Regulated financial services sector firms in the Abu Dhabi Global Market (ADGM) have six months to comply with the new Cyber Risk Management Framework announced by the Financial Services Regulatory Authority (FSRA) on 29 July 2025. The framework includes requirements for managing Third-Party Cyber Risks, being risks that may arise from use of ICT Services provided by a third party or its subcontractors.
Here we discuss the key requirements for managing Third-Party Cyber Risks. For more information on the applicability, scope and impact of the framework, see our article Cyber risk management in the ADGM: an analysis of the new regulatory framework.
ICT Services versus technology outsourcing
Where a firm relies on a third party for the provision of ICT Services, that firm remains responsible for compliance with the FSRA’s Regulations and Rules in relation to the activities performed by the third party.[1] This principle is consistent with the FSRA’s approach to outsourcing of both technology and non-technology functions, as well as that of the financial regulators in onshore UAE and the Dubai International Financial Centre (DIFC).[2]
However, the Third-Party Cyber Risk requirements in the new FSRA framework apply more broadly than just to technology outsourcing arrangements.
ICT Services is widely defined as an information and communication technology (ICT) related service, such as the hosting, maintenance or provision of repair services of ICT Assets or any other service that involves accessing an Authorised Person’s IT Systems or Networks or accessing or processing an Authorised Person’s data.
Outsourcing is not defined in the FSRA’s Rules but is generally characterised by two elements: (i) being provided on an ongoing basis, such as the provision of access to an online platform or the hosting of data; and (ii) something that the firm would otherwise do itself.
The relevant FSRA guidance includes cloud services and the maintenance of a firm’s servers as examples of ICT Services. The former would likely also be considered outsourcing, while the latter would not. Where an ICT Services arrangement constitutes an outsourcing, firms will also need to comply with the FSRA’s Rules for outsourcing arrangements.[3]
The extension of third-party risk management principles beyond outsourcing follows a global regulatory trend of focussing more broadly on financial entities’ operational resilience and risk profiles. FSRA-regulated firms who also operate in the European Union will be familiar with the Digital Operational Resilience Act (DORA), which applies third-party risk management requirements to the provision of (widely defined) “ICT services”, albeit limited to those that are provided on an ongoing basis. Interestingly, the Third-Party Cyber Risk requirements introduced by the FSRA will also apply to technology service arrangements that are provided on a one-off or infrequent basis and would therefore not be within scope for DORA compliance. The DORA requirements are, however, far more prescriptive, for example in terms of required contractual provisions. The FSRA’s expectations for ICT Service contracts are discussed below.
Requirements for managing Third-Party Cyber Risk
FSRA-regulated firms will need to include at least the following measures in their Cyber Risk Management Frameworks:[4]
- Due diligence: Undertaking due diligence to ensure the selection of suitable third-party providers of ICT Services that comply with appropriate cyber security standards.
- Contracting: Entering into appropriate contracts with these third-party providers. Further details on this aspect are below.
- Continuous monitoring: Effectively supervising the provision of ICT Services.
Provisions for ICT Service contracts
The FSRA has not mandated many specific provisions for inclusion in contracts with third-party providers of ICT Services. This aligns with its general approach on outsourcing contracts, where the FSRA’s guidance is to consider the principles for outsourcing in financial services issued by the Basel Committee on Banking Supervision, IOSCO or equivalent international bodies and any principles or regulations applicable to the firm in its home jurisdiction.[5]
A key change from the proposals in Consultation Paper No. 3 of 2025 is that firms are no longer required to include contractual obligations on providers to “comply with the [firm’s] Cyber Risk requirements” in a general sense. Instead, firms will need to ensure that their ICT Service contracts contain provisions addressing the topics below as a minimum.
- Security
Once a firm has determined that a third-party provider complies with appropriate security standards as part of its pre-contractual due diligence, it would be prudent to impose those standards on the provider in terms of clear contractual security obligations so that there is potential contractual recourse (by way of termination or a claim for damages) should those obligations not be met.
