Dubai FSA published the key findings from its thematic review on the cyber risk management frameworks of firms operating in the Dubai International Financial Center. The review, which was launched in July 2019, assessed cyber risk governance frameworks, cyber hygiene practices, and incident-preparedness programs of firms authorized by Dubai FSA. The review found that a significant number of firms had either not implemented a comprehensive cyber risk management framework or performed only a limited cyber risk assessment.
The review shows that a significant number of firms perform only a limited cyber risk assessment. In many instances, neither the board nor senior management oversight of cyber risk management was sufficient. This was especially prevalent where firms outsourced their IT infrastructure and cyber security functions to an IT service provider. This was also evident in the fact that there was a lack of senior management review of cyber security audits, reviews, and tests. Only half of all firms have a due diligence process to assess whether third-party service providers meet the cyber security requirements and even fewer firms periodically test whether third-party service providers satisfy the cyber security requirements.
The majority of firms have implemented some form of a cyber incident response plan to respond to, and limit the consequences of, a cyber incident. However, in many cases, the cyber response procedures are addressed in general terms as components of the business continuity plan and are not tailored specifically to cyber threats. Less than half of all firms have implemented a crisis management communication plan that addresses external stakeholders while more than half of firms’ cyber incident response plans do not include a formal requirement for periodically testing the response to a cyber incident. Where firms do have a periodic testing requirement, it was identified that a significant number of firms have not tested any component of their cyber incident response plans in the past year. The published report summarizes such key findings and observations, along with the expectations of Dubai FSA and examples of best practices of cyber risk management.
The review was undertaken in two phases, with the first phase consisting of a questionnaire seeking high-level information on the cyber security practices of each authorized firm and the second phase consisting of desk-based reviews and onsite visits to selected firms representing a range of business models and financial services activities. Although not part of this review, the new remote working protocols established in 2020 also bring new cyber risk vulnerabilities that need to be addressed by the financial services industry. According to Mr. Bryan Stirewalt, the Chief Executive of the Dubai FSA, enhancement of the cyber resilience of regulated population is one of the key priorities of Dubai FSA, which has steadily increased the supervisory focus on cyber risk and is constantly engaging with firms in the Dubai International Financial Center to ensure they have sufficient safeguards in place to shield against and to respond to and recover from cyber incidents. The focus of Dubia FSA also includes support for development of industry-level guidance on cyber risk management practices.
Keywords: Middle East and Africa, UAE, Dubai, Banking, Cyber Risk, DIFC, Operational Risk, Cyber Testing, Outsourcing Arrangements, Third-Party Arrangements, Dubai FSA
Previous ArticleUS Agencies Amend Covered Fund Provisions of Volcker Rule
EBA finalized the two sets of draft regulatory technical standards on the identification of material risk-takers and on the classes of instruments used for remuneration under the Investment Firms Directive (IFD).
EC published, in the Official Journal of the European Union, a notification that the European Court of Auditors (ECA) has published a special report on resolution planning in the Single Resolution Mechanism.
BoE published a scenario against which it will be stress testing banks in 2021, in addition to setting out the key elements of the 2021 stress test, guidance on the 2021 stress test, and the variable paths for the 2021 stress test.
PRA published a consultation paper (CP3/21) proposes rules regarding the timing of identity verification required for eligibility of depositor protection under the Financial Services Compensation Scheme (FSCS).
FSB published the work program for 2021, which reflects a strategic shift in priorities in the COVID-19 environment.
FCA announced that 50% firms have started using the new data collection platform RegData, which is slated to replace the existing platform known Gabriel.
Bundesbank published Version 5.0 of the derivation rules for completeness check at the form level, with respect to the data quality of the European harmonized reporting system.
FED finalized a rule that updates capital planning requirements to reflect the new framework from 2019 that sorts large banks into categories, with requirements that are tailored to the risks of each category.
ECB published results of the quarterly lending survey conducted on 143 banks in the euro area.
ESAs published the final draft implementing technical standards on reporting of intra-group transactions and risk concentration of financial conglomerates subject to the supplementary supervision in EU.