
DFSA Cyber Thematic Review: A Practitioner’s Perspective

Oct 21, 2025

Written by Khurem Ali, Senior GRC Analyst at Abacus Group

Cybersecurity compliance requirements for the financial industry have matured significantly in recent years, and firms need to be adaptable, capable, and, most important of all, trustworthy to succeed in a fast-moving market. Genuinely meeting compliance standards is both a differentiator and a currency when competing, especially in emerging markets like the UAE. Recently, the Dubai Financial Services Authority (DFSA) released its 2024 Cyber Thematic Review. The report made one thing clear: firms that cannot or will not demonstrate their resilience and invest in managing risk are not ready for the future and will fall behind.

Cyber Thematic Review Methodology & Findings 

The DFSA is the independent regulator for the Dubai International Financial Centre (DIFC). Overseeing a wide range of financial services, from banks to asset managers to insurance firms, the DFSA’s mission is to ensure the financial marketplace operates with integrity, resilience and transparency. In the 2024 Cyber Thematic Review, the DFSA demonstrated its preference for a risk-based approach built on proactive oversight rather than reactive enforcement across regulated firms. This is evident in how the regulator assessed firms’ cyber risk systems and controls: its supervisory methodology examined three key dimensions:

  1. Governance: Leadership, monitoring & accountability
  2. Hygiene: Technical controls & day-to-day security practices
  3. Resilience: Ability to respond to & recover from cyber incidents 

Each of these categories is further divided into detailed subtopics, reflecting the depth and seriousness of the DFSA’s expectations. Outlined below are details for each of these categories and key concerns from the regulator noted within the report.  

Assessing: Cyber Risk Management

  • Cyber risk management framework
  • Cyber risk identification and assessment capabilities
  • Board and senior management responsibilities and understanding of cyber risks
  • Third-party cyber risk management
  • IT asset identification and classification
  • Cyber training and awareness campaigns

Concern: Third-party risk management practices remain below 70% implementation.

Assessing: Cybersecurity Operations

  • Anti-malware protection
  • Network security
  • Access controls
  • User access management
  • Remote access and mobile devices
  • Change management
  • Patch management
  • Backup management
  • Encryption
  • Physical security
  • Cybersecurity testing

Concern: Encryption, cybersecurity awareness, and cybersecurity testing practices need improvement.

Assessing: Incident Management & Resilience

  • Continuous monitoring and detection capabilities
  • Cyber incident response planning and preparation
  • Cyber incident response and recovery
  • Cyber incident notification
  • Information sharing

Concern: Resilience requirements remain below 90% implementation, particularly the level of detail in Cyber Incident Response Plans and the testing of those plans.

While firms have made great progress meeting compliance standards and applying critical strategies and processes to reduce risk, the report highlighted ongoing issues that remain prevalent, including: 

  • Third-Party Risk Management – Weak oversight of vendors and service providers
  • Encryption Practices – Gaps in protecting sensitive data at rest and in transit
  • Cybersecurity Awareness – Inconsistent training and cultural engagement across organizations
  • Testing and Validation – Insufficient regular testing of cyber defenses and incident response plans
  • Resilience Planning – Limited maturity in business continuity and disaster recovery (BCDR) capabilities 

Cyber risk is a global issue for financial firms, and other regulatory guidelines, like those set by the Digital Operational Resilience Act (DORA) within the European Union, similarly highlight the importance of third-party risk management and resilience planning. These areas continue to represent systemic risks that firms must address to meet regulatory expectations and, more importantly, to build the resilience required to thrive in competitive emerging markets, including the UAE.

What This Means for Your Firm 

Meeting DFSA expectations isn’t just about having a strategy; it’s about executing it correctly, testing it regularly, and improving it continuously. To stay compliant, competitive, and trustworthy, firms must understand and implement the requirements assessed within each of the DFSA’s supervisory methodology categories: Governance, Hygiene, and Resilience.

Governance  
The report makes it clear: governance has to start with IT best practices. An important first step is ensuring your firm has an accurate asset inventory that reflects your current environment. It is impossible to identify and mitigate vulnerabilities and risks to your environment if you do not have full visibility of it. Additionally, third-party risk management remains one of the DFSA’s highest priorities, as failure to manage these risks can result in supply chain attacks, possibly leading to data breaches, service interruptions, and reputational damage. Finally, the report notes that it is the responsibility of senior management to establish, document, and maintain compliance with a cyber risk management framework. Furthermore, there has to be a top-down approach to making cybersecurity best practices part of the firm’s culture. Everyone must participate in cybersecurity awareness training and regular phishing tests, at least annually.

Hygiene 
Cyber hygiene includes the practices and strategies that help firms maintain the health and security of their digital systems, networks, and data. Common controls like patch management, user access management, and encryption build a foundational defense for firms, alongside activities such as regular cybersecurity assessments and penetration tests. The DFSA emphasizes in the report that automated vulnerability scans alone are not enough to test critical infrastructure and IT systems. It recommends that firms implement scenario-based tests, penetration tests, and red team exercises to comprehensively simulate a real-world attack. These methods identify exploitable vulnerabilities and evaluate the effectiveness of a firm’s security measures.

Resilience 
Firms must understand their ability to anticipate, withstand, respond to, and recover from cyber threats. Continuous monitoring, detection, and response (MDR) capabilities must be implemented to detect potential cyberattacks in real time. In the report, the DFSA also noted a key weakness in the lack of detail in many firms’ incident response (IR) plans and playbooks, in addition to a lack of regular review, testing, or updating of those plans. Cybersecurity is a 24x7x365 effort, and firms have to keep taking steps forward to remain resilient and ahead of shifting threat actor tactics.

Trust is the ultimate currency in financial services, and compliance is the mechanism through which that trust is demonstrated and reinforced. For DIFC regulated firms, alignment with DFSA expectations is not just about compliance—it’s about maintaining visibility, credibility, and resilience in a competitive marketplace.

The DFSA provides practical and clear guidelines and minimum expectations for firms. The themes observed and areas for improvement are not isolated to the region; we observe them throughout our global client base.

Connect with our experts to hear more about other key findings in the report and to learn how our trusted advisors can help you build a cybersecurity strategy that meets shifting compliance standards across the globe.  
