A new regulation on cybersecurity requirements for companies has been endorsed by Presidential Resolution No. PP-167 dated May 31, 2023, “On additional measures to improve the system of cybersecurity of critical information infrastructure facilities of the Republic of Uzbekistan”. The full text of the Resolution is available here (in Uzbek).
Below we provide a brief overview of the key changes. As cybersecurity legislation is a relatively new concept in Uzbekistan, you may also find our previous alerts on cybersecurity, available here and here, relevant.
Is it relevant for your company and business?
Currently, the exact qualification criteria for classification as a “critical facility” are not yet available; we expect more clarity to be provided by October 2023. That said, these changes will likely be relevant if you or your clients in Uzbekistan have important information systems in the fields of agriculture, banking and finance, chemicals, defense and national security, energy, IT, mining, public health, telecoms, as well as some other sectors.
Who are sectoral regulators?
The State Security Service of the Republic of Uzbekistan is the regulator in the field of cybersecurity. The Office of the President of the Republic of Uzbekistan sets out a unified public policy related to cybersecurity. Also, the Inspectorate for Control in the Sphere of Information and Telecommunications under the Ministry of Digital Technologies (the Inspectorate) is the executive body of the regulator.
How can the changes affect your business?
The new regulation sheds more light on the key compliance requirements for critical facilities. Companies classified as critical facilities will have the following obligations:
- Promptly notify regulators of a cybersecurity incident
- Assist regulators in detecting and preventing cyberattacks, remedying their consequences, and identifying the causes and conditions of cybersecurity incidents
- Notify the regulator of appointments and dismissals and of the certification of personnel responsible for ensuring cybersecurity
- Have the regulator certify cybersecurity personnel
- Ensure the operation of facilities designed to detect and prevent cyberattacks, and participate in the investigation of cybersecurity incidents
- Provide State Security Service personnel and the Inspectorate with access to critical facilities in the performance of their powers
- Prevent possible cyber threats to critical facilities and develop plans to restore stable functioning of critical facilities in the event of a cyberattack
The regulation sets out the following key requirements for critical facilities:
- A cybersecurity system is established.
- The system can prevent unauthorized use (destruction, modification, blocking, copying, provision and distribution) of information, as well as actions leading to the disruption or termination of the operation of critical facilities.
- The critical facility complies with the technical cybersecurity requirements.
- A system is established to ensure a rapid recovery after a cyberattack.
- An effective system of monitoring, auditing and analyzing cyberattacks is established, allowing for corrective measures to be taken and for the elimination of the consequences of a cyberattack.
- The critical facility establishes the relevant cybersecurity policies, registries and other documents.
Any devices used for processing confidential and critical information must have the following measures (among others):
- The ability to identify and authenticate device users at each stage before they gain access to subsystem elements or other systems
- The ability to check access to files, systems and devices
- Restricting the software environment so that unauthorized users cannot manage the information infrastructure
- Protection for facilities hosting confidential and critical information
- Performing cybersecurity audits of systems and programs, including software and hardware resources
- Protecting the information assets of critical facilities from malicious software
- Ensuring security of technical means of information protection
- Timely management of software updates
- Timely response to cybersecurity incidents
- Performance in emergency situations as required
- Backup storage of critical information related to the operation and security of the critical facilities, preserving its integrity, confidentiality and availability
- Implementation of rapid data recovery mechanisms
- Certification of the critical facilities for compliance with cybersecurity requirements
What actions should you take?
If you think your business may qualify as a critical facility, you should prepare an action plan in case the regulator lists your business in the single register of critical facilities. This qualification may come with certain financial costs (e.g., buying hardware and software approved by the regulator) as well as organizational changes (e.g., creating a dedicated cybersecurity team, liaising with the regulator, revising internal policies) for your company in the short run.
If you have any questions, we will be happy to discuss in more detail with you how these changes might impact your business and how best to achieve compliance.