Practice Area
Cybersecurity
We advise businesses on the legal side of security: the obligations before an incident, the decisions during one, and the regulatory and criminal proceedings after. Clients range from banks and payment companies under SBP rules to enterprises whose only cyber law is the contracts they have signed.
Cybersecurity law in Pakistan is not one law. For a bank or a payment company it is the State Bank's technology governance and outsourcing frameworks. For a telecom licensee it is the PTA's security regulations. For everyone it is PECA 2016 — the statute that supplies both the remedy when you are attacked and the charge when someone alleges the breach was your fault. And for most private businesses, the strictest security obligations they carry are contractual: the security schedule an enterprise customer attached to the deal, read carefully by neither side at signing.
Our practice covers the three phases of that landscape. Before an incident, we build the legal infrastructure: response plans with names and hours in them, security policies a regulator can be shown, customer and vendor contracts whose promises match each other and match reality. During an incident, we sit inside the response — privilege over the forensics, preservation, the ransom question, the notification decisions, the interface with the NCCIA. Afterward, we run the tail: regulator reporting, PECA proceedings, warranty claims, insurance recovery and insider litigation, coordinated as one matter.
The criminal dimension deserves plain words. PECA reaches ordinary commercial life — a breach becomes a complaint, a complainant becomes an accused, an officer is named personally — and since the 2025 amendments the investigating agency is new and still settling its own practice. Companies that treat a cyber incident as a technical event and meet the criminal system unprepared consistently fare worse than those whose first call included counsel. We would rather be in the room on day one than instructed at the show-cause stage.
We are equally plain about what the law does not yet require. As of mid-2026 there is no general breach-notification statute of universal application; the CERT rules under PECA are recent and their reach is still being worked out, and the anticipated data-protection statute — which every draft suggests will add notification duties — is not in force. We tell clients which obligations are binding, which are contractual, and which are coming, and we do not dress guidance up as mandate.
This page is stated as of mid-2026. The instruments in this field are new or changing, and our advice carries its date.
When Businesses Need This
The moments this practice exists for.
- 01You are in a live incident — ransomware, a compromised server, a fraudulent transfer — and need counsel on notification, preservation and law enforcement within hours, not weeks.
- 02You are SBP-regulated, or supply someone who is, and must evidence technology governance, incident reporting and outsourcing controls that your current documents do not show.
- 03An enterprise customer's contract asks for security warranties, audit rights and breach notification within fixed hours, and nobody legal has read the security schedule.
- 04A former employee or insider has accessed systems or taken data, and you want the criminal complaint, the injunction and the employment response run as one matter.
- 05You have received a notice, summons or FIR arising from a cyber incident — as complainant turned accused, or as the platform where someone else's offence occurred.
- 06Your vendor was breached and your customers' data was inside it, and you need to know what your contracts upstream and downstream now require of you.
- 07Your board wants cyber risk mapped as a legal and governance matter — who is exposed, what must be reported, and what the company's paper trail should look like.
How It Works
The process, stage by stage.
1
Exposure map
We identify the legal sources of your cyber obligations: your regulator if you have one, the security clauses in your customer and vendor contracts, PECA's offence provisions, and any foreign law reaching you through counterparties. Most companies discover their strictest security law is a contract they signed without legal review.
2
Governance and policy build
We prepare the incident-response plan, the internal security and access policies, and the board-level reporting line — documents written to be followed under pressure, with named decision-makers and realistic timeframes. For regulated clients, these are matched to the regulator's framework so the same documents serve both purposes.
3
Contract layer
We negotiate security schedules in customer agreements and flow the obligations down to vendors, so a promise made upstream is covered downstream. We also align contractual notification windows with your insurance policy's terms, because mismatches there are found only during a claim.
4
Incident counsel
During an incident we advise on preservation, privilege over the forensic investigation, notification decisions, engagement with the NCCIA, and communications. The first seventy-two hours determine most of what follows; our role is to keep decisions deliberate while everything else is on fire.
5
Aftermath
After containment comes the legal tail: regulator reporting and follow-up, PECA proceedings for or against the company, customer claims under security warranties, insurance recovery and, where an insider was involved, employment and civil action. We run the tail as a single coordinated matter rather than five separate ones.
The Legal Framework
The law this work runs on.
- Prevention of Electronic Crimes Act, 2016
- PECA is the criminal spine of this field — unauthorised access, unauthorised copying, interference with systems and data, and electronic fraud. It cuts both ways: it is your remedy against an attacker or insider, and the statute invoked against companies and officers when a complainant alleges the breach was your doing. The 2025 amendments moved investigation to the National Cyber Crime Investigation Agency.
- Computer Emergency Response Team Rules, 2023
- Rules made under PECA establishing a national CERT structure with sectoral response teams. The scope of any mandatory incident-reporting obligations under this regime is still settling in practice [SCOPE — TO BE VERIFIED BY REVIEWING LAWYER], and we advise on it as of the current subordinate legislation.
- State Bank of Pakistan technology and outsourcing frameworks
- Banks, DFIs, EMIs and payment businesses operate under SBP's enterprise technology governance and risk management requirements, including incident reporting to SBP and controls over outsourcing and cloud [INSTRUMENT REFERENCES — TO BE VERIFIED BY REVIEWING LAWYER]. For regulated financial businesses these frameworks are the operative cybersecurity law.