- Review and audit
Effective supervision of third-party providers must include regular verification that the provider complies with appropriate security requirements and the contract must allow for this to be done. The FSRA’s guidance on this requirement is that: (i) verification can be done by the firm (or its auditors) reviewing the provider’s control environment, by the provider supplying independent audit reports or by “other suitable means”; (ii) the frequency, scope and nature of the verification will depend on how critical the systems are and whether they contain sensitive information; and (iii) in some cases it may not be appropriate to rely on verifications conducted or procured by the third party (i.e. firms will need to conduct their own audits).
The fact that the FSRA does not require firms to have contractual rights to conduct on-site audits on all of their ICT Service providers is helpful for both firms and their providers. On-site audits are often a contentious issue, largely due to the operational, administrative and cost burdens imposed on providers in supporting varying audit requests from multiple customers. Securing such rights would have been difficult (if not impossible) for firms in relation to all in-scope ICT Service arrangements. However, there will be certain circumstances in which on-site audits are appropriate based on the risk profile of the ICT Service arrangement. This is typically the case for arrangements classified by a firm as material outsourcing.
- Incident notification and management
Firms must require third-party providers of ICT Services to notify them about all Cyber Incidents the provider experiences that have, or are likely to have, a material impact on the firm. Firms have a corresponding requirement to notify the FSRA of such incidents within 24 hours of becoming aware of them.[6] There is guidance on determining the materiality of Cyber Incidents; for more details see our article Cyber risk management in the ADGM: an analysis of the new regulatory framework.
Providers must also be required to cooperate with the firm in remediating the impact of those Cyber Incidents. The extent of this cooperation is not prescribed, but firms should consider whether their contracts address topics such as providing sufficient information and ongoing updates regarding the incident and, depending on the nature of the service, dealing with the incident in the manner instructed by the firm.
- Subcontracting
The FSRA expects firms to apply “adequate controls” to their ICT Service providers’ use of subcontractors. As a minimum, the firm should be aware of the scope of services carried out by subcontractors and what actions are taken to mitigate Cyber Risk by the provider and its subcontractors.
While it is prudent for firms to be aware of who is performing subcontracted services and where they are located, it is worth noting that this does not necessarily translate into a requirement for the firm to have approval rights over subcontracting. Subcontracting is another contentious topic in technology contracts, particularly in a cloud context where providers typically structure their services in a uniform manner across all of their customers and need to maintain the operational freedom to do so. Among other things, firms will need to consider whether approval rights over subcontracting generally, and/or the use of specific subcontractors, are appropriate. In some cases the decision may be informed by regulatory requirements in other jurisdictions which are covered by a group-wide service contract. For example, the Saudi Arabian Monetary Authority (SAMA) requires that the subcontracting of material outsourced functions is approved by the firm and receives a “no objection” from SAMA in advance of implementation.
An alternative, and increasingly common, approach to subcontracting is to require the provider to: (i) disclose its current subcontracting arrangements on entering into the contract; (ii) notify the firm sufficiently in advance of introducing a new subcontractor or making other material changes to existing subcontracting arrangements; (iii) allow the firm an opportunity to object where it believes that the new or changed subcontracting arrangements present a significant risk; and (iv) allow the firm to terminate the contract should its objections not be resolved and the provider wish to proceed.
Firms should also consider the extent to which they require direct rights of audit over subcontractors or whether supervision of the ICT Services (as required by the FSRA) can be achieved via other methods such as requiring the provider to procure audit reports and certifications.
- Data return / destruction
Contracts with third-party providers of ICT Services should also set out appropriate requirements for the deletion or return of the firm’s information at the end of the contract.
Although not mandatory under the Cyber Risk Management Framework, firms may also wish to consider the extent to which their contracts adequately address the liability of third-party providers in relation to cyber incidents. We discuss this further in our article Do your technology and outsourcing contracts properly address liability for cyber incidents?