On 22 January 2020, the Dubai Financial Services Authority (DFSA) launched a Cyber Threat Intelligence Platform (CTIP) to assist businesses in the Dubai International Financial Centre (DIFC) to mitigate cyber threats and limit their impact. In this article we discuss the implications of this new initiative for regulated firms operating in the DIFC, and the importance of managing cyber risk as part of firms' operational resilience. This article is also relevant by analogy for regulated firms established in the Abu Dhabi Global Market.
The CTIP initiative is the first of its kind in the region. It is a collaboration involving a number of key UAE and foreign stakeholders. The DFSA's new platform enables the sharing of information between regulated and non-regulated companies operating in the DIFC, and connects them with prominent international cybersecurity firms. This initiative highlights the UAE authorities' increased effort to tackle the growing threat of cyber attacks.
Cyber attacks are increasing in number and seriousness. In a worst-case scenario, a cyber attack can bring a business to its knees or lead to insolvency. In January 2020 alone, Travelex, Gedia Automotive Group, Bird Construction and Picanol are just four examples of companies that were hit by a ransomware cyber attack. Travelex took a month to get back to normal operational capability.
Companies which are subject to a cyber attack are generally perceived as the victim. However, for regulated firms, a cyber attack brings not only damage to the firm's business and reputation, but also potential investigation and enforcement action by the regulator if there have been failures of systems and controls. Firms may also be obligated to notify various regulatory bodies in the event of a cyber breach incident, including the DFSA and the DIFC Commissioner for Data Protection.
The launch of the CTIP initiative by the DFSA therefore provides a perfect opportunity for DFSA-regulated firms to review their operational resilience and ability to withstand a cyber attack. DFSA-regulated firms should ensure that they have proper systems and controls in place to prevent, mitigate and manage the outcome of a cyber attack. A failure in operational resilience can come at a very high cost to regulated firms and their senior management.
A DFSA-regulated firm which is subject to a cyber attack that results in downtime or loss of customer data or assets exposes itself to the risk of enforcement action by the DFSA (including large fines) for some or all of the following regulatory breaches:
Where a cyber attack exposes a DFSA-regulated firm to loss of customer data, there is also a risk of enforcement action (including fines) by the DIFC Commissioner of Data Protection under the DIFC Data Protection Law.
Where a DFSA-regulated firm is subject to a cyber attack, regulatory breaches committed by the firm may expose the firm's Authorised Individuals and employees to enforcement action by the DFSA for some or all of the following regulatory breaches:
A cyber attack may expose a firm to civil claims by clients, employees and other persons affected by service disruption, data loss, loss of assets or lost opportunity. In particular, company directors can face shareholder litigation for breach of duty/negligence, for example, by failing to have in place effective defences or failing to have adequate insurance cover.
A cyber attack can cause serious reputational damage for a company. For regulated firms, where customer trust is paramount, a serious cyber attack that highlights fundamental failings in the business could be a fatal blow to the firm. Customers need to know that their assets and data are protected, and will not hesitate to move their business if trust is undermined.
Ransomware attacks – where systems or data are encrypted by a third party that demands money (usually in the form of cryptocurrency) for their release – have resulted in several large payments to perpetrators of the attacks, although such payments raise a number of legal and public policy / ethical issues.
Cyber resilience starts at the top of any company. There must be Board buy-in and commitment in terms of resources (human and financial) to manage cyber risk. The Board must then ensure that the company develops a culture that is aligned with cyber resilience.
For DFSA-regulated firms, we recommend that, at a minimum, the following matters are addressed without delay:
Clyde & Co can assist regulated firms with the following pre and post-breach services:
 These are the Dubai Electronic Security Center (DESC), the National Computer Emergency Response Team for the UAE (aeCERT), the Computer Incident Response Center Luxembourg (CIRCL) and the Open Source Threat Intelligence and Sharing Platform Project (MISP).
 These include HelpAG, Kaspersky, Palo Alto Networks, Cofense, and Recorded Future.