Cyber risk management in the ADGM: an analysis of the new regulatory framework

Applicability and scope

The Cyber Risk Management Framework has been implemented by way of amendments to various FSRA Rules that are applicable to:

• Authorised Persons, being the wide range of financial sector firms (including banks, insurers and investment firms) licensed to conduct regulated financial activities in the ADGM; and
• Recognised Bodies, being investment exchanges and clearing houses permitted by the FSRA to operate in the ADGM.

Most of the content appears in a new Cyber Risk Management section of the General Rulebook⁴. The key requirement is for firms to establish and maintain a written cyber risk management framework to identify, assess and manage its Cyber Risks effectively.

• Cyber Risk is defined with reference to both the probability and impact of Cyber Incidents occurring. A firm’s framework will therefore need to consider both prevention and mitigation measures.
• Cyber Incident is widely defined as an incident arising from the use of information or communication technology that adversely affects an Authorised Person’s ICT Assets or the information it processes, stores or transmits. There is no materiality threshold with respect to the types of incidents or their impact that should be considered.
• ICT Assets include the full range of data and technology (both infrastructure and applications) used by a firm, whether belonging to the firm or its service providers.

Systems and controls

As with risk management generally, it is the responsibility of a firm’s board of directors (or other governing body) and its senior management to ensure the effective management of cyber risk.

A firm’s cyber risk management framework must be integrated with its overall risk management framework and include systems and controls that are proportionate to the nature, scale and complexity of its activities and to its Cyber Risk. It will need to cover the following broad areas:

• Cyber Risk identification and assessment: Firms must maintain a current inventory of their ICT Assets and conduct regular, at least annual, assessments of Cyber Risk associated with those assets.
• Prevention: Firms must implement appropriate measures to prevent and mitigate Cyber Incidents. There are comprehensive requirements relating to:
  • technical, physical and operational security;
  • change management;
  • staff training / awareness; and
  • third party oversight. For more information on the requirements of the framework in relation to ICT service providers, see our article Technology contracts in the ADGM – new requirements under the Cyber Risk Management Framework.
• Monitoring and testing: Firms must implement a system to conduct ongoing monitoring and regular testing of systems and controls, such as vulnerability assessments and scenario-based testing. The scope and frequency will depend on the nature, scale and complexity of their businesses and associated Cyber Risks.
• Response and recovery: Firms must establish, maintain and regularly test a robust cyber incident response plan to ensure timely recovery from incidents, mitigation of consequences and compliance with the incident notification requirements (more details on this requirement are below). The plan should be integrated into the firm’s overall crisis management and disaster recovery plans.

In developing their cyber risk management frameworks, firms are guided to take account of regulations and guidance published by other UAE federal authorities and recognised international standards. Once established, firms are expected to review their frameworks at least annually.

Incident notification

The amendments to the FSRA Rules also establish a new Cyber Incident notification requirement⁵. Firms will be required to notify the FSRA immediately (and no later than 24 hours) after becoming aware that a material Cyber Incident has occurred, or having information that reasonably suggests that this is the case.

The FSRA has provided guidance on factors to be considered in determining the materiality of a Cyber Incident, including:

• the financial, operational and reputational impact of the incident on the firm and its customers;
• whether or not the incident is reportable to another regulator; and
• whether or not the incident falls within the other events that require immediate notification to the FSRA, such as an event which could result in serious adverse financial consequences to the ADGM financial system or other regulated firms in the ADGM⁶.

Next steps

The amendments to the FSRA Rules will take effect on 31 January 2026. Impacted firms will need to assess the extent to which existing policies, processes, governance structures and third-party contracts require updating (or overhauling) to meet the requirements.

In the meantime, the FSRA is planning to update its cyber incident notification template before the end of 2025 to facilitate the reporting process.

At a national level, the UAE is preparing for its next Financial Action Task Force Mutual Evaluation in 2026, which includes a focus on cybercrime prevention⁷.

With thanks to Sea-won Baek.