Featured Product

    Dubai FSA Publishes Key Findings from Review of Cyber Risk Frameworks

    June 24, 2020

    Dubai FSA published the key findings from its thematic review on the cyber risk management frameworks of firms operating in the Dubai International Financial Center. The review, which was launched in July 2019, assessed cyber risk governance frameworks, cyber hygiene practices, and incident-preparedness programs of firms authorized by Dubai FSA. The review found that a significant number of firms had either not implemented a comprehensive cyber risk management framework or performed only a limited cyber risk assessment.

    The review shows that a significant number of firms perform only a limited cyber risk assessment. In many instances, neither the board nor senior management oversight of cyber risk management was sufficient. This was especially prevalent where firms outsourced their IT infrastructure and cyber security functions to an IT service provider. This was also evident in the fact that there was a lack of senior management review of cyber security audits, reviews, and tests. Only half of all firms have a due diligence process to assess whether third-party service providers meet the cyber security requirements and even fewer firms periodically test whether third-party service providers satisfy the cyber security requirements. 

    The majority of firms have implemented some form of a cyber incident response plan to respond to, and limit the consequences of, a cyber incident. However, in many cases, the cyber response procedures are addressed in general terms as components of the business continuity plan and are not tailored specifically to cyber threats. Less than half of all firms have implemented a crisis management communication plan that addresses external stakeholders while more than half of firms’ cyber incident response plans do not include a formal requirement for periodically testing the response to a cyber incident. Where firms do have a periodic testing requirement, it was identified that a significant number of firms have not tested any component of their cyber incident response plans in the past year. The published report summarizes such key findings and observations, along with the expectations of Dubai FSA and examples of best practices of cyber risk management. 

    The review was undertaken in two phases, with the first phase consisting of a questionnaire seeking high-level information on the cyber security practices of each authorized firm and the second phase consisting of desk-based reviews and onsite visits to selected firms representing a range of business models and financial services activities. Although not part of this review, the new remote working protocols established in 2020 also bring new cyber risk vulnerabilities that need to be addressed by the financial services industry. According to Mr. Bryan Stirewalt, the Chief Executive of the Dubai FSA, enhancement of the cyber resilience of regulated population is one of the key priorities of Dubai FSA, which has steadily increased the supervisory focus on cyber risk and is constantly engaging with firms in the Dubai International Financial Center to ensure they have sufficient safeguards in place to shield against and to respond to and recover from cyber incidents. The focus of Dubia FSA also includes support for development of industry-level guidance on cyber risk management practices. 

     

    Related Links

    Keywords: Middle East and Africa, UAE, Dubai, Banking, Cyber Risk, DIFC, Operational Risk, Cyber Testing, Outsourcing Arrangements, Third-Party Arrangements, Dubai FSA

    Related Articles
    News

    APRA Sets LAC for D-SIBs, Proposes to Enhance Crisis Preparedness

    APRA issued a letter on the loss-absorbing capacity (LAC) requirements for domestic systemically important banks (D-SIBs) and published a discussion paper, along with the proposed the prudential standards on financial contingency planning (CPS 190) and resolution planning (CPS 900).

    December 02, 2021 WebPage Regulatory News
    News

    EC to Review Macro-Prudential Rules while ESRB Assesses Policy Stance

    The European Commission (EC) launched a call for evidence, until March 18, 2022, as part of a comprehensive review of the macro-prudential rules for the banking sector under the Capital Requirements Regulation (CRR) and Directive (CRD IV).

    December 01, 2021 WebPage Regulatory News
    News

    FSB Sets Out Good Practices for Crisis Management Groups

    The Financial Stability Board (FSB) published a report that sets out good practices for crisis management groups.

    November 30, 2021 WebPage Regulatory News
    News

    APRA Penalizes Heritage Bank for Incorrect Reporting of Capital

    The Australian Prudential Regulation Authority (APRA) found that Heritage Bank Limited had incorrectly reported capital because of weaknesses in operational risk and compliance frameworks, although the bank did not breach minimum prudential capital ratios at any point and remains well-capitalized.

    November 29, 2021 WebPage Regulatory News
    News

    OSFI Releases Annual Report 2021-2022

    The Office of the Superintendent of Financial Institutions (OSFI) released the annual report for 2020-2021.

    November 29, 2021 WebPage Regulatory News
    News

    OSFI Updates Timeline for Implementation of Certain Basel Rules

    Through a letter addressed to the banking sector entities, the Office of the Superintendent of Financial Institutions (OSFI) announced deferral of the domestic implementation of the final Basel III reforms from the first to the second quarter of 2023.

    November 29, 2021 WebPage Regulatory News
    News

    EC Defers Adoption of Regulatory Standards for Disclosures Under SFDR

    EIOPA recently published a letter in which EC is informing the European Parliament and Council that it could not adopt the set of draft regulatory technical standards for disclosures under the Sustainable Finance Disclosure Regulation (SFDR) within the stipulated three-month period, given their length and technical detail.

    November 29, 2021 WebPage Regulatory News
    News

    FCA Releases MIFIDPRU Application Forms and Third Set of Rules on IFPR

    The Financial Conduct Authority (FCA) published the third in a series of policy statements that set out rules to introduce the UK Investment Firm Prudential Regime (IFPR), which will take effect on January 01, 2022.

    November 29, 2021 WebPage Regulatory News
    News

    APRA Finalizes Capital Adequacy Standards for Banks

    The Australian Prudential Regulation Authority (APRA) published, along with a summary of its response to the consultation feedback, an information paper that summarizes the finalized capital framework that is in line with the internationally agreed Basel III requirements for banks.

    November 29, 2021 WebPage Regulatory News
    News

    CPMI-IOSCO Seek Comments on Access to Central Clearing and Portability

    The Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) issued a consultative report focusing on access to central counterparty (CCP) clearing and client-position portability.

    November 29, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 7751