The various cyber security breaches in 2022 affecting government institutions such as SriLankan Airlines, the Ministry of Health, the Sri Lankan Bureau of Foreign Employment and the Department of Examinations have exposed the need for a robust cyber security framework to be established.
The first draft of the Cyber Security Bill in Sri Lanka was released in December 2019 and has gone through subsequent changes. The salient features of the most recent publicly available draft are as follows:
- Establishment of the Digital Infrastructure Protection Agency of Sri Lanka (“Agency”) – the Agency will be vested with the authority to implement a National Cyber Security Strategy and to recommend standards for the Government of Sri Lanka.
- Specifying the powers and functions of the Sri Lanka Computer Emergency Readiness Team (“CERT”) – CERT will act as a coordination centre, and point of contact for cyber security incidents and provide reactive cyber security services in the event of such incidents as well as being proactive in preventing such incidents.
- Enabling the designation of “Critical Information Infrastructure” (“CII”) by the Agency – a computer system may be designated as CII if it is in Sri Lanka and is necessary for the continuous delivery of essential services for public health, public safety, privacy, economic stability, national security, international stability and the sustainability and restoration of critical cyberspace (or for any other criteria as may be prescribed), and if its disruption or destruction would be likely to have a serious impact on public health, public safety, privacy, national security, international stability or the effective functioning of the government or the economy. Once a system is designated as CII, the institution owning it (government or otherwise) has a legal obligation to secure it, conduct risk assessments and provide necessary information to the Agency, including notification of any cyber security breach within 24 hours of becoming aware of it.
- Penalties – a person whose computer system has been designated as CII and who does not comply with the requirements will first be given a warning by the Agency; on a further failure to conform with the requirements or to show cause for non-compliance, the person shall be liable to a penalty of up to Rs. 1 million, which can be doubled for any subsequent non-compliance. In the event of a failure to pay such a penalty, the Authority is entitled to make an ex parte application to the Magistrate’s Court of Colombo for an order requiring payment, which shall be recoverable as a fine imposed by the Court. Directors of, or officers responsible for the management of, companies are personally liable unless they can show that they had no knowledge of the failure to comply or that they exercised all due diligence to ensure compliance.