- Critical Telecom Data and Infrastructure Security Regulations, 2020
- PTA regulations imposing security, audit and data-protection obligations on telecom licensees. Businesses built on licensed telecom infrastructure often inherit parts of this regime contractually.
- Electronic Transactions Ordinance, 2002
- The ETO governs the legal status of electronic records and signatures, which is where evidence questions in cyber matters begin — whether logs, records and forensic images will carry weight in proceedings depends on how they were kept and preserved.
- National Cyber Security Policy, 2021
- A policy instrument rather than a statute, but it signals the direction of regulation — sectoral CERTs, critical infrastructure designation, audit expectations — and helps predict what regulators will ask for next.
Statutory references are stated as of the page’s as-of date and flagged where verification is pending; the law moves, and the current position should be confirmed before relying on it.
Common Mistakes
The errors we see most — and their price.
- Having no incident-response plan until the incident, so the first day is spent deciding who decides.
- Treating a breach as purely an IT problem and commissioning the forensic report without counsel, losing any claim to privilege over its findings.
- Paying a ransom without legal analysis of the payment itself, including anti-money-laundering exposure and whatever your insurer's terms require first.
- Signing customer contracts with security warranties and notification deadlines the security team has never seen.
- Notifying no one, or notifying everyone — both are decisions with consequences, and both are usually made in the first hours without advice.
- Forgetting that under PECA the company can move from complainant to accused within the same investigation, and speaking to investigators accordingly.
- Leaving vendor contracts without security obligations, audit rights or breach-notification duties, so a vendor's incident becomes legally yours alone.
- Assuming cyber insurance covers the loss without checking the policy's notification windows and counsel-appointment terms against what was actually done.
Representative Scenarios
The shape of the work.
Illustrative scenarios, not case reports — composites drawn to show how matters of this kind run.
- —A manufacturer was hit by ransomware that halted dispatch for a week. We advised on the ransom decision, preservation and privilege over the forensic work, notifications to affected enterprise customers under their contracts, and the complaint to the NCCIA.Illustrative
- —An EMI suffered an intrusion into a customer-facing system. We managed the incident reporting to the State Bank, the remediation undertakings that followed, and the redrafting of its outsourcing contracts that the post-incident review demanded.Illustrative
- —A departing engineer retained access credentials and downloaded a client database. We obtained interim injunctive relief, filed the PECA complaint, and ran the employment proceedings in parallel so the three tracks reinforced rather than contradicted each other.Illustrative
- —A logistics company's software vendor was breached, exposing shipment data belonging to the company's customers. We mapped what its upstream contracts required it to disclose, enforced the vendor's indemnity, and repapered the vendor stack with security schedules.Illustrative
Questions, Answered
What clients ask about cybersecurity.
As of mid-2026 there is no single general statutory duty covering all businesses. Reporting duties come from specific sources: SBP's frameworks for regulated financial businesses, PTA regulations for telecom licensees, the developing CERT regime under PECA, and — most commonly — your own contracts with customers. The first question in any incident is which of these apply to you.
That is a legal and commercial decision, not just an operational one. Payment can raise anti-money-laundering and sanctions questions depending on the recipient, may breach your insurance terms if made without insurer consent, and rarely ends the disclosure obligations the incident created. We advise on the decision; we do not treat it as foregone in either direction.
Since the 2025 amendments to PECA, the National Cyber Crime Investigation Agency — successor to the FIA Cybercrime Wing — investigates PECA offences. It is a new institution and its practice is still settling, which affects how complaints are framed and how quickly they move.
Yes. PECA criminalises unauthorised access, copying and interference, and a complaint to the NCCIA is the criminal route. In insider cases we usually pair it with civil injunctive relief and the employment-law process, because the criminal track alone is rarely fast enough to protect the data.
Exposure is realistic in specific situations: officers of regulated businesses answering to their regulator, cases where PECA allegations are made against management personally, and claims that governance failures caused the loss. A documented governance trail — policies, board reporting, tested response plans — is the practical protection.
Only if the investigation is structured for it. A report commissioned by IT from a vendor in the ordinary course is a discoverable business record; an investigation directed by counsel for the purpose of legal advice stands on much stronger ground. This must be set up on day one — it cannot be retrofitted.
Only if you can do it. Notification clocks usually start on awareness, and 24 hours is achievable only with a rehearsed plan and a named decision-maker. We negotiate these clauses against your actual capability, and where the customer will not move, we build the process that makes the promise true.
Rules made under PECA in 2023 establish a national computer emergency response team structure with sectoral teams. How far mandatory reporting extends to private businesses is still taking shape [SCOPE — TO BE VERIFIED BY REVIEWING LAWYER], and the honest answer today depends on your sector; we advise on the current position and flag it as one that is moving.
Who To Call
Related Insights
Prepared by The First Counsel · As of 2026-07-12 · Pending professional review — statements flagged in the text are being verified
This publication is provided for general information only. It is not legal advice, and neither reading it nor corresponding with the firm about it creates a lawyer–client relationship. The position stated must be verified against current law before it is relied upon.
