Cyber risk management – resilience of information technology systems

      In recent years, the United Arab Emirates (“UAE”) has, in recent years, emerged as the centre for technology and all related businesses. This, coupled with its growing economy and its position as home to some of the world’s leading corporations, makes it a prime target for cyber attacks.

      According to a recent IBM Cost of Data Breach report, the Middle East ranked second for the region with the highest average cost of data breaches in 2023 at just over $8 million.

      The financial services industry is one of the most targeted industries by cyber criminals and, as a result, avoiding such cyber attacks has been a top priority for firms for a number of years. Regulators from around the world have now increased efforts to manage cyber risks by implementing rules and regulations.

      DFSA cyber risk management rules

      As of 1 January 2024, the Dubai Financial Services Authority (“DFSA”) formulated new cyber risk management rules and guidance. All Authorised Firms (“AF”, or “firms”) under the Dubai International Financial Centre (“DIFC”) are now required to implement an appropriate framework to identify and mitigate cyber risks and to detect, respond to, and recover from cyber incidents.

      One of the focus areas under the new rules is in relation to the assessment and testing of the resilience of firms’ Information Technology (“IT”) systems, networks, processes and controls implemented to satisfy all the cyber risk management rules.

      The DFSA requires the testing of internet facing systems to be carried out regularly, at least annually. The DFSA also requires firms to ensure there is a process in place to prioritise and remedy any adverse findings resulting from such testing.

      This article will examine one of the most well-known ways to implement this requirement; Vulnerability Assessment & Penetration Testing (“VAPT”).

      Vulnerability Assessment & Penetration Testing (VAPT)

      VAPT provides an inclusive security evaluation, that includes both the identification of vulnerabilities and an understanding of their exploitability and impact. This enables firms to have a thorough assessment of the security posture and helps them effectively manage and mitigate risks, in addition to satisfying any DFSA regulatory requirements.

      VAPT covers all IT internal and external components such as firewalls, routers, switches, servers, and security management systems.

      High level phases of VAPT

      High level phases for VAPT typically include:

      Preliminary planning and strategic design

      In this phase of VAPT, the cyber security consultant works with the firm to develop a comprehensive testing strategy that reflects the firm’s needs, concerns, and security objectives. The understanding of the environment and business enables a consultant to create a plan that targets key areas of concern and provides a roadmap for the assessment and testing process. This involves identifying all necessary testing details such as target URLs and IPs, securing application credentials, and arranging testing window agreements. This phase may also set further activities such as team mobilisation, the agreement of ongoing communication protocols, and defining roles and responsibilities, along with management reporting and incident handling.

      Scheduling and coordination

      Effective coordination is crucial for minimising disruptions to a firm’s business while ensuring thorough testing coverage. Suitable times are scheduled whilst ensuring that all necessary stakeholders are informed and prepared.

      Threat surface evaluation and testing

      Cyber security consultants apply tools and techniques to simulate a diverse array of potential attacks on firms’ systems, identifying vulnerabilities and assessing the landscape. Testing could incorporate both automated and manual methods. Tests should be rigorous, thorough and adhere to recognised industry standards such as OWASP, NIST, and ISSAF. Specific approaches are employed for different types of tests, ensuring a comprehensive evaluation of firms’ systems.

      Reporting and remediation

      In the final phase, all findings, including an analysis of uncovered cyber vulnerabilities, potential business impacts, and proposed remediation measures are reported.

      How can Waystone help?

      Waystone is dedicated to providing its clients with the highest quality of information security and data protection advisory and support services and is certified to both the ISO/IEC 27001:2013 standard for its own Information Security Management System and to the ISO/IEC 27701:2019 Privacy Information Management System extension for its data protection scheme.

      In addition to the VAPT capabilities, Waystone offers further IT system resilience testing such as scenario-based testing, social engineering, phishing assessments, Microsoft Office 365 risk assessment and threat assessments/research.

      Our cyber security services

      Waystone also offers several bespoke, cyber security services, including:

      • policy review and development
      • cyber awareness training for leadership teams and staff
      • incident response planning and cyber crisis support
      • cyber security governance and resilience assessments
      • cyber security hygiene assessments
      • Chief Information Security Officer (CISO) as a service
      • NESA compliance assessments.

      If you would like to find out more about how to mitigate your cyber security risk, please reach out to our Middle East Solutions team, or contact us.

      Contact us

      Previous post Next post
      Share

      More like this

      Regulatory Compliance Updates September 2024 – ME Region

      This edition includes – Abu Dhabi Finance Week: Top Finance Leaders to Speak at 2024 Edition, New Initiatives for Wealth…
      Read more

      Regulatory Compliance Updates August 2024 – ME Region

      This edition includes – DFSA Publishes Consultation Paper on Client Assets Regime, DFSA and HKMA Co-host Climate Finance Conference, 100…
      Read more

      Achieving a culture of compliance

      Employee misconduct can have far-reaching consequences for both financial firms and the broader market, leading regulators to promote a "culture…
      Read more

      Regulatory Compliance Updates July 2024 – ME Region

      This edition includes – DFSA Issues Dear SEO Letter on CIR Reporting Requirements, UAEFIU Publishes Updated Strategic Analysis Report, DFSA…
      Read more

      Client classification in the ADGM – a comprehensive guide

      The Abu Dhabi Global Market (“ADGM”) Financial Services Regulatory Authority (“FSRA”) emphasises the importance of correctly categorising clients to ensure…
      Read more

      Regulatory Compliance Updates June 2024 – ME Region

      This edition includes – DFSA Issues Dear SEO Letter, ADGM RA Issues Consultation Paper, FATF Plenary Outcome.
      Read more