February 3, 2020

Cybersecurity: are you “Operationally Resilient”?

On 22 January 2020, the Dubai Financial Services Authority (DFSA) launched a Cyber Threat Intelligence Platform (CTIP) to assist businesses in the Dubai International Financial Centre (DIFC) to mitigate cyber threats and limit their impact. In this article we discuss the implications of this new initiative for regulated firms operating in the DIFC, and the importance of managing cyber risk as part of firms' operational resilience. This article is also relevant by analogy for regulated firms established in the Abu Dhabi Global Market.

The CTIP initiative is the first of its kind in the region. It is a collaboration involving a number of key UAE and foreign stakeholders[1]. The DFSA's new platform enables the sharing of information between regulated and non-regulated companies operating in the DIFC, and connects them with prominent international cybersecurity firms[2]. This initiative highlights the UAE authorities' increased effort to tackle the growing threat of cyber attacks.

Why should regulated firms take cybersecurity seriously?

Cyber attacks are increasing in number and seriousness. In a worst-case scenario, a cyber attack can bring a business to its knees or lead to insolvency. In January 2020 alone, Travelex, Gedia Automotive Group, Bird Construction and Picanol are just four examples of companies that were hit by a ransomware attack. Travelex took a month to get back to normal operational capability.

Companies which are subject to a cyber attack are generally perceived as the victim. However, for regulated firms, a cyber attack brings not only damage to the firm's business and reputation, but also potential investigation and enforcement action by the regulator if there have been failures of systems and controls. Firms may also be obligated to notify various regulatory bodies in the event of a cyber breach incident, including the DFSA and the DIFC Commissioner for Data Protection.

The launch of the CTIP initiative by the DFSA therefore provides a perfect opportunity for DFSA-regulated firms to review their operational resilience and ability to withstand a cyber attack. DFSA-regulated firms should ensure that they have proper systems and controls in place to prevent, mitigate and manage the outcome of a cyber attack. A failure in operational resilience can come at a very high cost to regulated firms and their senior management.

Regulatory liability for firms

A DFSA-regulated firm that suffers a cyber attack resulting in downtime or in the loss of customer data or assets exposes itself to the risk of enforcement action by the DFSA (including large fines) for some or all of the following regulatory breaches:

  • risk management systems and controls (General Rulebook (GEN) rules 5.3.4-5.3.6);
  • business continuity and disaster recovery (GEN 5.3.23); and
  • breaches of DFSA principles for regulated firms, including Principle 2 - Due skill, care and diligence (GEN 4.2.2), Principle 3 - Management, systems and controls (GEN 4.2.3), Principle 4 - Resources (GEN 4.2.4) and Principle 9 - Customer assets and money (GEN 4.2.9).

Where a cyber attack exposes a DFSA-regulated firm to loss of customer data, there is also a risk of enforcement action (including fines) by the DIFC Commissioner of Data Protection under the DIFC Data Protection Law.

Regulatory liability for individuals

Where a DFSA-regulated firm is subject to a cyber attack, regulatory breaches committed by the firm may expose the firm's Authorised Individuals and employees to enforcement action by the DFSA for some or all of the following regulatory breaches:

  • knowing concern by an Authorised Individual or employee in breaches by the DFSA-regulated firm; and
  • breaches of the principles for Authorised Individuals: Principle 2 - Due skill, care and diligence (GEN 4.4.2), Principle 5 - Management, systems and controls (GEN 4.4.5).

Civil liability for firms

A cyber attack may expose a firm to civil claims by clients, employees and other persons affected by service disruption, data loss, loss of assets or lost opportunity. In particular, company directors can face shareholder litigation for breach of duty/negligence, for example, by failing to have in place effective defences or failing to have adequate insurance cover.

Reputational and other damage

A cyber attack can cause serious reputational damage for a company. For regulated firms, where customer trust is paramount, a serious cyber attack that highlights fundamental failings in the business could be a fatal blow to the firm. Customers need to know that their assets and data are protected, and will not hesitate to move their business if trust is undermined.

Ransomware attacks – where systems or data are encrypted by a third party that demands money (usually in the form of cryptocurrency) for their release – have resulted in several large payments to the perpetrators of the attacks, although such payments raise a number of legal and public policy / ethical issues.

What does operational resilience look like for cyber risk?

Cyber resilience starts at the top of any company. There must be Board buy-in and commitment in terms of resources (human and financial) to manage cyber risk. The Board must then ensure that the company develops a culture that is aligned with cyber resilience.

For DFSA-regulated firms, we recommend that, at a minimum, the following matters are addressed without delay:

Board and senior management buy-in:

  • Has the Board committed sufficient human and financial resources to cyber risk?
  • Is cyber risk a regular item for discussion at the Board meeting or meeting of senior management (for branches)?
  • Has a Board committee (e.g. the Risk Committee) or, for a branch, a senior manager (e.g. Chief Risk Officer / Head of IT Security) been given overall responsibility for managing cyber risk?

Resources:

  • Is the firm getting the right expert help (from security / legal experts)?
  • Is the firm's IT function adequately resourced and does it have access to specialist advice?

Assessing blind-spots and vulnerabilities:

  • Has the firm had an external audit of its cyber-attack vulnerability or been subjected to stress testing of its systems?
  • Have the firm's hardware and software been regularly updated?
  • Does the firm have insurance, and does the policy cover cyber risk?

Training:

  • Have all staff been provided with training on identifying and mitigating cyber risks?
  • Is staff training appropriate to the employees' role within the firm?
  • Does the firm send regular communications to staff to raise awareness and notify employees of new risks or imminent threats?

Preparedness for the worst-case scenario:

  • Does the firm have a detailed cybersecurity event plan which addresses how the firm must respond to a cyber attack?
  • Has the firm run a cyber attack simulation to test the adequacy of its risk management systems and business continuity planning?
  • Does the firm have an adequate business continuity and disaster recovery plan to permit full business recovery within the shortest possible time?
  • Does the firm back up all its data securely on a regular basis?
  • Does the firm have an insurance policy which covers all cyber risks?
  • Does the firm have an emergency contact list for specialised and readily available external experts, including IT forensic service providers and legal advice?

How can we help?

Clyde & Co can assist regulated firms with the following pre- and post-breach services:

  • developing compliance programmes, strategies and policies, including advice on data privacy and securing the supply chain;
  • providing staff training on how to prevent / deal with cyber attacks;
  • advising on insurance coverage;
  • providing legal representation in regulatory actions / civil claims against firms and individuals; and
  • operating a 24/7 cyber breach response service.

[1] These are the Dubai Electronic Security Center (DESC), the National Computer Emergency Response Team for the UAE (aeCERT), the Computer Incident Response Center Luxembourg (CIRCL) and the Open Source Threat Intelligence and Sharing Platform Project (MISP).

[2] These include HelpAG, Kaspersky, Palo Alto Networks, Cofense, and Recorded Future.