DFSA Helping Firms to Counter Cyber Threats

23 Nov 2022

According to the latest Cyber Thematic Review Report published by the DFSA, the combined efforts of the regulator and industry are beginning to have an impact. Since carrying out its initial review in 2020, the DFSA has been working hard to raise cybersecurity awareness in the DIFC by encouraging information exchange about cyber threats and assisting firms with their ongoing efforts to build effective cyber resilience. However, more work is needed in some key areas to ensure this good work continues to gather momentum.

BACKGROUND

The DFSA has published its second edition of the Cyber Thematic Review Report, which summarises the advancements made by the regulated community since the initial review ended in 2020. In this report, the DFSA states that the most recent results demonstrate that the combined efforts of the regulator and industry are having an impact.

KEY FINDINGS

The study found that firms have improved in most of the control areas reviewed in the 2020 evaluation, which represents a substantial improvement in overall cyber maturity. However, despite this progress, there is still work to be done.

The review found that in the following three categories, firms had not improved their practices:

1. IT asset identification and classification
2. Incident response testing programme
3. Vulnerability assessments and penetration testing

WHAT DOES THIS MEAN IN PRACTICE?

1. IT asset identification and classification

Firms need to identify and classify each IT asset based on its criticality and sensitivity in order to ensure that all IT assets receive an appropriate level of protection. Firms should therefore use these criteria to define and apply appropriate controls to secure their data. Whether your firm's IT support is in-house or outsourced, senior management are strongly advised to carry out an audit to ensure accurate and up-to-date identification and classification of all IT assets.

This is a key priority for any firm as the protection of your data is only as good as the security of the assets through which it is accessed.

2. Incident response testing programme

Firms need to develop rigorous programmes to test the resilience of their systems in the event of a cyber incident. It is crucial that incident response testing examines the effectiveness of existing controls, helps to identify any gaps in these controls, and enables firms to assess what needs to be updated and when.

Tests may be conducted in many different forms, such as a table-top exercise or an incident simulation, and can cover isolated or multiple procedures at any one time. However you choose to do your testing, it is crucial that the scope of testing is determined each time a test is planned, so that the response can be measured as effectively as possible.

Incident response testing programmes must also be taken seriously and all aspects of a firm’s cyber incident response plan must be tested on a regular basis. The testing cycle and incident scenarios being tested need to be approved in advance by senior management to help them assess whether everything is being tested properly throughout the year.

Firms need to use the results of testing to ensure that the right people are not only handling the response to the cyber incident but are also delivering closure and capturing lessons learned from the event.

3. Vulnerability assessments and penetration testing

Firms can make use of a variety of methods to test critical IT infrastructure, such as scenario-based testing, red team exercises, vulnerability assessments and penetration tests. The latter two methods enable firms to identify known cyber security vulnerabilities and see how they affect their systems, and it is a good idea to undertake these aggressive tests at least once per year.

Senior management should consider instructing an independent third-party vendor to undertake this testing in order to make it as effective as possible and to capture expert learning that will help them fill any gaps in their current control environment.

ARE YOU CONFIDENT IN YOUR CYBER SECURITY?

In line with other regulatory bodies, the DFSA continues to view cyberattacks as a substantial concern. Working with the community it regulates to counter this threat is essential to maintaining public trust in the DIFC as one of the world's strongest financial services centres. If firms fail to invest in adequate cyber security measures, any successful cyberattack or security breach may threaten this trust and damage the DIFC's reputation as a centre of excellence.

This serves as a warning to start-ups in the DIFC that early investment in cyber security measures is crucial to building a successful company. Businesses that delay investment in these areas risk harming their relationships with customers and may also find it difficult to collaborate with other more cyber-resilient businesses.

It also serves as a reminder to established businesses that cyber risk is constantly evolving and that they cannot afford to rest on their laurels. It is vitally important that companies not only understand their cyber risk profile and how it may change over time, but also continue investing in and testing their controls to safeguard their operations and satisfy ever-changing regulatory requirements.

We at Clarity Solutions recognise that cyber defence is a complex and fast-moving control area, and we are available to help you understand the requirements of the report and what impact it may have on your firm. Please contact us using the Contact Us page on our website or email us at [email protected] to discuss your next steps.