By Kyriakos Christofidis
Assistant Director, Complyport
On 25 May 2023, the Dubai Financial Services Authority (DFSA) engaged Control Risks Group, a global risk and strategic consulting firm specialising in political, security and integrity risk, in the preparation and execution of an inaugural crisis simulation exercise for 17 of its DFSA-authorised firms. The purpose of this exercise was to enhance cyber resilience across the Dubai International Financial Centre (DIFC), as a result of the rapid digital transformation of the UAE’s financial services sector.
Cyber Threats to the UAE
Considering that the UAE is currently one of the world’s fastest-growing financial hubs, the rapid digital growth the sector has experienced in recent years has made it one of the most targeted countries globally by cyber threat actors. Attackers of all guises are attracted to the country’s high levels of internet penetration, mobile banking, and perceived wealth, and are all the more determined to exploit perceived low levels of cyber security awareness at a local level.
In addition, geopolitical tensions in the Middle East have contributed to the UAE being targeted by advanced state actors for espionage, disruption, and financial gain. Furthermore, the country’s financial sector is strongly interconnected with a global supply chain of suppliers, network providers, and partners, which has made it an attractive target for cybercriminals motivated by fraud, extortion, identity and data theft, and money laundering.
Purpose of the DFSA Exercise
The purpose of this exercise was to train and improve the collective cyber resilience and response capabilities of multiple authorised organisations within the industry. It involved bringing together various financial institutions and relevant stakeholders to assess their ability to manage large-scale cyber-attacks or incidents that could impact the entire financial market.
This exercise was the first of its kind for the DIFC, with the DFSA developing a set of objectives that were rigorous yet attainable so that the exercise could provide a solid foundation of knowledge and experience for participants to build upon. These objectives were:
- Build participants’ awareness of the importance of cyber resilience.
- Provide participants with the opportunity to test their systems and improve the effectiveness of their cyber crisis management capabilities.
- Improve the DFSA’s capability to respond to a cyber incident affecting an Authorised Firm.
Exercise Overview
Control Risks, together with the DFSA, chose cyber activism, often referred to as hacktivism, as the crisis scenario for the exercise, since it could be replicated in a simulation mirroring the actual context and complexity of a real attack. It was decided that involving anti-capitalist anarchists would introduce a level of unpredictability and uncertainty to the initial stages of the exercise.
The scenario was based on the output of the European Systemic Cyber Group (ESCG). This Group is part of the European Systemic Risk Board (ESRB), which defines systemic risk as the potential for a significant event occurring within a single firm that could consequently lead to serious instability or even cause an entire industry or the broader economy to collapse.
The ESCG’s conceptual model for systemic cyber incidents comprises four phases:
- Context
- Shock
- Amplification
- Systemic Event
This model provided the exercise with a framework for exploring the potential systemic risks posed by cyber incidents in the financial sector. The exercise consisted of the four phases above and was based on the structure provided by the ESRB.
Exercise Findings
During the exercise, firms were requested to submit responses to a series of predetermined questions at various stages (“checkpoints”) of the process. These questions, together with regulatory requests for information (RFIs) prepared by the DFSA, were designed to assess the pace and level of engagement of the firms’ Crisis Management Teams (CMTs) and to understand the firms’ responses to the scenario. Responses to these questions later formed the basis of the exercise findings.
The participating authorised firms were able to evaluate their own performance following the exercise. The following criteria were used to assess the participating firms’ performance:
- Crisis Management Planning and Response
- Cyber Incident Response
- Business Recovery
- Roles and Responsibilities
- Scenario Planning
- Objective Setting
- Communication and Coordination
- Stakeholder Engagement
- Record Keeping
- Decision-Making
- Effective Decision Making
Overall, the firms expressed confidence in their ability to manage a large-scale crisis. However, some areas were identified where improvements could be made to strengthen their resilience capabilities. These included familiarising teams with crisis management protocols, mobilising resources for cyber incident response, enhancing communication within teams, identifying and prioritising affected stakeholders, and making decisions under uncertain circumstances.
MAP S.Platis can provide comprehensive advisory support to UAE-DFSA regulated firms. Please contact us for more information on our related services.