FSRA proposes enhanced measures for Cyber Risk Management

      On 29 November 2023, the Financial Services Regulation Authority (“FSRA”) issued Discussion Paper No. 1 of 2023 on Information Technology Risk Management to seek views on its initiatives of enhancing information technology (“IT”) risk management practices in Authorised Persons. The paper also presents the initiatives that the FSRA is building on to enhance its supervisory oversight of IT risk management practices in Authorised Persons.

      FSRA’s proposed measures for strengthening IT risk management

      In conjunction with this, the FSRA is considering the following measures to reinforce good IT risk management practices in Authorised Persons:

      • reviewing existing rules relating to IT risk management to incorporate core requirements that would strengthen Authorised Persons’ practices;
      • requiring Authorised Persons to report material IT incidents to the FSRA in a standardised format within a prescribed timeframe; and
      • making regulatory technologies available to Authorised Persons to navigate the FSRA’s Rulebooks and guidance relating to IT risk management.

      FSRA to issue ITRMG

      The FSRA proposes to issue IT Risk Management Guidance (“ITRMG”) which will complement existing requirements and guidance and be relevant to all Authorised Persons regardless of the Regulated Activities they undertake. By issuing the ITRMG, the FSRA intends to communicate its views on how a consistent and risk-sensitive approach might be employed by Authorised Persons in managing their IT risk.

      In formulating the ITRMG, the FSRA has considered the work already completed in this area by international standard setting bodies and financial services regulatory authorities, as well as leading industry standards on IT and security.

      Four sections of the ITRMG

      The ITRMG comprises of four sections, each with several chapters that set out the FSRA’s expectations in those areas, the sections include:

      • establishing a Culture of Effective IT Risk Management: overall governance and controls for IT risk, including the management of IT third parties;
      • managing an IT Environment: how Authorised Persons should manage IT assets, infrastructure, systems lifecycle, resilience and cyber events;
      • interacting Securely: how Authorised Persons should manage access to their systems, cryptographic keys and online transaction services; and
      • leveraging Business Embedded Technologies: how Authorised Persons that use specific technologies should address the IT risks associated with those technologies.

      Each chapter of the ITRMG begins with desired outcomes that summarise the FSRA’s expectations for Authorised Persons.

      Understanding the role of ITRMG

      While the ITRMG is relevant to all Authorised Persons, it is neither a binding set of rules, nor a standard of care owed by Authorised Persons to their customers. Authorised Persons are expected to adapt the ITRMG in a manner that is commensurate with the nature, scale and complexity of their business activities carried out in ADGM.

      The FSRA is also cognisant of international developments in IT risk management and will endeavour to harmonise, where practical and appropriate, its expectations and requirements to be consistent with those published by regulatory and industry standard setting bodies.

      Upon the formalisation and launch of the ITRMG, the FSRA will refer explicitly to the ITRMG when assessing applications for authorisation and during supervisory reviews of persons. In this way, the ITRMG will provide transparency to applicants and Authorised Persons regarding the expectations of the FSRA in this area.

      Additionally, the ITRMG will be updated as and when the FSRA identifies new IT best practices or as mitigation strategies against threat actors are publicised. This approach aims to ensure that the ITRMG keeps pace with the fast-evolving IT landscape. Authorised Persons can expect for updates to the ITRMG to be published on the FSRA website.

      Authorised Persons were invited to make responses to this paper by 9 February 2024 and the FSRA have since advised that a formal Consultation Paper will be issued in this regard.

      The Discussion Paper can be found here.

      How does this impact your firm?

      IT is present and vital in all aspects of financial services and effective IT risk management is therefore a key factor in ensuring that business operations and services to customers are resilient against internal and external threats, thereby allowing them to operate when faced with such threats.

      While Authorised Persons await the release of the Consultation Paper, they should ensure that they are meeting the standards specified by the ADGM and the FSRA as per the rules and regulations concerning IT risk management and controls, in order to maintain a robust and resilient IT environment as an inherent part of their business activities.

      How Waystone Compliance Solutions can help you

      Waystone is well-positioned to support you in maintaining compliance with Cyber Risk Management requirements, providing you with the support that your in-house compliance resources need or alternatively educate and train your in-house compliance team on the regulatory requirements.

      If you have any questions or concerns on how the Cyber Risk Management rules impact your firm, please contact: Lisa Ritchie, Manager, Waystone Compliance Solutions.

      Previous post Next post
      Share

      More like this

      DFSA – Fixed Penalty Notice Regime

      On 5 April, the DFSA published a Dear SEO Letter. The purpose of this letter was to inform all Senior…
      Read more

      Exploring FSRA Supervision Fees: Everything you need to know

      The FSRA proposed amendments to its Fees Rules (“FEES”) and General Rulebook (“GEN”) to better align fees with operational costs.
      Read more

      Notice for Firms on the FCA’s improved Appointed Representatives regime

      The FCA’s new rules for Appointed Representatives (ARs) come into force on 8 December 2022.
      Read more

      It is with sadness that we mark the passing of Her Majesty The Queen

      Following the passing of Her Majesty Queen Elizabeth II, we reflect on her remarkable reign and her dedication to a…
      Read more

      The deadline for the Hong Kong SFC’s climate-related requirements is fast approaching

      The Hong Kong Securities and Futures Commission (SFC) issued Consultation Conclusions on the Management and Disclosure of Climate-related Risks by…
      Read more

      Key Compliance Updates in your region - what you need to know

      Waystone Compliance Solutions was launched at the start of this year and since then we have seen the global compliance…
      Read more