The DFSA's latest technological initiatives
Chris Hamblin, Editor, London, 21 July 2020
The Dubai Financial Services Authority has inducted 16 firms - some of which are developing AI-supported wealth management platforms - into its 2020 Summer Innovation Testing Licence (ITL) Cohort, the largest figure ever. Its ITL regime or 'programme' helps firms to test innovative financial software in and from the Dubai International Financial Centre (DIFC), which the regulator polices. It has also completed a cyber-security thematic review.
The ITL provides firms with something the DFSA calls "temporary flexibility to test and develop concepts within a restricted regulatory environment." The 16 firms can now begin the tortuous process that leads to an application for an ITL, with the first batch of licences expected to be issued in October. A total of 34 firms applied for the summer batch or 'cohort,' the largest pool of applicants to date, while the DFSA accepted the largest ever batch to benefit from the scheme. This is a clear indication that the DIFC's policy is bearing some fruit.
In April, the DFSA announced it was accepting applications from international technology-driven companies. It required applicant-firms to be clear in their explanations of their planned business models and the innovative products or services that they were proposing. Of the 16 that passed this test, 13 propose to provide or arrange money services, which falls under the new regime that the DFSA commenced in April. These include payroll software, payments and cross-border money transfer platforms, E-wallet providers and AI-supported wealth management platforms.
The DFSA began the ITL in 2017 and has seen interest grow steadily each year. In all, 82 companies have applied to join the ITL scheme, of which 38 have been accepted. Many of them started as participants in the DIFC FinTech Hive’s Scale-up and Accelerator programmes. To date, the Scale-up and Accelerator programmes have accepted 70 companies and 140 start-up companies have used the hive’s "co-working space."
The Cyber Thematic Review
On a related note, the DFSA has published a report summarising the lessons it has drawn from its Cyber Thematic Review, which began in July last year. The aim was to gauge the maturity of cyber-security policies at authorised firms, assessing IT/cyber-risk governance, IT/cyber-hygiene practices and operational resilience (readiness for incidents). The review took place in two phases. The first was a multiple-choice questionnaire, sent to 490 firms, containing relatively broad questions about their cyber-security practices; it generated an 80% response rate. The second consisted of desk-based reviews and onsite visits at 20 firms, including document reviews and interviews with staff. The DFSA wants firms to use the report as instructive information only.
Summary of findings
A significant number of firms have not set up cyber-risk-management 'frameworks' and therefore manage cyber-risks on an ad hoc basis rather than in a properly co-ordinated way. Many assess cyber-risks to a limited degree only, tending to spot such risks only in relation to the availability of IT systems and without looking closely enough at the sensitivity of the data being processed. Some say that their cyber-risks are 'low' without saying why. In many instances, the DFSA thought that neither the board nor the senior managers were overseeing cyber-risk management sufficiently. This was especially prevalent at firms that outsourced their IT infrastructures and cyber-security functions to IT service providers. Senior managers often did not review cyber-security audits, reviews and tests. Only half of all firms have a background-checking process to establish whether third-party service providers meet their cyber-security requirements, and even fewer firms test this periodically. The vast majority of firms declared that they did identify and classify their IT assets. A significant number have not established comprehensive cyber-security training policies, although two-thirds have.
'Hygiene' is another consideration, with many firms not having assessed their weaknesses or performed penetration or 'pen' tests of their "critical information systems" in the past year. Firms using off-the-shelf systems do not recognise the necessity of performing such tests because they regard it as the responsibility of the system vendors. In cases where critical information systems are accessible from the Internet, some firms rely on basic user authentication using usernames and passwords, and some lack strong password policies (e.g. minimum password length, required password complexity and an account lockout threshold after a defined number of unsuccessful logon attempts). A significant number of small and medium-sized firms do not enforce encryption of workstation hard drives and portable devices to protect sensitive data.
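The three password-policy elements the review names (minimum length, required complexity, lockout after a set number of failed logons) are easy to state and easy to get wrong in practice. The following is an added illustration, not DFSA material or any firm's actual policy: it places a weak posture of the kind the review describes beside a corrected one and implements the checks a logon service would run. All thresholds (6/12 characters, 5 attempts, 900 seconds) are constructed example values, not figures the DFSA prescribes.

```python
"""Password-policy and account-lockout checks.

Added example for illustration only; not DFSA code. The policy numbers
below are constructed assumptions chosen to show the mechanism, not
regulatory requirements.
"""
from dataclasses import dataclass
import string
import time


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    required_classes: int   # how many of lower/upper/digit/symbol must appear
    lockout_threshold: int  # failed logons before lockout; 0 means never lock
    lockout_seconds: int    # how long a lockout lasts


# The weak posture the review describes: short passwords, no complexity
# requirement, no lockout threshold at all.
WEAK_POLICY = PasswordPolicy(min_length=6, required_classes=1,
                             lockout_threshold=0, lockout_seconds=0)

# A corrected posture (constructed example values).
STRONG_POLICY = PasswordPolicy(min_length=12, required_classes=3,
                               lockout_threshold=5, lockout_seconds=900)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def policy_violations(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the rules the password breaks; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(password) < policy.required_classes:
        problems.append(f"uses fewer than {policy.required_classes} character classes")
    return problems


class LockoutTracker:
    """Tracks failed logons per account and enforces the lockout threshold."""

    def __init__(self, policy: PasswordPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock  # injectable so tests can control time
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout has expired: clear the counter and unlock.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record one failed logon; return True if the account is now locked."""
        if self.is_locked(account):
            return True
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if self.policy.lockout_threshold and count >= self.policy.lockout_threshold:
            self.locked_until[account] = self.clock() + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful logon resets the failure counter."""
        self.failures.pop(account, None)


def failed_logons_processed(policy: PasswordPolicy, attempts: int) -> int:
    """How many of `attempts` consecutive failed logons the service actually
    evaluates before the lockout threshold stops it (frozen clock, so the
    lockout never expires during the run). With no threshold, all of them."""
    tracker = LockoutTracker(policy, clock=lambda: 0.0)
    evaluated = 0
    for _ in range(attempts):
        if tracker.is_locked("user"):
            continue
        evaluated += 1
        tracker.record_failure("user")
    return evaluated
```

The tracker takes an injectable clock so the expiry path can be exercised deterministically; in a real deployment the failure counters would live in shared storage rather than process memory, and the lockout events would be fed to the monitoring the review's 'resilience' findings call for.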
On the subject of 'resilience,' the DFSA says that "half of all firms do not have continuous identification and response capabilities for managing cyber incidents in regard to all Critical Information Systems." Small and medium-sized financial firms rely mainly on manual processes to monitor their infrastructure only during working hours, or do not have monitoring capacity at all. The majority of firms have drawn up cyber incident response plans but, in many cases, they have couched the procedures in general terms. Fewer than half of all firms have set up crisis management communication plans that keep clients, the media, the providers of crucial services, regulators and law enforcers informed, and even fewer firms have drawn up internal crisis communication plans (designed for relevant business units, senior managers, boards of directors, etc). More than half of firms' cyber-incident response plans do not include formal requirements for periodically testing their usual responses to 'cyber-incidents.' Most large firms use cyber threat intelligence platforms to share or access information about current cyber-threats. Some small and medium-sized firms use professional fora or groups to get information about particular cyber-threats but tend not to share information about cyber-incidents at all, one main factor here being the fear of reputational harm - the DFSA takes a rather dim view of this. The DFSA is encouraging firms to register for access to the DFSA Cyber Threat Intelligence Platform (TIP) on the DFSA ePortal. TIP is available to all DFSA-regulated firms.
The perfect plan
In the DFSA's eyes, a robust cyber incident response plan should contain at least:
- procedures for detecting, monitoring, analysing and responding to cyber incidents;
- well-defined incident management jobs and responsibilities;
- an internal communication plan that includes communication protocols for important internal people (e.g. relevant business units, senior managers, the board of directors);
- an external communication plan that includes communication protocols for the benefit of external people (e.g. clients, media, important service providers, regulators and the police);
- a recovery plan and/or references to a disaster recovery plan;
- procedures for reviewing things after the incident; and
- requirements for periodically testing the plan itself.