ADGM's Technology Agreements: Imperative Cybersecurity Measures under the Cyber Risk Management Regimen

Financial institutions within the Abu Dhabi Global Market are given a six-month deadline to adhere to the recently unveiled Cyber Risk Management Framework, which was announced by the Financial Services Regulatory Authority on July 29, 2025.

Regulations in ADGM's technology sector: fresh cybersecurity standards within the Cyber Risk Management Framework

The Financial Services Regulatory Authority (FSRA) in Abu Dhabi Global Market has announced a new Cyber Risk Management Framework, which will apply to regulated firms within the region. The framework, effective in six months, aims to manage Third-Party Cyber Risks, that is, risks that may arise from the use of Information and Communication Technology (ICT) Services provided by a third party or its subcontractors.

Under the new framework, firms are responsible for ensuring compliance with the FSRA's Regulations and Rules, even when ICT Services are outsourced to third parties. This responsibility extends to the activities performed by these third parties. Firms should ensure that their contracts with ICT service providers contain provisions addressing security, review and audit, incident notification and management, subcontracting, and data return/destruction, among other things.

The FSRA's new framework extends beyond traditional outsourcing, following a global regulatory trend. Firms are required to include due diligence, contracting, and continuous monitoring in their Cyber Risk Management Frameworks for third-party providers of ICT Services. This includes requirements for managing Third-Party Cyber Risks, which are risks that may arise from the use of ICT Services provided by a third party or its subcontractors.

Importantly, firms must require third-party providers to notify them about all Cyber Incidents that have a material impact on the firm. Firms should also be aware of the scope of services carried out by subcontractors and what actions are taken to mitigate Cyber Risk by the provider and its subcontractors.

The framework applies to technology service arrangements that are provided on a one-off or infrequent basis, and not just those provided on an ongoing basis. Key third-party ICT service providers operating in Abu Dhabi Global Market who are likely compatible with the new framework include major IT and cybersecurity firms such as Injazat Data Systems, Alpha Data, Microsoft, Accenture, Cisco, Oracle, Fortinet, Palo Alto Networks, and du (telecom and digital services provider).

The FSRA expects firms to apply "adequate controls" to their ICT Service providers' use of subcontractors. Contracts with third-party providers of ICT Services should also set out appropriate requirements for the deletion or return of the firm's information at the end of the contract.

Firms operating in the European Union are already familiar with similar third-party risk management requirements due to the Digital Operational Resilience Act (DORA). However, the FSRA's framework applies more broadly than just to technology outsourcing arrangements. Where an ICT Services arrangement constitutes an outsourcing, firms will also need to comply with the FSRA's Rules for outsourcing arrangements.

In summary, the FSRA's new Cyber Risk Management Framework is a significant step towards enhancing cybersecurity in the Abu Dhabi Global Market. Firms are expected to take a proactive approach in managing Third-Party Cyber Risks and ensure that their contracts with ICT service providers adequately address these risks.
