DFSA’s Cyber Risk Management Guidelines: A Blueprint for Cyber Resilience?

Written by: Lisa Forte

Categorized: Blog

During 2023 the United Arab Emirates was busy. Very busy, in fact. It implemented a significant number of legislative reforms in the areas of cyber security, data protection, corporate accountability, virtual asset regulation and whistleblowing.

Cyber security in particular has become the hot topic in the U.A.E. and, just as in Europe, its financial services sector is leading the way on regulation and best practice.

I want to talk about one particular development, although there are many: the Dubai Financial Services Authority (DFSA) cyber risk management guidelines, which came into force in January 2024. All “licensed” firms are expected to implement them. The guidelines address several key areas, in particular:

  • The maintenance of a cyber risk management framework that identifies and assesses cyber risk;
  • The maintenance of a comprehensive resilience testing program for IT systems that includes a robust cyber incident response plan; and
  • New notification obligations on licensed firms after becoming aware of an incident.

The DFSA cyber risk management guidelines show a keen focus on resilience, so much so that in May all licensed firms took part in a DFSA-run cyber crisis simulation exercise.

They lay out the minimum components that should be found in a firm’s cyber incident response plan. These include:

  • Procedures for detecting, monitoring, analysing and responding to cyber incidents;
  • Defined roles and responsibilities for incident management;
  • An internal communication plan that includes protocols for key internal stakeholders (business units, the Board, etc.);
  • An external communications plan that includes protocols for key external stakeholders;
  • A recovery plan;
  • Documented procedures for post-incident review; and
  • A plan for the periodic testing of the cyber incident response plan.

The DFSA cyber risk management guidelines go on to note that the plan has to be a living document: it should undergo periodic review, but it also needs to be revisited in light of recent attacks or cyber threat intelligence findings. They also note that firms need pre-approved communications templates developed for the scenarios they are most likely to face.

In its 2023-2024 business plan, published in late January, the DFSA emphasised the importance of cyber resilience, stating that for firms to continue meeting “regulatory expectations” they needed to, amongst other things, undertake regular cyber security testing that must include testing of their incident response plans.

Cyber resilience has most certainly become a major component of the image countries want to project to the world, that “this is a safe place to do business”, and the U.A.E. is no different.

The DFSA seems to be pursuing a “firm but fair” enforcement strategy for the rules and guidelines it sets, but it is hard not to applaud the rapid development of standards that will no doubt continue to be refined over the coming years. Its attitude to cyber resilience in particular is impressive and proactive, and it clearly acknowledges the “multi-disciplinary” nature of cyber incidents.

Guidelines in full: https://365343652932-web-server-storage.s3.eu-west-2.amazonaws.com/files/2916/0855/0499/Cyber_Risk_Management_Guidelines_Final_20_Dec_2020.pdf
