    Third-party risk, board oversight, and cyber resilience

    By Arabian Media staff, November 26, 2025


    The FSRA’s new playbook: Third-party risk, board oversight, and cyber resilience


    Cybersecurity is now a central pillar of regulatory strategy in the UAE. With the Financial Action Task Force’s Mutual Evaluation approaching in 2026, national and sector-level regulators are sharpening their focus on how firms manage cyber risk.

    Most recently, on July 29 this year, the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM) introduced a strengthened cybersecurity framework designed to elevate how financial firms manage cyber risk. These new rules are based on the guidance provided to firms and shaped by industry feedback from Consultation Paper No. 3 of 2025.

    The new rules mark a shift: cybersecurity is no longer just a technical concern; it’s a strategic imperative.

    With a compliance deadline of January 31, 2026, firms operating in or entering ADGM must act now. The FSRA’s expectations are clear, and the time to prepare is limited.

    A framework that reflects today’s risk landscape

    The cornerstone of the FSRA’s update is a documented, board-approved Cyber Risk Management Framework (CRMF). Firms, investment exchanges, and clearing houses regulated by the FSRA must implement a CRMF that is reviewed annually and tailored to the firm’s unique risk profile.

    It is important to note that the FSRA intends to apply a risk-based approach that reflects the nature, scale, and complexity of the activities conducted by the regulated entities. Where applicable, it will take into account the cybersecurity controls implemented at the group level.

    The CRMF must:

    • Identify and assess cyber risks across the organisation.
    • Define clear roles and responsibilities, including incident response protocols.
    • Protect Information and Communication Technology (ICT) assets through proportionate controls.
    • Prepare the firm to respond effectively to cyber incidents.

    The FSRA’s expectations go beyond basic compliance. Rather than offering a checklist of controls, the framework calls for a strategic, risk-based approach, one that enables firms to build resilient programs capable of adapting to evolving threats.

    Third-party risk creates accountability beyond the perimeter

    One of the most notable shifts in the FSRA’s approach is its emphasis on third-party risk. This includes:

    • Conducting due diligence and ongoing monitoring.
    • Establishing contracts that require incident notification and cooperation.
    • Maintaining an inventory of ICT providers and assessing their risk exposure.

    This requirement aligns with a broader global shift in regulatory focus. Increasingly, regulators are holding firms accountable for the cybersecurity practices of their third-party providers.

    Cyber risk in the boardroom

    Governance matters. The FSRA’s framework places cybersecurity oversight squarely in the hands of senior leadership. Governing bodies and senior management must ensure that cyber risks are identified, addressed, and managed by qualified individuals.

    This shift highlights the growing role of cybersecurity in enterprise-wide risk management. It’s no longer confined to IT teams.

    Cyber threats are now among the top risks facing financial institutions globally.

    Boards must recognise that cybersecurity is not just a technical issue; it’s a business risk with direct implications for financial stability, reputation, and regulatory exposure.

    Effective oversight now requires active engagement from senior leadership and the board. Firms must demonstrate that their leaders are informed, accountable, and equipped to guide cyber risk strategies.

    Protecting ICT assets is a layered approach

    The FSRA outlines specific expectations for protecting ICT assets, including:

    • Anti-malware software and network security controls.
    • Access management and multi-factor authentication.
    • Encryption of data in transit, at rest, and at destruction.
    • Physical access restrictions to data centres.
    • Annual cybersecurity training for staff.

    These controls are foundational, but their effectiveness depends on how they’re implemented, monitored, and tested. The FSRA requires regular resilience testing, including penetration testing and vulnerability assessments, with internet-facing systems tested at least once a year. Firms are expected to remediate any issues identified.

    Incident response requires speed, structure and transparency

    Firms must establish and maintain a formal incident response plan that is tested and updated regularly. In the event of a material cyber incident, the FSRA must be notified within 24 hours of detection.

    This requirement underscores the importance of preparedness. Firms must be able to detect, contain, and recover from incidents quickly, while maintaining transparency with regulators.

    Preparing for the January 2026 deadline

    With the compliance deadline approaching, it’s recommended that firms take the following steps:

    1. Conduct a gap analysis between current practices and FSRA requirements. Identify areas for improvement and develop a remediation plan.
    2. Review third-party risk management frameworks, ensuring contracts include cybersecurity obligations and vendors are monitored appropriately.
    3. Perform a cyber risk assessment, including penetration testing and vulnerability scans, to identify weaknesses.
    4. Update and test the incident response plan, including tabletop exercises to ensure readiness for the FSRA’s 24-hour reporting requirement.

    These steps go beyond regulatory compliance: they help strengthen stakeholder confidence and reinforce a firm’s commitment to operational resilience in line with the FSRA’s risk-based approach.

    Compliance as a catalyst for resilience

    The FSRA’s framework arrives at a time when cyber threats are escalating in scale and sophistication, with attackers increasingly using AI-enhanced phishing and deepfake technology.

    Ransomware attacks have also surged, targeting financial institutions and exploiting legacy systems and third-party vulnerabilities. These high-profile incidents are a wake-up call for boards and executive teams. Investors, regulators, and customers now expect firms to demonstrate cyber resilience.

    ESG frameworks increasingly include cybersecurity as a governance metric, and global regulations such as the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2) make board members personally accountable for cyber oversight. Cyber risk is no longer a siloed concern. It’s a key driver of stakeholder trust and enterprise-wide governance.

    The FSRA’s framework is ambitious, but it’s also achievable. With the right strategy, firms can meet the January 2026 deadline and position themselves as leaders in cybersecurity resilience.

    Clare Curtis is head of ACA Effecta, a division of ACA Group specialising in tailored support for the UAE’s unique regulatory landscape.





