Cyber Risk Management – Is your firm complying with the DFSA rules?

      On 1st January 2024, the Dubai Financial Services Authority (“DFSA”) Cyber Risk Management Rules came into force and for firms regulated by the DFSA, compliance is mandatory.

      Firms are required to implement a cyber risk management programme, taking into account the nature, scale and complexity of their business operations, to protect against potential loss or harm stemming from a malicious attack on their information or communication systems.

      How does this impact your firm?

      Firms must put in place an adequate framework for identifying and mitigating cyber risks, and for detecting, responding to and recovering from cyber incidents.

      To manage the risks, all members of senior management at both board and executive level must be aware of their firm’s cyber vulnerabilities; they should therefore provide necessary resources, controls, and oversight.

      DFSA cyber risk management rules

      In compliance with the DFSA requirements, firms must:

      1. establish and maintain a cyber risk management framework to identify, assess and manage cyber risk effectively in an integrated and comprehensive manner. This should be in writing and be approved by the governing body
      2. draw up and maintain a robust cyber incident response plan which should be in writing and be reviewed at least annually
      3. identify and maintain a current inventory of its information and communication technology (“ICT”) Assets
      4. use and maintain up-to-date anti-malware software and ensure that regular updates are applied to its anti-malware definition files
      5. implement network security controls, network security monitoring procedures and a user access management process
      6. ensure that access to its information technology (“IT”) Systems and networks is properly secured
      7. establish and maintain a comprehensive cybersecurity training programme
      8. notify the DFSA as soon as reasonably practicable, and in any event no later than 72 hours, after it becomes aware, or has information that reasonably suggests, that a material cyber incident has occurred, using the appropriate form available on the DFSA ePortal.

      Firms should be aware that the list above is non-exhaustive and full details may be found in the General (GEN) Module of the DFSA Rulebook, which can be accessed here.

      Is your firm aware of the Thematic Review?

      On 20 February 2024, the DFSA issued a Dear Senior Executive Officer (“SEO”) letter to all Authorised Firms informing them that the 2024 Cyber Thematic Review has been published on the DFSA Portal for completion by 8 March 2024.

      The Review will assist the DFSA in determining the current maturity level of each firm’s cyber risk management framework, the extent to which their cyber risk management practices comply with DFSA Cyber Risk Management Rules, and the firm’s maturity growth since the 2022 DFSA Cyber Thematic Review. The DFSA will publish the key findings upon completion of the review.

      The Dear SEO letter can be found here.

      How Waystone Compliance Solutions can help you

      Waystone is well-positioned to support you in maintaining compliance with the Cyber Risk Management requirements, either by providing the support that your in-house compliance resources need or, alternatively, by educating and training your in-house compliance team on the regulatory requirements.

      If you would like to find out more about how we can help you to assess your Cyber Risk Management requirements, please reach out to Lisa Ritchie, Manager, Waystone Compliance Solutions or contact our UAE Cyber Security Compliance Solutions team.
