TATT answers questions about its cybersecurity framework for telcoms, broadcasters

Above: Aaron Simon

At CANTO’s 42nd AGM held at the Hyatt Regency from February 01 – 03, the Telecommunications Authority of TT (TATT) presented its “Cybersecurity Framework  for Public Telecommunications Networks and Broadcasting Facilities” on the second day of the event.
Kirk Sookram, Deputy CEO of TATT made that presentation, but the authority passed questions about the presentation to Aaron Simon, Manager (Ag) Networks and Services, who provided these responses.

Q: This initiative by TATT is being positioned as being a responsibility to promote and protect the interests of the public. A National Cybersecurity Strategy has evidently been under discussion since 2012. Was there any specific incident or cluster of incidents that led to the decision to make it a specific requirement of licensees?

A: The general importance being ascribed to cybersecurity at a national and global level prompted the commencement of this work by the Authority in early 2023. This was reinforced by the International Telecommunication Union’s Global Symposium for Regulators 2024, which impressed the need for regulatory measures to adopt cybersecurity standards and regulations (PDF) to safeguard against threats.

The well-publicized incident that occurred in late 2023 (TechNewsTT broke this story in October 2023), where consumer data stored by a public telecommunications services provider was maliciously accessed and published on the dark web, affirmed the Authority’s decision to develop its Cybersecurity Framework.

Q: I note the emphasis on cybersecurity considerations for telecommunications companies and broadcasting facilities, but print publishing houses. media vendors, have invested in online broadcast expansions of their offerings and operate online subscription models that also gather customer information. Is TATT considering widening the scope of its requirements to all media houses that gather customer information?

A: The Authority’s legislative oversight extends to the network operators and service providers authorised under the Act. Consequently, there is no intent from the Authority at this time to widen the scope of the Framework to all media houses that gather customer information.

Q: The consultative document (https://tatt.org.tt/wp-content/uploads/2026/01/Cybersecurity-Framework-for-Public-Telecom-Networks-and-Broadcasting-Facilities.pdf) was apparently published on January 30th, Is there a timeline established for the expected closing date and setting of schedules of reporting and review of what is being required of businesses that fall under TATT’s oversight?

A:The document published on January 30th 2026 is the approved version having gone through two rounds of public consultation in October 2024 and May 2025.
The Authority will inform the concessionaires of a suitable timeframe for submitting the conformance reports. This submission is meant to establish a baseline for monitoring the conformance of telecommunications network operators and broadcasters against the measures in the Framework. On receipt of the conformance reports, individual review sessions will be held with the concessionaires as required.

TATT’s consultative process for the Cybersecurity Framework

Q: Given the lack of legislative support for required reporting of cybersecurity incidents in Trinidad and Tobago, how confident is TATT that companies will do so under a regime of recommended measures and required measures given the challenges it has faced in enforcing measures that are actually supported by TT laws (number portability)?

A: There is legislative basis to require reporting of cybersecurity incidents by concessionaires to the Authority, specifically section 22(3)(c) of the Act, which states that every concessionaire shall provide information and reports to the Authority.
The Authority is comfortable there will be no challenges with these requirements as reporting of general outage incidents is already performed, and these requirements align with global best practice and were thoroughly ventilated during the consultation process.

Furthermore, under the monitoring and conformance section of the Framework, lack of compliance of operators with the cybersecurity measures may be shared with members of the public, which may affect whether their bids to provide services to public and private sector entities are favourably considered.

Q: TATT is asking these companies to adopt the ISO 27001, ITU-T X.1051 standard on information security requirements, and to report information gathered under those protocols among operators and incident response organisations. Is there any method of suasion that the authority expects to exercise to ensure that adoption of the standard and required reporting actually does happen?

A: The Authority encourages the adoption of ISO 27001, but it is not required. While we hope all the operators and broadcasters will aim for full adoption, we understand that it may not be possible for all.
TATT has the support of the TTBS, who is currently undertaking an assessment of the ITU-T X.1051 recommendation, also referred to as ISO 27011 standard, by a technical committee and it is expected that it will be adopted as a national standard.

Thus far, the technical committee meeting had no issues with the controls and guidelines stated in the ITU-T X.1051 recommendation.
Again, the disclosure of the level of conformance by operators is anticipated to provide additional incentive to adopt as many measures as possible, and the Authority envisages a collaborative approach with operators towards the adoption of the measures.

