ADGM's Technology Agreements: Enhanced Cyber Risk Management Rules Unveiled

Financial institutions within the Abu Dhabi Global Market (ADGM) now have half a year to conform to the latest Cyber Risk Management Framework, mandated by the Financial Services Regulatory Authority (FSRA) on July 29, 2025.


In the ever-evolving digital landscape, the Financial Services Regulatory Authority (FSRA) in the UAE has issued guidance for firms to ensure the security of their operations, particularly in relation to third-party Information and Communication Technology (ICT) Service providers.

Firstly, firms are expected to carefully evaluate the extent to which their contracts with third-party providers adequately address liability in the event of cyber incidents. This includes provisions for incident notification and management, as well as the use of subcontractors.

Secondly, the FSRA mandates that third-party providers notify firms about any cyber incidents that have a material impact on the firm. This is intended to enable prompt action and risk mitigation.

Thirdly, the FSRA expects firms to exercise control over their ICT Service providers' use of subcontractors. This includes being aware of the scope of services carried out by subcontractors and what actions are taken to mitigate cyber risk by the provider and its subcontractors.

The FSRA's guidance also encourages firms to consider the principles for outsourcing in financial services issued by international bodies such as the Basel Committee on Banking Supervision, IOSCO, and any principles or regulations applicable to the firm in its home jurisdiction.

Contracts with third-party providers should also include clear obligations for cybersecurity, risk management measures, and compliance with FSRA regulations. Ongoing monitoring and the right to audit the service provider are essential components of these contracts.

Furthermore, firms should ensure their contracts contain provisions addressing security, review and audit, incident notification and management, subcontracting, and data return or destruction. The FSRA has not mandated many specific provisions, but the importance of these topics cannot be overstated.

Firms should also consider whether their contracts address topics such as providing sufficient information and ongoing updates regarding the incident, and dealing with the incident in the manner instructed by the firm.

The FSRA's prudential rules (Prudential - Investment, Insurance Intermediation, and Banking) on this topic can be found in Rule 6.8 of the Prudential Rulebook. It is crucial for firms to refer to these rules to ensure compliance.

The Central Bank of the UAE (CBUAE) and the Securities and Commodities Authority (SCA) regulate financial services in onshore UAE, while the Dubai Financial Services Authority (DFSA) is the equivalent regulator in the DIFC.

In conclusion, the FSRA's guidance emphasizes the importance of due diligence, continuous monitoring, and specific contractual provisions in a firm's Cyber Risk Management Framework for third-party ICT Service providers. Firms must prioritize these aspects to maintain the security and integrity of their operations in the digital age.
