KUWAIT Law and Practice Contributed by: Yousef Al Shereedah, Abdulrahman Al-Roumi and Bashayer Al-Tuwais, International Counsel Bureau – Lawyers and Legal Consultants
• Post-incident review: After each incident, entities are required to conduct a post- incident review to assess the response’s effectiveness, identify any weaknesses in their cybersecurity framework, and imple - ment corrective actions. This review must be documented and used to strengthen future response plans. Third-Party Risk and Dependencies • Third-party risk assessments: Regulated entities must assess and mitigate risks posed by third-party service providers, especially those involved in ICT services, by evaluating their cybersecurity controls and ensuring that proper measures are in place. • Contractual safeguards: Contracts must include cybersecurity clauses that require third-party providers to comply with security standards and promptly report any security incidents affecting their services. • Monitoring third-party providers: Continuous monitoring of third-party service providers is necessary to ensure compliance with security requirements and manage risks related to external dependencies. Cyber Threat Intelligence and Collaboration • Sector-wide collaboration: CBK-Regulated Entities are encouraged to participate in sector-wide initiatives, such as the Informa - tion Security Working Group (ISWG), to share threat intelligence and collaborate on mitigat - ing cybersecurity threats across the banking sector. • Threat monitoring: CBK-Regulated Entities are required to establish systems that actively monitor cyber threats and provide real-time alerts on potential vulnerabilities or suspi - cious activities. • Collaboration with authorities: Close co-ordi - nation with national regulators and cyber -
security authorities is encouraged to ensure alignment with national cybersecurity objec - tives. Operational Resilience Testing • Regular cybersecurity testing: CBK-Regu - lated Entities are required to conduct annual penetration testing, vulnerability assess - ments, and red teaming exercises to test the resilience of their systems against potential cyber threats. • Business continuity plans (BCP): Entities must maintain business continuity plans (BCP) that address continuity during cyber incidents, ensuring the restoration of critical functions and services. • Disaster recovery plans: Entities must have comprehensive disaster recovery plans that include data backup procedures, recovery strategies, and regular testing to ensure rapid recovery from cyber incidents. • Cyber simulations and drills: Entities are encouraged to conduct regular cyber incident simulations to test their preparedness and response capabilities in real-world scenarios. Compliance and Supervision • Compliance with international standards: Entities must comply with international stand - ards such as ISO/IEC 27001 (Information Security Management) and NIST (National Institute of Standards and Technology) frame - works. • Internal audits: Regulated entities are required to conduct annual internal cybersecurity audits to assess the effectiveness of their cybersecurity measures, incident response protocols, and adherence to CBK regulations. • Regulatory oversight: The CBK will perform periodic reviews and inspections to ensure compliance with the cybersecurity frame -
311 CHAMBERS.COM
Powered by FlippingBook