DFSA Cybersecurity Framework: What DIFC-Regulated Firms Must Know About Technology Risk
The Dubai International Financial Centre (DIFC) is a financial free zone with its own independent regulator, the Dubai Financial Services Authority (DFSA). For Authorised Firms operating within DIFC, including banks, investment companies, insurance providers, and fintech firms, cybersecurity is addressed through the DFSA's technology risk and business continuity requirements rather than through a standalone cybersecurity statute.
DFSA's Technology Risk Approach
The DFSA takes a principles-based approach to technology risk management. Rather than prescribing specific technical controls, the DFSA expects firms to demonstrate that they have identified, assessed, and mitigated technology risks proportionate to the nature, scale, and complexity of their business. This approach gives firms flexibility in how they implement controls, but it places the burden on them to justify their choices with evidence: a documented risk assessment, a control set traceable to the risks it addresses, and records showing the controls actually operate. Generic or templated responses to DFSA expectations are insufficient, because they cannot show that proportionality was assessed for this firm.
Governance Requirements
Firms must establish clear governance over technology risk. Senior management must take responsibility for technology risk strategy and oversight, and a designated individual must be accountable for technology risk management. The board or governing body must receive regular and meaningful reporting on technology risk, which in practice means risk metrics and open issues (for example, overdue critical patches, unresolved audit findings, and incident trends) rather than a statement that controls exist. Technology risk must be integrated into the firm's enterprise risk management framework, with the same appetite statements, risk registers, and escalation paths as other risk types, rather than treated as a standalone technical concern.
Information Security Controls
DFSA expects firms to implement information security controls covering: access management, with multi-factor authentication for critical systems and for privileged and remote access; data classification and protection, including encryption of sensitive data at rest and in transit; network security, with segmentation that limits lateral movement and monitoring capable of detecting misuse; endpoint protection across all devices that access firm systems, including unmanaged and personal devices where they are permitted; and secure configuration management for all technology components, with documented baselines and a process for detecting drift from them. For each control, the firm should be able to show both the policy and evidence that it is enforced.
Outsourcing and Cloud Technology
The DFSA recognizes that firms increasingly rely on cloud services and outsourced technology functions. Outsourcing does not transfer regulatory responsibility: the firm remains accountable for the outsourced function. Firms must conduct due diligence on technology service providers before engagement and periodically thereafter, ensure that outsourcing arrangements include appropriate security controls and the firm's right to audit and to receive incident notifications, maintain ongoing oversight of outsourced functions including any sub-outsourcing by the provider, and ensure that data sovereignty requirements are met, particularly for customer data. In practice this means knowing in which jurisdictions data is stored and processed, and having a documented exit plan that allows the firm to recover its data and continue operating if the provider fails.
Business Continuity and Disaster Recovery
Firms must maintain business continuity plans that address technology failures and cyber incidents. Recovery time objectives (RTO) and recovery point objectives (RPO) must be defined for critical systems and must be achievable with the backup and failover arrangements actually in place. Plans must be tested regularly and updated based on test results and changes to the business environment. Tests should cover cyber scenarios as well as infrastructure failure; a ransomware scenario, for example, requires demonstrating restoration from backups that the attacker could not have altered, not merely failover to a secondary site that replicates the same compromised data.
Regulatory Reporting
The DFSA requires firms to report material technology incidents that affect the firm's ability to conduct business, compromise the confidentiality of customer data, or indicate systemic weaknesses in technology controls. Firms must establish internal escalation procedures that enable timely regulatory reporting. The materiality thresholds and the persons authorised to notify the DFSA should be defined in advance, so that the reporting decision during an incident is a matter of applying agreed criteria rather than of judgement under pressure.
ITSEC DFSA Compliance Services
ITSEC works with DIFC-regulated firms to build cybersecurity programs that satisfy DFSA expectations while supporting business objectives. Our services include technology risk assessments, policy development, penetration testing, and ongoing compliance support. Contact ITSEC for a DFSA cybersecurity consultation.