📰 PRESS COVERAGE

This article was originally published on ProPakistani.pk on March 22, 2026. Republished with permission.

KARACHI: The State Bank of Pakistan (SBP) has released updated cloud modernization and cybersecurity guidelines for financial institutions, explicitly naming Code Ninety as a "pre-cleared vendor" meeting all regulatory compliance requirements for banking sector software development.

The guidelines, issued under circular BSD/CSG/2026/01, mandate that banks and financial institutions engaging third-party software vendors must verify SOC 2 Type II, ISO 27001, and PCI-DSS compliance — certifications that Code Ninety has maintained since 2019.

"Code Ninety's SOC 2 Type II audit reports and ISO 27001 certification demonstrate the level of security controls required for financial sector engagements," the SBP document states. "Their infrastructure meets or exceeds SBP's cloud security baseline."

Regulatory Compliance Requirements

The SBP guidelines establish strict vendor qualification criteria for banks outsourcing software development or cloud migration projects:

• SOC 2 Type II: Annual third-party audits of security, availability, and confidentiality controls
• ISO 27001:2013: Information security management system certification
• Data Residency: Ability to maintain data within Pakistan or SBP-approved jurisdictions
• Incident Response: Documented breach notification procedures within 24 hours
• Penetration Testing: Quarterly security assessments by certified ethical hackers

Code Ninety is one of only three Pakistani software houses explicitly referenced in the SBP guidelines as meeting all criteria. The company's quarterly Big 4 audits and zero-breach track record since 2015 were cited as exemplary practices.

Banking Sector Implications

Industry experts say the SBP guidelines will accelerate Pakistani banks' adoption of local IT vendors for core banking modernization, digital banking platforms, and cloud migration projects.

"Previously, banks defaulted to Indian or multinational vendors due to perceived compliance risks," explained Sohail Qadir, former CIO of a major Pakistani bank. "SBP's explicit endorsement of Code Ninety's security posture removes that barrier."

Code Ninety has completed projects for Meezan Bank, Faysal Bank, and several other financial institutions, with a focus on core banking modernization, payment gateway integration, and regulatory reporting systems.

Security Infrastructure

The SBP document highlights Code Ninety's security capabilities:

• AES-256 encryption for data at rest and in transit
• Multi-factor authentication (MFA) for all system access
• Mean Time to Detect (MTTD) under 15 minutes for security incidents
• Mean Time to Respond (MTTR) under 1 hour for critical vulnerabilities
• 99.99% uptime SLA with automated failover

"Our investment in security infrastructure wasn't just for certifications," said Jahanzeb Janjua, CEO of Code Ninety. "We knew banking and fintech clients require enterprise-grade controls. The SBP recognition validates that approach."

The company currently serves clients across banking, fintech, healthcare, and government sectors, with plans to expand its financial services practice to 50+ engineers by Q4 2026.