ADGM Cybersecurity Requirements: Technology Risk Compliance for Abu Dhabi Financial Services
Abu Dhabi Global Market (ADGM) is the UAE's second major international financial centre, regulated by the Financial Services Regulatory Authority (FSRA). Firms operating within ADGM must comply with technology risk and cybersecurity requirements that reflect international best practices while addressing the specific risk landscape of the region.
FSRA Technology Risk Framework
The FSRA's approach to technology risk is aligned with international standards, including NIST and ISO 27001. Firms must implement a technology risk management framework that is proportionate to their business activities and commensurate with the risks they face. The framework must address: information security governance and strategy; risk assessment and management; access control and identity management; data protection and privacy; network and infrastructure security; application security; business continuity and disaster recovery; and third-party technology risk.
Governance and Accountability
The FSRA requires clear accountability for technology risk at the senior management level. The firm's governing body must approve the technology risk strategy, ensure adequate resources are allocated, and receive regular reporting on the state of technology risk controls. A designated senior individual must be responsible for the day-to-day management of technology risk.
Cloud Computing in ADGM
ADGM has published specific guidance on cloud computing that reflects a pragmatic approach to cloud adoption. Firms can use cloud services provided they: conduct adequate due diligence on the cloud service provider; ensure that data sovereignty requirements are met, with particular attention to where customer data is stored and processed; implement appropriate security controls over cloud environments, including access management and encryption; maintain the ability to migrate data and services if the cloud provider relationship needs to change; and include the cloud environment in their security monitoring and incident response capabilities.
Penetration Testing and Vulnerability Management
The FSRA expects firms to conduct regular security testing of their technology environment. This includes external and internal penetration testing at least annually, web application security testing for customer-facing platforms, vulnerability scanning on a continuous basis, and remediation of identified vulnerabilities within defined timeframes based on severity.
Incident Notification
Firms must notify the FSRA of material technology incidents within prescribed timeframes. Notification requirements cover incidents that affect the firm's ability to operate, compromise customer data, or indicate systemic weaknesses in controls. Firms must establish procedures to ensure timely and accurate regulatory notification.
ITSEC ADGM Compliance Services
ITSEC supports ADGM-regulated firms with comprehensive cybersecurity compliance services including technology risk assessments, penetration testing, cloud security reviews, and regulatory reporting support. Contact ITSEC for an ADGM cybersecurity consultation.