The financial services industry is one of the most targeted industries by cyber criminals. The increased vulnerability coupled with the responsibility for protecting customer and investor assets establishes the need for robust Information Technology (IT) systems, internal controls and governance arrangements to ensure effective management and preparedness.
In considering the increasing risk of cybercrime, a key priority of the DFSA is to ensure that firms have in place an appropriate framework for the governance and management of cyber risks. Firms of all sizes should take cyber risks into consideration and implement adequate measures to become more resilient to cyber attacks.
The DFSA’s cyber supervision activities apply to all DFSA Authorised Firms, Registered Auditors, Credit Rating Agencies and Authorised Market Institutions (collectively referred to as Firms).
The DFSA expects all Firms to implement an appropriate framework to identify and mitigate cyber risks and to detect, respond to, and recover from cyber incidents. All members of senior management at both the board and executive levels need to be aware of their Firm’s cyber vulnerabilities, and accordingly, provide the necessary resources, control and oversight to manage the risk.
The manner in which a Firm manages the cyber risk will largely depend on the nature, scale and complexity of its business operation. The DFSA issued a set of cyber risk management guidelines to provide information on good practices to assist Firms in:
• establishing a sound and robust cyber risk management framework; and
• strengthening system security, reliability, resiliency, and recoverability.
The Guidelines are statements of industry best practices which Firms may adopt, taking into account the complexity of operations and the diversity, scale and scope of business activities in which the Firm engages.
The DFSA does not require Firms to follow one particular cyber framework/standard. We appreciate that there are many different standards and frameworks related to IT and cyber risk that Firms in DIFC can benefit from. Some of the more commonly used frameworks/standards include:
Although we do not prescribe a specific framework, we do expect Firms to implement a framework that is consistent with the eight principles outlined below. The principles are adopted from the G7 Fundamental Elements of Cybersecurity for the Financial Sector. The Elements were developed by the G7 Cyber Expert Group (CEG) and are designed for financial sector entities, both private and public, to be tailored to their specific operational and threat landscapes, role in the sector, and legal and regulatory requirements. The elements serve as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture. These elements are as follows (the full text is available here):
Element 1: Cybersecurity Strategy and Framework
Establish and maintain a cybersecurity strategy and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines.
Element 2: Governance
Define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities).
Element 3: Risk and Control Assessment
Identify functions, activities, products, and services—including interconnections, dependencies, and third parties—prioritize their relative importance, and assess their respective cyber risks. Identify and implement controls—including systems, policies, procedures, and training—to protect against and manage those risks within the tolerance set by the governing authority.
Element 4: Monitoring
Establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.
Element 5: Response
Timely (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate); and (d) coordinate joint response activities as needed.
Element 6: Recovery
Resume operations responsibly, while allowing for continued remediation, including by (a) eliminating harmful remnants of the incident; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.
Element 7: Information Sharing
Engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage, increase situational awareness, and broaden learning.
Element 8: Continuous Learning
Review the cybersecurity strategy and framework regularly and when events warrant—including its governance, risk and control assessment, monitoring, response, recovery, and information sharing components—to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.