The Riffle
The Financial Services Regulatory Authority (FSRA) has released the findings of its Cyber Risk Survey conducted in Q3 2025, covering 315 Authorised Persons and Recognised Bodies within the Abu Dhabi Global Market (ADGM).
With an 83% response rate, the survey provides a benchmark of current cyber-risk maturity ahead of the Cyber Risk Management Rules coming into force on 31 January 2026. While foundational security controls are largely in place, the FSRA identifies material gaps in board-level accountability, asset visibility, third-party risk management, advanced testing, and incident preparedness.
The regulator’s message is clear: cyber risk must now be treated as a core operational and governance risk, not a standalone IT issue.

Key Highlights from the Survey
1. Governance & Accountability
Cyber risk governance remains inconsistent across firms.
A lack of clearly defined roles creates ambiguity during cyber incidents.
FSRA reiterates that ultimate accountability rests with the board and senior management.
2. Asset Identification & Risk Assessment
Incomplete ICT asset inventories remain a major vulnerability.
Unidentified assets and unpatched vulnerabilities are the most common attack vectors.
Asset classification is often not aligned to criticality or sensitivity.
3. Third-Party & Outsourcing Risk
Increasing reliance on external service providers has expanded cyber-risk exposure.
Many outsourcing arrangements lack:
Explicit cyber-incident reporting obligations
Defined cybersecurity standards
Ongoing monitoring mechanisms
4. Protection Controls & Human Risk
Basic controls (MFA, passwords, anti-malware) are widely implemented.
Adoption of advanced controls is uneven.
Employees remain the “first line of defense,” yet training quality and frequency vary significantly.
5. Monitoring, Testing & Resilience
Logging and monitoring exist, but advanced adversarial testing (penetration testing, red-teaming) is under-utilised.
Firms that do not regularly test controls may be unaware of critical vulnerabilities.
6. Incident Response & Recovery
Many firms have incident response plans, but testing and simulation are limited.
Plans that have never been exercised risk failing during a live cyber incident.
Why This Matters
The FSRA is signalling a shift from checkbox compliance to demonstrable cyber resilience. As cyber threats grow more sophisticated, regulators expect firms to:
Embed cyber risk within enterprise-wide operational risk frameworks
Elevate cyber discussions to the boardroom
Move from static policies to tested, monitored, and continuously improved frameworks
This aligns with broader UAE national cybercrime prevention efforts and international supervisory expectations.
Key Actions Firms Should Take Now
Board Oversight:
Establish clear board ownership of cyber risk, with defined roles and escalation protocols.
Asset Visibility:
Maintain a complete ICT asset inventory, classified by criticality and sensitivity.
Third-Party Risk:
Embed cybersecurity and incident reporting requirements into all outsourcing arrangements.
People & Training:
Conduct regular, role-based cyber awareness and incident response training.
Testing & Intelligence:
Integrate cyber threat intelligence and adopt advanced testing methods, where appropriate.
Incident Readiness:
Maintain formal incident response plans and test them regularly.
Conclusion
The FSRA’s Cyber Risk Survey reinforces that cyber resilience is no longer optional or peripheral. With the Cyber Risk Management Rules approaching, firms operating in ADGM are expected to demonstrate clear governance, robust controls, and tested preparedness.
The regulator also encourages firms to use the survey questions outlined in Appendix A of the notice as a self-assessment tool to evaluate their cyber-risk maturity and readiness for regulatory scrutiny.
