Cyber Risk Management – Is your firm complying with the DFSA rules?
Firms are required to implement a cyber risk management programme, taking into account the nature, scale and complexity of their business operations, to protect against potential loss or harm stemming from a malicious attack on their information or communication systems.
How does this impact your firm?
Firms must put in place an adequate framework for the identification and mitigation of cyber risks, and for the detection of, response to and recovery from cyber incidents.
To manage these risks, all members of senior management at both board and executive level must be aware of their firm’s cyber vulnerabilities; they should therefore provide the necessary resources, controls and oversight.
DFSA cyber risk management rules
In compliance with the DFSA requirements, firms must:
- establish and maintain a cyber risk management framework to identify, assess and manage cyber risk effectively in an integrated and comprehensive manner. This should be in writing and be approved by the governing body
- draw up and maintain a robust cyber incident response plan which should be in writing and be reviewed at least annually
- identify and maintain a current inventory of their information communication technology (“ICT”) Assets
- use and maintain up-to-date anti-malware software and ensure that regular updates are applied to their anti-malware definition files
- implement network security controls, network security monitoring procedures and a user access management process
- ensure that access to their information technology (“IT”) Systems and networks is properly secured
- establish and maintain a comprehensive cybersecurity training programme
- notify the DFSA as soon as reasonably practicable, and in any event no later than 72 hours after they become aware, or have information that reasonably suggests, that a material cyber incident has occurred, using the appropriate form available on the DFSA ePortal.
Firms should be aware that the list above is non-exhaustive and full details may be found in the General (GEN) Module of the DFSA Rulebook, which can be accessed here.
Is your firm aware of the Thematic Review?
On 20 February 2024, the DFSA issued a Dear Senior Executive Officer (“SEO”) letter to all Authorised Firms informing them that the 2024 Cyber Thematic Review has been published on the DFSA Portal for completion by 8 March 2024.
The Review will assist the DFSA in determining the current maturity level of each firm’s cyber risk management framework, the extent to which their cyber risk management practices comply with DFSA Cyber Risk Management Rules, and the firm’s maturity growth since the 2022 DFSA Cyber Thematic Review. The DFSA will publish the key findings upon completion of the review.
The Dear SEO letter can be found here.
How Waystone Compliance Solutions can help you
Waystone is well-positioned to support you in maintaining compliance with Cyber Risk Management requirements, either by providing the support that your in-house compliance resources need or, alternatively, by educating and training your in-house compliance team on the regulatory requirements.
If you would like to find out more about how we can help you to assess your Cyber Risk Management requirements, please reach out to Lisa Ritchie, Manager, Waystone Compliance Solutions or contact our UAE Cyber Security Compliance Solutions team.