DFSA’s Thematic Review on Cyber Security Controls

Background

Last week, the DFSA published the 2nd edition of its Cyber Thematic Review Report, a document which summarised the improvements Firms have made since their first review concluded in 2020. The DFSA has been looking to improve cybersecurity awareness in the Dubai International Financial Centre (DIFC) by promoting the sharing of cyber threat information and supporting the continued development of cyber resilience within Firms in the DIFC. Overall, the DFSA has said they believe the latest results demonstrate that their efforts are paying off.

Key Findings
The Review identified a “material improvement in overall cyber maturity in that Firms have made improvements in most of the control areas assessed in the 2020 review”. However, despite this improvement, it was felt that all of the 14 key findings from the Cyber Thematic Review in 2020 continue to require the attention of Firms.

The Review identified that Firms did not improve their practices in three areas:

  1. Incident response testing programme
  2. Vulnerability Assessments and Penetration Testing
  3. IT asset identification and classification
What does this mean for firms now?
Consistent with other financial regulators around the world, the DFSA is continuing to see the incoming threat from cyber-attacks as a material risk. This is critical for the regulator to achieve its objectives of, “maintaining confidence in the financial services industry in the DIFC” as well as, “preventing, detecting and restraining conduct that causes or may cause damage to the reputation of the financial services industry”. Firms that do not invest in appropriate cyber security controls will be seen as a risk to market confidence should they experience a cyber-attack or security breach.
For start-ups in the region, this is a reminder that investing in cyber security controls at the outset is a key contributor to creating a sustainable business. Firms that delay investment in these areas put themselves, their clients and the other organisations they work with at risk.

For existing or more mature firms, it is a reminder that cyber is a risk that continues to evolve and there is a need to ensure businesses not only understand their cyber risk profile, but that they continue to invest in controls to protect their business and meet regulatory expectation.

How can firms respond to the 3 key improvement areas?
  1. Incident response testing
  • Ensure roles and responsibilities for the management of IT and cyber incidents are clearly defined, covering their identification, management and closure
  • Ensure all incidents are subject to thorough root cause analysis
  • Consider possible trends that may emerge from seemingly small, innocuous events – use these to inform how IT improvements are prioritised
  • Test response plans to an agreed schedule, based upon the likely scenarios that could impact the firm
  2. Vulnerability Assessments and Penetration Testing
  • Use a wide range of assessment tools and processes, such as vulnerability assessments, scenario-based testing, penetration tests and formal exercises
  • Consider the extent to which the firm has the appropriate skills in-house to identify and apply the right tooling for the firm’s risk profile
  • Consider independent third-party assurance to confirm the arrangements in place are fit for purpose
  3. IT asset identification and classification
  • Review asset registers for completeness, ensuring they capture areas such as applications, software, data, etc.
  • Ensure the asset register is maintained to an agreed schedule, given the risks to the firm
  • Ensure the process used to classify assets is based on a recognised standard (e.g. ISO/IEC 19770-1:2017)
  • Conduct a Business Impact Analysis (BIA) to determine the criticality of these assets, based upon the firm’s business processes
How we can help?

Whilst the DFSA does not require Firms to adhere to one cyber framework or standard, the regulator appreciates that there are many different standards and frameworks related to IT and cyber risk that Firms can benefit from. Some of the more commonly used frameworks/standards include:

  • CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures
  • ISO/IEC 27000 set of standards
  • NIST Cybersecurity Framework
  • CIS Critical Security Controls for Effective Cyber Defense
  • CSA Cloud Controls Matrix

At J. Awan & Partners, our cyber security and risk management teams are comprised of experts whose primary goal is to help you identify and manage cyber and other related risks.

Please contact us at [email protected] for any cyber security related needs.
