The Riffle

The Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) has issued a revised framework for IT and cyber incident reporting, introducing stricter timelines, standardised reporting templates, and an incremental disclosure model.

Effective 31 January 2026, all FSRA Authorised Persons must comply with the updated Cyber Risk Management (CRM) Rules under GEN 3.5, including a non-negotiable 24-hour reporting backstop for suspected material cyber incidents.

Regulatory Context

The revised framework was formally communicated through FSRA Notice No. FSRA/FCCP/22/2026, issued on 29 January 2026 to Senior Executive Officers and Principal Representatives.

Key drivers behind the update include:

  • Alignment with the Financial Stability Board (FSB) April 2025 cyber incident reporting standards

  • Feedback received during public consultations on ADGM’s CRM Rules

  • A supervisory push towards earlier regulatory visibility, even where facts are still evolving

The framework applies uniformly to all FSRA Authorised Persons, regardless of size or business model. 

Incident Reporting Timelines: What Has Changed

The FSRA has introduced a dual-layered reporting timeline, reinforcing urgency and consistency:

  • Immediate Notification

    Required upon discovery of an incident under GEN 8.10

  • 24-Hour Backstop (New)

    Mandatory reporting no later than 24 hours after becoming aware of information suggesting a suspected material cyber incident, even if internal investigations are ongoing (GEN 3.5.18)

  • Progressive Updates

    Follow-up reporting frequency to be determined by the FSRA supervisor based on severity and complexity

This removes discretion around “waiting for confirmation” and shifts firms toward early, good-faith disclosure.

Standardised Reporting Mechanism

To support this accelerated approach, the FSRA has replaced free-form notifications with two mandatory reporting templates:

  • Template A – Initial IT & Cyber Incident Report

    Submitted via email to [email protected]

  • Template B – Progressive / Final Incident Report

    Used for interim updates and final closure reporting

All submissions must copy the firm’s FSRA lead supervisor or pooled supervision team. Procedural queries are directed to [email protected]

Template A: Initial Incident Report (Early-Stage Disclosure)

Template A is intentionally streamlined to enable rapid supervisory assessment. Required disclosures include:

  • Firm and reporting contact details, plus a unique Incident Reference Number

  • Date/time of discovery versus actual occurrence, and how the incident was identified

  • Incident categorisation (system outage, cyber-attack, data compromise)

  • Initial business, operational, and customer impact

  • Immediate containment measures taken

  • Any external communications (law enforcement, media, public disclosure)

The emphasis is on what is known at the time, not forensic completeness. 

Template B: Progressive & Final Reporting

Template B significantly expands disclosure expectations as investigations mature, including:

  • Threat actor identification and motive analysis

  • Contagion risk to other ADGM firms or infrastructure

  • Severity classification across financial, operational, reputational, legal, and regulatory impact

  • Client impact metrics, including affected clients and value of assets impacted

  • Financial consequences and balance-sheet implications

  • Root cause analysis, remediation steps, and control enhancements

  • Identification of any regulatory breaches, including capital or prudential failures

This positions cyber incidents as enterprise-wide risk events, not just IT issues. 

The FSRA has explicitly clarified that submitting Templates A and B does not replace other statutory reporting duties. Depending on the nature of the incident, firms may also need to notify:

  • The Financial Intelligence Unit (FIU)

  • The Commissioner of Data Protection

  • Relevant law enforcement authorities, including Abu Dhabi Police

Incident response planning must therefore account for multi-regulator coordination, not just FSRA engagement. 

Why This Matters

The revised framework signals a clear supervisory expectation:

  • Speed over certainty

  • Transparency over internal comfort

  • Governance ownership over technical delegation

Boards, SEOs, and control function heads will need to ensure incident response playbooks, escalation thresholds, and internal reporting lines are fully aligned ahead of January 2026.

Next Steps for Firms

Authorised Persons should:

  • Re-map incident escalation triggers to the 24-hour backstop

  • Train senior management on Template A vs Template B expectations

  • Align cyber, compliance, legal, and data protection reporting workflows

  • Stress-test incident simulations against the new timelines

Early preparation will be critical as the FSRA moves toward more consistent, data-driven cyber supervision across ADGM.

Read the full briefing document presented by 10 Leaves here:

Analysis of Revised IT and Cyber Incident Reporting Framework.pdf
