The increased reliance on technology has exposed financial institutions to new digital vulnerabilities that can be exploited for financial crime purposes (e.g. data breaches, hacks, misuse of customer information and identities).
Given the evolving cyber threat landscape that accompanies digital transformation, it is the responsibility of all stakeholders to be able to recognise a threat before it becomes an emergency and to defeat sophisticated cyber techniques through proactive regulatory compliance, advanced protection strategies against threats, as well as scalability. This will help ADGM’s ecosystem avoid financial, reputational, operational and regulatory risks.
A key priority for the FSRA is to ensure firms of all sizes have in place an effective cybercrime prevention programme.
FSRA’s Relevant Persons are required to establish and maintain an effective and robust cybercrime prevention programme to prevent opportunities for financial crime on an ongoing basis and to ensure that control measures are appropriate and proportionate considering any vulnerabilities relating to the use of new or developing technologies.
Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes, which took effect in January 2022, establishes a comprehensive legal framework to address concerns relating to the misuse and abuse of online technologies.
The English translated versions of the UAE Federal Laws and Regulations should not be relied upon for interpretation or referred to in the event of a legal dispute. The Arabic documents are the original and official source of reference.
The FSRA Governance Principles and Practices to Mitigate Cyber Threats and Crime provide guidelines to firms, with practical illustrations of how the principles should be interpreted, without delving into technical specifics, noting that there are varying levels of sophistication and reliance on technology.
The FSRA is mindful that inherent cybercrime vulnerabilities and adopted cybersecurity measures may vary by firm due to different levels of sophistication and variance in reliance on technology. Firms are therefore required to tailor their cybercrime prevention programme by following a risk-based assessment methodology to identify the cyber threats their businesses are exposed to. This approach will help firms develop a structured and well-considered strategy to combat cybercrime by effectively allocating resources, defining clear responsibilities, and implementing risk-based controls tailored to their inherent cyber risks. These strategies will also need to outline how firms intend to prepare for, respond to and recover from cyber-attacks should they occur.
As a foundation, the FSRA expects firms to implement a framework that covers the following eight guiding principles. These principles provide firms with supplementary guidelines that should be leveraged in conjunction with firms’ existing risk management practices. The following is a summary of the FSRA Governance Principles and Practices to Mitigate Cyber Threats and Crime.
Principle 1: Cybersecurity Governance and Risk Management Framework
Firms should have in place a robust system of cybersecurity governance with clearly defined roles and responsibilities, where cyber risk is managed through a risk management framework set at the top, comprising a series of well-documented and understood policies, procedures and processes that define how the firms’ information assets are managed and protected.
Principle 2: Cyber Risk Assessment
Firms should know what information assets they have, including the locations where their sensitive data is stored, as well as the inherent vulnerabilities and threats they are exposed to. Firms therefore need to take stock of their information assets and perform periodic cyber risk assessments.
Principle 3: Management of Cyber risks associated with Third Party Service Providers
Firms should evaluate all relevant cybersecurity risks that may stem from placing reliance on third party service providers who manage or store confidential customer and/or financial information. Firms should adopt a risk-based approach prior to and during the lifecycle of their engagement with third party service providers.
Principle 4: Incident response planning
Firms are expected to plan their responses to cyber incidents in advance by developing an incident response plan that outlines how firms will respond to an unplanned disruption to services brought about by a cybersecurity event, limiting disruption and potential damage. There should be a clear set of instructions with defined roles and responsibilities and criteria to escalate to senior management. In essence, the plan should detail how the firm will prepare for, respond to and recover from a cybersecurity incident.
Principle 5: Cybersecurity awareness and training
Firms should aim to create an appropriate level of cybersecurity awareness amongst their employees. Employees are the major sources of cybersecurity risk. These risks can often take the form of social engineering tactics. In such scenarios, even the best technical controls can be undermined. Conversely, employees can also be one of the firms’ most effective resources in preventing incidents or detecting when an incident has occurred. Cybersecurity awareness and training is thus an essential component of a robust cybersecurity risk management framework.
Principle 6: Protective controls
Firms are expected to demonstrate that they have adopted suitable protective controls that are commensurate with their identified risk and the complexity and size of the firms’ operations, encompassing identity and access management, system architecture and configuration, as well as vulnerability management.
Principle 7: Detection systems and processes
Firms should create and implement a robust detection system with the aim of identifying vulnerabilities and threats and ensuring the necessary countermeasures are adopted before they can be exploited. In doing so, firms should define and differentiate between ‘normal’ and/or ‘expected’ activity, as well as suspicious activities. The detection and identification processes should be used to improve the firms’ response capabilities.
Principle 8: Collaboration and cyber threat intelligence
Information sharing is an effective way for firms to improve their understanding of the threats, tactics and procedures (TTPs) of criminal actors. Firms should therefore consider participating in information sharing arrangements with other financial institutions, security and law enforcement agencies. Additionally, firms should consider participating in industry forums that provide an opportunity for intelligence sharing.
In May 2024, the FSRA signed a Memorandum of Understanding (MoU) with the UAE Cyber Security Council to strengthen collaboration between both parties on cybercrime prevention.
The FSRA is committed to prioritising cybercrime prevention initiatives and promoting a safe and secure ecosystem. In addition, the FSRA is dedicated to safeguarding the financial stability and data integrity of licensed entities while actively contributing to the national strategy for cybercrime prevention.
UAE Cyber Security Council Alerts
As part of its commitment to keep FSRA’s Relevant Persons abreast of inherent and emerging cybersecurity threats, the Financial & Cyber Crime Prevention regularly publishes alerts as communicated by the Cyber Security Council. These alerts are aligned with efforts to foster a culture of cybercrime prevention and create a safer and more resilient financial environment. By sharing these alerts, the Financial & Cyber Crime Prevention helps FSRA’s Relevant Persons take proactive measures to enhance their systems and maintain effective and robust controls against potential cyber threats.