Q: What will TATT accept as “suitable independent certification” of an acceptable cybersecurity plan? Is there a panel or agency within TATT that will review these plans if they are submitted to the authority?

A: The Authority will accept certification from accredited independent organisations that perform such information security management systems assessments and audits. Examples include but are not limited to PricewaterhouseCoopers and Ernst & Young Limited.

As the Authority receives certifications, it will validate that the organisation supplying the certification is suitably accredited to provide the certification supplied. As for the method of review, while the Authority’s resources can review submitted plans for the purposes of the framework, the Authority can engage support from TT-CSIRT and iGovTT as required.
If necessary, a consultant with the requisite expertise can be contracted to review plans that are submitted.

Q: The consultative document lists numerous technical requirements for telecommunications companies and broadcasters. It cannot be enough to accept all statements of compliance by licensees at face value. How will TATT verify that statements given by licensees are, in fact, in place?

A: Verification checks will be conducted, as demonstrated in the last column of its conformance reporting template of its framework. The Authority has adopted a trust but verify approach to conformance reporting. Various methods of verification will be used, including technical reporting and on-site audits.

Q: There is a mix of commonsense precautious and deeply technical information in the consultative document, should citizens be concerned that TATT feels it necessary to point to preventive measures that amount to “don’t put your hand in a blazing fire” to telecommunications and broadcast professionals?

A: Conversely, we expect consumers to support the Framework. We expect consumers to feel reassured that this Framework was established to ensure their information is secured and consumer interests are protected. Furthermore, consumers will be empowered to choose the operators that they feel are most secure based on summary information provided by the Authority.

While some of the measures may seem commonsense precautions and many operators already follow cybersecurity best practices, the Framework establishes a common baseline and consistency across the industry, ensuring no critical security steps are overlooked.

Q:There are several requirements in the consultative document that leave critical decisions about equipment and systems to licensees, given oversight by the TT Bureau of Standards. How proficient is the TTBS likely to be in setting standards for highly technical, rapidly evolving purchases of that nature and how and by whom will they be reviewed?

A: Regarding vendor management, concessionaires are encouraged to ensure that procurement systems and procedures meet security standards defined by the concessionaire and relevant national authorities, including the TTBS. The TTBS has a very robust standards development process, including using expert technical committees, public consultation, and continual review, and therefore, is a trusted source for standards on vendor management to which concessionaires can look.

Q: The acquisition of customer information is a foundation of business data mining and targeting. How does TATT propose to monitor the level of PII gathering done by licensees?

A: The Telecommunications Act clearly define the purposes for which operators of public telecommunications networks should collect and use customer information, including PII. We currently have no reports or evidence of misuse that would warrant proactive monitoring of PII volumes, but we will continue to review complaints and conduct audits where required to ensure compliance. The use of PII to validate customers is becoming increasingly critical to ensure telecommunications connections are not abused.

Q: Is there some benchmarking by TATT of what constitutes a “meaningful cybersecurity incident” that merits reporting to the authority?

A: Meaningful cybersecurity incidents are those that result in loss or degradation of services, whether isolated or widespread, due to compromised network elements or that result in the compromise of user information. It is important to note that in the Framework, the measures for reporting of cyber incidents cover notification, reporting, and information sharing.

Information sharing between operators and broadcasters would include meaningful cyber incidents, but importantly, near misses or close calls that do not result in actual compromise of network elements or user information should be shared between operators. This is crucial to ensure proactive risk management and improvement in threat response.

Q: “Failure to submit the annual conformance report or comply with a required cybersecurity measure may be deemed as a breach of concession and the Authority shall act as prescribed under the concession or the Act.” What does this mean exactly? What punitive measures are available to TATT in the event of non-compliance? So far the authority has only spoken firmly and in a voice demonstrating annoyance despite court backing of its cases.

A: Currently, concessionaires who commit a material breach of a concession obligation commit an offence and may face the penalties stipulated under section 65 of the Act ($250,000 fine and imprisonment for five years). Also, a breach of the Act can give rise to an offence under section 71 of the Act ($25,000 fine). The Authority can also recommend the suspension/ termination of the concession, in accordance with section 30 of the Act. Furthermore, operators will be incentivised to meet the measures established through the availability and disclosure of their level of conformance with the framework.