Cybersecurity Compliance Framework

1. Why Cybersecurity Compliance MattersSOURCE VERIFIED

Pakistani IT companies face a unique challenge: growing client expectations for security while operating under evolving local regulations. Whether you serve government tenders, international clients, or domestic businesses, cybersecurity compliance is no longer optional.

Regulatory BodiesSOURCE VERIFIED

2. PECA 2016 — Prevention of Electronic Crimes ActSOURCE VERIFIED

The primary cybercrime law in Pakistan. Key sections relevant to IT companies:

3. PTA Cybersecurity GuidelinesSOURCE VERIFIED

For IT Service ProvidersSOURCE VERIFIED

• Licensee Security: All telecom/ISP licensees must maintain security policies
• Incident Reporting: Security incidents must be reported within 72 hours
• Data Retention: Traffic data retention for 1 year (under telecom regulations)
• Audit Requirements: Annual security audits for licensees
• VAPT: Vulnerability assessment and penetration testing mandatory

For Government IT VendorsSOURCE VERIFIED

• VAPT clearance from Category 1/2 firm before deployment
• Data classification and handling procedures
• Secure coding practices
• Background verification of development staff
• Source code escrow for critical systems

4. NCERT / PakCERTSOURCE VERIFIED

National Computer Emergency Response TeamSOURCE VERIFIED

Pakistan's national CERT under NTISB (National Telecom & Information Security Board). Provides:

• Incident Response: 24/7 support for cyber incidents
• Advisories: Vulnerability alerts and threat intelligence
• Coordination: International CERT coordination
• Training: Cybersecurity awareness programs

When to Contact PakCERTSOURCE VERIFIED

• Your systems are compromised
• You discover a vulnerability in systems you manage
• You receive threat intelligence about attacks on Pakistani targets
• You need guidance on incident response

5. ISO 27001 — Information Security ManagementSOURCE VERIFIED

Why Get ISO 27001?SOURCE VERIFIED

• Required for many government tenders (PPRA, PTA)
• International client requirement
• Competitive advantage
• Demonstrates security maturity

Implementation StepsSOURCE VERIFIED

Estimated CostsSOURCE VERIFIED

* One-time costs. Annual surveillance audit: 30-50% of initial certification cost. Timeline: 6-12 months.

6. Data Protection in PakistanSOURCE VERIFIED

Current Legal FrameworkSOURCE VERIFIED

Best Practices (Until PDPB is Enacted)SOURCE VERIFIED

• Appoint a Data Protection Officer (even if not legally required)
• Maintain data processing records
• Implement consent mechanisms for user data collection
• Ensure data encryption (at rest and in transit)
• Conduct privacy impact assessments for new projects
• Define data retention policies
• Include data protection clauses in client contracts
• Train staff on data handling procedures

7. SBP Cyber Resilience & Technology Risk (2023-2026)SOURCE VERIFIED

Cyber Shield — Cyber Resilience Strategy 2025-2030SOURCE VERIFIED

Per CRMD CL01/2026, SBP has launched Cyber Shield, the first-ever cyber resilience strategy for all SBP-regulated entities. Key requirements:

• Mandatory alignment: All banks, EMIs, PSOs/PSPs must align internal cybersecurity programs with the Cyber Shield roadmap by 2030
• Five strategic priorities: Strengthen → Mature → Enhance → Develop → Evolve — phased milestones through 2030
• Zero Trust Architecture: Roadmap for implementation across critical banking infrastructure — no implicit trust, continuous verification (Federal (SBP))
• FinCERT: Financial sector Computer Emergency Response Team to be established for incident lifecycle management and threat intelligence sharing (Federal (SBP))
• 2-hour RTO for FMIs: Systemically important Financial Market Infrastructures must achieve two-hour recovery time objective (Federal (SBP))
• Cyber-testing framework: Mandatory controlled cyber-attack simulations for regulated entities (Federal (SBP))
• Annual cyber threat landscape report: SBP will publish annual report on evolving threats to the banking sector (Federal (SBP))
• Third-party risk oversight tightening: Enhanced supervisory expectations for vendor/third-party risk management, directly impacting IT service providers (Federal (SBP))
• Scope: Covers prevention, detection, response, and recovery from cyber incidents across the financial sector

Technology Risk Management Framework for Payment InstitutionsSOURCE VERIFIED

Per PSD C4/2025, all PSOs/PSPs and EMIs must comply with the Technology Risk Management (TRM) Framework by March 31, 2026. Key requirements for IT companies:

Digital Channel Downtime GuidelinesSOURCE VERIFIED

Per PSD C1/2023, regulated entities must:

• Planned downtime: Inform customers 2 days in advance (SMS, social media, in-app); notify SBP 1 week in advance
• Unplanned downtime >30 min: Immediately inform customers + estimated restoration time; report to SBP
• Overtime reporting: If planned downtime exceeds 2+ hours, immediately convey to customers and SBP
• Monthly max downtime: Cumulative downtime monitored; social media complaints tracking mandatory

Digital Lending App RestrictionsSOURCE VERIFIED

Per PSD C2/2023: Banks/EMIs must not provide digital payment services to unauthorized/unlicensed digital lending apps. This includes: deposit products, mobile app integration, payment gateway services, credit scoring, and fund transfers. IT companies building fintech products must verify licensing status from SBP/SECP before integration.

Mobile App Security GuidelinesSOURCE VERIFIED

Per PSD CL6/2022: Banks/EMIs/PSOs must implement secure coding practices, VAPT before app launch, certificate pinning, and runtime integrity checks for all mobile applications.

8. Cybersecurity Compliance ChecklistSOURCE VERIFIED

Immediate (This Month)SOURCE VERIFIED

Short-term (1-3 Months)SOURCE VERIFIED

Medium-term (3-12 Months)SOURCE VERIFIED

8. Security Tools & CostsSOURCE VERIFIED

Free/Open SourceSOURCE VERIFIED

Paid (Recommended for Production)SOURCE VERIFIED

9. Frequently Asked QuestionsSOURCE VERIFIED