers, regulators, and stakeholders. • Escalation and notification: CBK-Regulated Entities must have predefined escalation procedures in place to ensure that incidents are promptly escalated to senior management and the CBK.

310 CHAMBERS.COM

Powered by