50,000 riyals maximum reward for whistleblowers...

New rules for monitoring and verifying cybersecurity violations

The National Cybersecurity Authority begins implementing rules for monitoring and investigating cybersecurity violations.

The new rules clarified that inspectors, collectively or individually, are responsible for monitoring and inspecting places and activities related to cybersecurity to detect violations and investigate them. To that end, they may enter places, access networks, information technology systems, operational technology systems, and their components including devices, equipment, and software, review data and documents including backups and other sites, inspect, examine, and seize them, search for and collect necessary evidence and information related to the violation, examine any documents, data, information, or records, and take copies. They may also document, by any legal means, any evidence or clues they observe.

3- Seizing any documents, records, information technology systems, operational technology systems, devices, equipment, software, data, or similar items that were used in the violation or suspected of being used during the commission of the violation. These are to be seized and recorded in the inspection report, along with any other action the inspector deems important within the legally granted powers.

Regarding procedures for handling urgent and necessary cases, the rules stated that if any violation is committed, the Authority may, in urgent and necessary cases to preserve cybersecurity, by a decision from the Governor or his delegate, suspend or stop any cybersecurity-related activities, networks, information technology systems, operational technology systems, or their components (devices, equipment, software) that are the subject of the violation, according to procedures specified by the Authority.

The rules also clarified the inspector's responsibilities regarding confidentiality while performing his duties, including the confidentiality of documents, information, data, evidence, written and oral statements, and other matters he becomes aware of by virtue of his work. He may not, even after the end of his assignment, disclose them to any other party except with the written approval of the Authority. He must prepare an inspection report and document all procedures carried out during the inspection, according to the form specified by the Authority. Cases of prevention or obstruction of his work are to be documented in the report. If the inspector suspects, during his tasks, the occurrence of a cybersecurity-related crime, he must seize related items and submit them to the Authority for referral to the relevant authorities.

The rules specified the eligibility conditions for receiving the reward for whistleblowing. The Authority grants the whistleblower a reward at its discretion, provided that several conditions are met: the violation reported must be proven; the whistleblower must be a natural person; the whistleblower must not be an employee of the Authority; the whistleblower must not be a spouse, in-law, or relative up to the fourth degree of any employee of the Authority or of entities contracted by the Authority that perform main or operational tasks for the Authority; the violation must not have been previously reported or rewarded by the Authority; the disclosure of the violation must not result from the whistleblower's job duties; the whistleblower must not disclose any information related to the report to others; the report must be submitted using legitimate means and must not involve any illegal practices, including any unauthorized access to the systems of the entity or others; the reported violation must be one punishable by a financial fine; and the Authority must have collected the fine amount.

Regarding the determination of the reward amount, the rules stated that the reward shall not exceed (50,000) fifty thousand Saudi riyals, or the equivalent of (1%) of the collected financial fine, whichever is lower, taking into account the role of the report in proving the violation, including the importance, accuracy, and completeness of the information it contains; the severity and significance of the violation; the difficulty of discovering the violation and the effort made by the whistleblower in discovering it; the extent of damages that would have resulted from the effects of the violation had it not been reported; the availability of the information in the report and whether it was publicly available; and the whistleblower's cooperation, if contacted, and his contribution in persuading other parties to cooperate regarding the subject of the report, if any.