DFSA publishes Cyber Thematic Review Report

The Dubai Financial Services Authority (DFSA) has announced that it has published a thematic review report on cyber risks.

The Report, titled ‘Cyber Thematic Review 2020’, highlights a number of important opportunities for operational risk management practices of Firms operating in the Dubai International Financial Centre (DIFC), the regulator said in a press release.

Launched in July 2019 with an objective of identifying the overall maturity level of cyber security programmes of Firms authorised by DFSA, the Cyber Thematic Review assessed cyber risk governance frameworks, cyber hygiene practices, and resilience (incident preparedness) programmes. The Review was undertaken in two phases, with the first phase consisting of a questionnaire seeking high-level information on each Authorised Firm’s cyber security practices, and the second phase consisting of desk-based reviews and onsite visits to selected Firms representing a range of business models and financial services activities.

The Review found that a significant number of firms had either not implemented a comprehensive cyber risk management framework or performed only a limited cyber risk assessment. Assessing how firms have implemented cyber hygiene practices, the findings also show that a number of firms, particularly smaller firms, did not enforce encryption on devices to protect sensitive data. The most significant finding on firms’ resilience towards cyber-attacks shows that at least half did not have a continuous identification and response capability for managing cyber incidents.

Although not part of this review, the new remote working protocols established in 2020 also bring new cyber risk vulnerabilities that need to be addressed by the financial services industry. The Report further summarises these key findings and observations together with the DFSA’s expectations and examples of best practices of cyber risk management. It focuses on cyber risk fundamentals which are relevant to each Authorised Firm, regardless of its size and business model.

Bryan Stirewalt, CEO, DFSA, said: “Enhancing the cyber resilience of our regulated population is one of our key priorities. Over the past two years, we have steadily increased our supervisory focus on cyber risk. We are constantly engaging with Firms in the DIFC to ensure they have sufficient safeguards in place to shield against cyber threat as well as effective processes to respond to and recover from a successful attack. Our focus also includes support for development of industry level guidance on cyber risk management practices. These intensified efforts support the UAE Cybersecurity Strategy and the Dubai Cybersecurity Strategy and are designed to strengthen the cybersecurity environment in the DIFC.”

As part of its efforts to strengthen cyber resilience in the DIFC, the DFSA launched its cyber threat intelligence platform (DFSA TIP) in January 2020. DFSA TIP aims to facilitate the development of a community of information sharing amongst financial services firms.