The Dubai Financial Services Authority (DFSA) has published a thematic review report on cyber risks. The review assessed cyber risk governance frameworks, cyber hygiene practices and resilience (incident preparedness) programmes.
The work was undertaken in two phases: the first phase consisted of a questionnaire seeking high-level information on each authorised firm’s cyber security practices, and the second phase involved desk-based reviews and onsite visits to selected firms representing a range of business models and financial services activities.
The review found that a significant number of firms had either not implemented a comprehensive cyber risk management framework or had performed only a limited cyber risk assessment. The DFSA’s report highlighted what it calls “a number of important opportunities for operational risk management practices of firms operating in the Dubai International Financial Centre (DIFC)”. In other words, it found numerous areas where firms’ cyber risk management could be improved.
The thematic review found 14 major issues which have been grouped into governance, hygiene and resilience. The DFSA identified “significant room for improvement in all three areas”.
1. A significant number of firms have failed to implement a cyber risk management framework. As a consequence, many firms’ cyber risk management activities tend not to be properly coordinated and are performed on an ad hoc basis.
2. Many firms perform only a limited cyber risk assessment. They tend to identify cyber risks only in relation to availability of IT systems, without sufficient attention to the sensitivity of processed data. Some firms assess cyber risk as low without providing a rationale for the low rating.
3. In many instances, neither the board’s nor senior managers’ oversight of cyber risk management was sufficient. This was especially prevalent where firms outsourced their IT infrastructure and cyber security functions to an IT service provider. The DFSA also found that some senior managers failed to carry out adequate cyber security audits, reviews and tests.
4. Only half of all firms have a due diligence process to assess whether third-party service providers meet the firm’s cyber security requirements, and even fewer firms periodically test whether third-party service providers satisfy the firm’s cyber security requirements.
5. The vast majority of firms said they identify and classify their IT assets. The DFSA identified, however, that firms mostly focus on IT equipment only, and do not identify and classify information and IT systems, or do so in an informal manner on an ad hoc basis.
6. A significant number of firms have not established a comprehensive cyber security training programme or a cyber awareness campaign to enhance the overall level of awareness. Moreover, the cyber training offered to employees by small and medium-sized firms tends to be ad hoc rather than taking place at regular intervals.
7. A significant number of firms have failed to perform vulnerability assessments or penetration tests of their critical information systems in the past year. Firms using off-the-shelf systems do not recognise the necessity of performing such tests as they see it as a responsibility of the system vendors.
8. In cases where critical information systems are accessible from the internet, some firms rely on basic user authentication using usernames and passwords. In addition, some firms have failed to implement strong password policies (e.g., minimum password length, required password complexity and account lockout threshold after a defined number of unsuccessful logon attempts).
9. A significant number of small and medium-sized firms do not enforce encryption of workstation hard drives and portable devices to protect sensitive data.
10. Half of all firms do not have continuous identification and response capabilities for managing cyber incidents with regard to all critical information systems. Small and medium-sized firms rely mainly on manual processes to monitor their infrastructure only during working hours, or do not have monitoring capabilities at all.
11. The majority of firms have implemented some form of cyber incident response plan to respond to, and limit the consequences of, a cyber incident. In many cases, however, the cyber response procedures are addressed in general terms as components of the business continuity plan and are not tailored specifically to cyber threats.
12. Less than half of all firms have implemented a crisis management communication plan that addresses external stakeholders (e.g., clients, media, critical service providers, regulators, law enforcement) and even fewer firms have implemented an internal crisis communication plan (designed for relevant business units, senior management, board of directors, etc.).
13. More than half of firms’ cyber incident response plans do not include a formal requirement for periodically testing the firm’s response to a cyber incident. Moreover, where firms do have a periodic testing requirement, the DFSA identified that a significant number have failed to test any component of their cyber incident response plans in the past year.
14. Some small and medium-sized firms use professional forums or groups to get information about particular cyber threats but tend not to share information about cyber incidents. Firms noted a lack of sufficient detection capabilities and potential reputational harm as the main reasons for failing to share information about cyber incidents.
Compliance tips and next steps
The report gives further detail on the findings and sets out the DFSA’s expectations as to good and better practice in cyber risk management. Firms would be well-advised to review the report and benchmark their own approaches against the problems identified.
Firms should note, in particular, the expectations placed on senior managers. Cyber security should not be seen as the responsibility of the IT department alone. Managing this risk area is seen as requiring a holistic view of vulnerabilities in an organisation, large or small. It also includes looking at risks associated with outsourced service providers. Cyber security should be seen as everyone’s problem, including the board of directors, senior managers and the business units. Cyber resilience should be embedded into a firm’s strategy with the objective of limiting the negative consequences of successful cyber attacks. The DFSA has said this will mean changing the focus of activities from reactive to proactive actions, and will involve planning a firm’s response at an organisational level.
The DFSA strongly encourages firms to cooperate and share information about cyber threats. The regulator itself takes a proactive approach to sharing knowledge, educating stakeholders and supporting companies in building their cyber resilience. The DFSA has reiterated that technological developments and technology risks will be a permanent element of future business plans.
There is further detail about the expectations placed on boards and senior managers with regard to cyber risks. The DFSA identified many instances where the board and/or senior managers fail to maintain sufficient oversight of cyber risk management processes. Neither the board nor senior managers are informed of current cyber issues or emerging risks and are given insufficient information to assess the appropriateness of mitigating actions. In addition, the results of cyber security audits, reviews and tests are not reviewed by senior managers on a regular basis.
In some cases, where firms outsource their IT infrastructure and cyber security functions to an IT service provider, board and senior managers have limited or no oversight of cyber risk issues. Firms attributed this to a lack of board understanding of cyber risks and to having placed their trust in the expertise of service providers.
The DFSA has stated that the board and senior managers are ultimately responsible for setting the cyber risk management framework and ensuring that it is followed. Even if the firm’s IT infrastructure and cyber security activities are outsourced to a specialised vendor, the board and senior managers remain responsible for cyber risk management oversight. They should be regularly updated on cyber risks and the efficacy of attempts to offset them. For example, senior managers should be informed where a key performance indicator signals that one or more cyber risk controls may be underperforming or failing, and where a key risk indicator signals an increase in the level of the firm’s exposure.
In addition, the DFSA expects management information to be presented to the board in a way that can be easily understood and analysed. Board members are expected to have a good understanding of cyber risks and to keep up-to-date with cyber trends.
The DFSA has said it expects firms to improve their approach to cyber risk management and that a firm’s board and senior managers must lead and oversee that approach. Any firms that ignore the DFSA’s stated expectations will find themselves more vulnerable to cyber attack and their senior individuals will be more likely to be held personally liable for the lack of an appropriate risk management framework.