Sri Lanka’s 9th Annual Cyber Security Summit Highlights Urgency of PDPA Compliance and Data Protection Culture

The ninth annual Cyber Security Summit, held at Colombo’s Cinnamon Grand and organised by the Daily FT with CICRA Holdings Ltd., attracted over 300 participants including IT professionals, risk managers, corporate staff, and students aiming for careers in information technology. The flagship forum brought together local and international experts to discuss the evolving cybercrime landscape, data protection, and strategies to safeguard organisations and individuals in Sri Lanka’s digital age.

Central Bank of Sri Lanka (CBSL) Assistant Governor CSP Bandara emphasised cybersecurity as a strategic imperative beyond mere compliance, urging businesses to adopt proactive cyber orchestration to combat rising threats. With global cybercrime costs projected to hit $10.5 trillion annually by 2025 and millions of unfilled cybersecurity roles worldwide, he warned that breach containment averages 70 days, exposing systemic vulnerabilities.

Data Protection Authority Chairman-Designate Rajeeva Bandaranaike highlighted Sri Lanka’s Personal Data Protection Act (PDPA) No. 9 of 2022 as a comprehensive legal framework empowering citizens with data rights and imposing responsibilities on data controllers and processors. The newly formed Data Protection Authority (DPA) will focus on education, enforcement, and guidance, underscoring privacy as a public responsibility integral to the nation’s digital ecosystem.

Telecommunications Regulatory Commission (TRC) Chairman Waruna Dhanapala noted telecom operators’ obligations under the PDPA and the need for coordinated enforcement with the DPA, especially regarding unsolicited communications and SIM card data privacy. He also acknowledged the entry of international satellite internet providers under a modernised regulatory framework.

In the financial sector, CBSL Deputy Director Dr. Kanchana Ambagahawita outlined robust privacy measures embedded in banking regulations and highlighted challenges around ethical data sharing and customer trust, supported by recent Financial Consumer Protection Regulations aligned with PDPA principles.

Legal and cybersecurity experts emphasised practical compliance, recommending proactive risk assessments, privacy by design, and technical safeguards such as penetration testing and a Software Bill of Materials (SBOM). The evolving role of Data Protection Officers (DPOs) was discussed as requiring leadership beyond legal expertise to embed a privacy culture across organisations.

The summit panelists urged organisations to move beyond over-reliance on consent, to implement layered privacy notices and incident management plans, and to foster cross-functional collaboration and executive buy-in to build sustainable data protection programmes. The consensus was that privacy compliance is an ongoing journey requiring continual awareness and adaptation.

Speakers also stressed the importance of breach response readiness, including rapid incident containment, regulator notification within 72 hours, transparent communication, and strong supply chain security through vendor assessments and contractual protections.

The event concluded that effective PDPA implementation demands a cohesive approach integrating people, processes, and technology, with early adoption offering a competitive advantage. Supporters included Agility Innovation, Mastercard, Orin, MullenLowe Sri Lanka, and Cinnamon Lakeside.