DFSA | THE INDEPENDENT REGULATOR OF FINANCIAL SERVICES

Summary

The financial services industry is one of the industries most targeted by cyber criminals. This heightened exposure, coupled with the responsibility for protecting customer and investor assets, establishes the need for robust Information Technology (IT) systems, internal controls and governance arrangements to ensure effective management of cyber risk and preparedness for cyber incidents.

In considering the increasing risk of cybercrime, a key priority of the DFSA is to ensure that firms have in place an appropriate framework for the governance and management of cyber risks. Firms of all sizes should take cyber risks into consideration and implement adequate measures to become more resilient to cyber attacks.

Applicability

The DFSA’s cyber supervision activities apply to all DFSA Authorised Firms, Registered Auditors, Credit Rating Agencies and Authorised Market Institutions (collectively referred to as Firms).

Overview of DFSA Expectations

The DFSA expects all Firms to implement an appropriate framework to identify and mitigate cyber risks and to detect, respond to, and recover from cyber incidents. All members of senior management at both the board and executive levels need to be aware of their Firm’s cyber vulnerabilities, and accordingly, provide the necessary resources, control and oversight to manage the risk.

The manner in which a Firm manages the cyber risk will largely depend on the nature, scale and complexity of its business operation. The DFSA does not require Firms to follow one particular cyber framework/standard or set of guidelines. The DFSA considers that it may be more effective to point Firms to existing standards prepared by experts and recognized professional institutions rather than to create a bespoke framework specifically for DIFC entities. We appreciate that there are many different standards and frameworks related to IT and cyber risk that Firms in DIFC can benefit from. Some of the more commonly used frameworks/standards include:

  • CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures
  • ISO/IEC 27000 set of standards
  • NIST Cybersecurity Framework
  • CIS Critical Security Controls for Effective Cyber Defense

Cyber Risk Principles 

Although we do not prescribe a specific framework, we do expect Firms to implement a framework that is consistent with the eight principles outlined below. The principles are adopted from the G7 Fundamental Elements of Cybersecurity for the Financial Sector. The Elements were developed by the G7 Cyber Expert Group (CEG) and are designed for financial sector entities, both private and public, to be tailored to their specific operational and threat landscapes, role in the sector, and legal and regulatory requirements. The elements serve as the building blocks upon which an entity can design and implement its cybersecurity strategy and operating framework, informed by its approach to risk management and culture. These elements are as follows (the full text is available here):

Element 1: Cybersecurity Strategy and Framework
Establish and maintain a cybersecurity strategy and framework tailored to specific cyber risks and appropriately informed by international, national, and industry standards and guidelines.

Element 2: Governance
Define and facilitate performance of roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework to ensure accountability; and provide adequate resources, appropriate authority, and access to the governing authority (e.g., board of directors or senior officials at public authorities).

Element 3: Risk and Control Assessment
Identify functions, activities, products, and services—including interconnections, dependencies, and third parties—prioritize their relative importance, and assess their respective cyber risks. Identify and implement controls—including systems, policies, procedures, and training—to protect against and manage those risks within the tolerance set by the governing authority.

Element 4: Monitoring
Establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.

Element 5: Response
Timely (a) assess the nature, scope, and impact of a cyber incident; (b) contain the incident and mitigate its impact; (c) notify internal and external stakeholders (such as law enforcement, regulators, and other public authorities, as well as shareholders, third-party service providers, and customers as appropriate); and (d) coordinate joint response activities as needed. 

Element 6: Recovery
Resume operations responsibly, while allowing for continued remediation, including by (a) eliminating harmful remnants of the incident; (b) restoring systems and data to normal and confirming normal state; (c) identifying and mitigating all vulnerabilities that were exploited; (d) remediating vulnerabilities to prevent similar incidents; and (e) communicating appropriately internally and externally.

Element 7: Information Sharing
Engage in the timely sharing of reliable, actionable cybersecurity information with internal and external stakeholders (including entities and public authorities within and outside the financial sector) on threats, vulnerabilities, incidents, and responses to enhance defenses, limit damage, increase situational awareness, and broaden learning.

Element 8: Continuous Learning
Review the cybersecurity strategy and framework regularly and when events warrant—including its governance, risk and control assessment, monitoring, response, recovery, and information sharing components—to address changes in cyber risks, allocate resources, identify and remediate gaps, and incorporate lessons learned.
