
Abu Dhabi’s ADGM Updated Cyber Risk Framework: Our Cyber Team's Deep Dive & Analysis

Aug 14, 2025

Tightening Cyber Security Frameworks Worldwide 

Regulatory standards for cybersecurity continue to be an ever-evolving topic for the financial industry. With recent updates to the landscape, including widespread regulations like DORA in the EU and updates to the SEC’s Regulation S-P earlier this year, financial services across the globe are seeing tighter regulation coming their way.

Among the latest updates, from July of this year, is the Cyber Risk Framework under the Abu Dhabi Global Market’s (ADGM) regulatory arm, the Financial Services Regulatory Authority (FSRA).

A Brief History of the Regulation

The regulation’s justification can loosely be traced back to the establishment of the FSRA in 2017. As with most government-backed regulatory bodies, the FSRA enacts legal requirements for standard operations of financial service entities and provides guidance for best practices for ethical action and crime prevention related to the industry. Cybercrime has been of particular interest to several regulatory bodies following the pandemic, and ADGM is no different, having taken strong initiatives against cybercrime in 2021.

In 2023, the ADGM published a discussion paper on IT Risk Management, discussing how the body considered IT Risk Management to be a key factor in managing overall business risk. Later in 2024, they established more specific guidance on risk management, providing additional details on four key best practices: Establishing a Culture of Effective IT Risk Management, Managing an IT Environment, Interacting Securely, and Leveraging Business Embedded Technologies.

This next round of requirements demonstrates the ADGM’s continued commitment to empowering the FSRA in enforcing cybercrime prevention and their alignment with increasing standards for operational resilience seen around the world.

Establishing a New Cyber Risk Management Framework

The most critical component of the new requirement is the establishment of a Cyber Risk Management Framework by relevant entities. This is a common feature among many cybersecurity-related requirements, but is often one that is not well understood from a practical perspective. 

In short, such frameworks usually include elements of formalized policies and procedures around cybersecurity threats, an approved governance structure within the firm to engage with the framework, and regular review and testing of the framework’s elements to ensure appropriateness for both the firm and FSRA.

For ADGM, we see many similar requirements, though perhaps with a more specific coat of paint for provisions such as a timeframe specification for notifications and senior-level accountability. Additional requirements more unique to ADGM include:

  • Clearly defined roles and responsibilities related to cybersecurity within an organization, including board and senior management accountability
  • Oversight of Third-Party Risks
  • Protection of data and IT assets such as computers, networking equipment, servers, and cloud-based services
  • Controls around change and patch management
  • Regular assessment of risks via penetration testing, risk assessment and/or external audits
  • Incident response plans with appropriate means to meet tight notification requirements, including a 24-hour notification window to the FSRA

All these requirements will be enforceable by the FSRA as of 31st January 2026. 

What Should Firms Do Now

If your organization is already beholden to other cybersecurity, information security, or operational resilience requirements, you’re in luck – the FSRA is not demanding too much beyond the norm for similar regulations and industry best practices overall.
If you’re starting from scratch, there is a fair amount of work to do - but enough time to do it. Next steps should include:

  1. Establish your key stakeholders to oversee cybersecurity risks and concerns
  2. Establish formalized policies and procedures around information and cybersecurity, including developing a manner of identifying and tracking cyber risks
  3. Conduct an assessment (either internally or with a third party) to identify initial risks and understand your current security posture
  4. Work with your IT department or IT service provider to ensure that you have mechanisms in place to protect your firm’s data and devices
  5. Solidify your security incident response and business continuity plans, and coordinate with IT personnel to meet the plans’ objectives
  6. Conduct due diligence of your vendors from a cybersecurity perspective, asking questions around information protection, access control, and operational resilience plans

Although this list may seem extensive, each step is crucial to ensuring the security and compliance of your organization. Many of these efforts can be made in tandem to ensure your firm hits the January 2026 deadline. 

How Abacus Can Help

As a Managed Service Provider working with highly regulated entities, Abacus places significant focus on building security and compliance into everything we do, and ensuring our managed service offerings help our clients meet the high standards of regulatory bodies. We also offer white-glove security services for unmanaged clients with our highly-accredited offensive security and governance, risk and compliance (GRC) teams. 

To learn more about our services and how our team can help you ensure your firm's compliance with shifting ADGM requirements, contact us today.
