ADGM Cyber Risk Management: What Firms Need to Know Before January 31, 2026

The Financial Services Regulatory Authority (FSRA) has introduced comprehensive cyber risk management requirements that will reshape how financial firms in Abu Dhabi Global Market protect their operations. Announced on July 29, 2025, these binding rules apply to all Authorised Persons and Recognised Bodies, with mandatory compliance required by January 31, 2026.

Why This Matters Now

On May 15, 2024, FSRA published updated regulations introducing Chapter 3.5 (GEN 3.5) dedicated entirely to cyber risk management. For the first time, ADGM has moved beyond general technology requirements to mandate specific cybersecurity measures that financial institutions must implement.

These requirements apply to all ADGM-authorized firms except representative offices. Banks, insurers (excluding captive insurers and authorized ISPVs), and certain investment account managers face additional governance requirements, including mandatory appointments of non-executive and independent directors to oversee cyber risk.

Core Requirements Under GEN 3.5

Establishing a Cyber Risk Management Framework

Financial institutions must create and maintain a comprehensive written framework that their board of directors formally approves. This framework cannot be a generic document copied from templates; it must reflect the specific risks your organization faces based on its size, business activities, and technology infrastructure.

The framework must address four critical areas mandated by the regulations:

Risk Identification and Assessment: You need formal processes to identify what technology assets you have, classify them by importance, and regularly assess the cyber risks they face. This means maintaining a current inventory of all your technology systems, applications, and data, understanding which are critical to your operations, and evaluating what threats could affect them.

Asset Protection: Your framework must detail how you protect your technology infrastructure from cyber attacks. This includes technical controls like firewalls and encryption, as well as organizational measures like access controls and change management procedures.

Monitoring and Testing: You must continuously monitor your systems for security issues and regularly test whether your protections actually work. Internet-facing systems require testing at least once per year.

Incident Response: You need documented plans for how you’ll respond when (not if) a cyber incident occurs, including who does what, how you’ll communicate internally and externally, and how you’ll recover from the incident.

Your framework must be reviewed at least annually and updated whenever significant changes occur in your business or the threat environment.

Governance and Leadership Accountability

Senior leadership cannot delegate cybersecurity to the IT department and forget about it. Under GEN 3.5.3, the board of directors and senior management team bear ultimate responsibility for cyber risk management.

Specifically, your leadership team must:

  • Understand and approve the cyber risks your organization will accept
  • Ensure someone at the senior management level is specifically responsible for advising on cyber risks
  • Verify that employees managing cyber risk have appropriate expertise and resources
  • Define clear risk tolerance levels that align with your business strategy
  • Receive regular reports on cyber risk in formats they can understand and act upon

The FSRA expects board members to participate in cyber risk training and awareness programs. If your board cannot discuss cyber risks intelligently, that’s a red flag for regulators.

Managing Third-Party Technology Providers

Most financial institutions rely on third-party vendors for cloud services, software applications, payment processing, or other technology functions. The new requirements recognize this reality and establish specific obligations for managing these relationships.

Before engaging any technology vendor, you must:

  • Conduct thorough due diligence to verify they meet appropriate security standards
  • Establish clear contractual terms that address security requirements
  • Require vendors to notify you immediately of any cyber incidents that could affect your operations
  • Retain the right to verify the vendor continues meeting security standards
  • Maintain ongoing supervision of the vendor’s service delivery

Critically, outsourcing technology functions does not outsource your regulatory responsibility. You remain fully accountable for regulatory compliance even when third parties provide the services.

The regulations also require you to understand what subcontractors your vendors use and ensure security standards extend through the entire supply chain.

Building Cyber Threat Intelligence Capabilities

A critical but often overlooked aspect of compliance is developing robust Cyber Threat Intelligence (CTI) capabilities. FSRA operates within a coordinated cybersecurity ecosystem that includes the UAE Cybersecurity Council, and firms must integrate their threat intelligence functions accordingly.

FSRA Advisories and Cybersecurity Council Alignment

FSRA regularly issues cybersecurity advisories through its Cybercrime Prevention portal, which serves as the primary channel for threat intelligence sharing with the financial sector. These advisories align with broader UAE Cybersecurity Council initiatives and provide actionable intelligence on:

  • Emerging threat actors targeting the financial sector
  • New attack techniques and vulnerabilities
  • Sector-specific threat campaigns
  • Recommended protective measures and countermeasures

Your CTI function must actively monitor these advisories and integrate them into your risk assessment processes. Identifying cyber threats isn’t optional; the regulations mandate it, and FSRA advisories provide authoritative intelligence on threats relevant to ADGM financial institutions.

Implementing an Effective CTI Function

To meet GEN 3.5 requirements and leverage FSRA advisories effectively, your CTI function should:

Establish Monitoring Processes: Designate personnel responsible for monitoring FSRA’s cybercrime prevention portal and subscribing to advisory notifications. These advisories often contain time-sensitive information requiring immediate action.

Integrate Intelligence into Risk Assessments: When conducting your annual cyber risk assessment, incorporate threat intelligence from FSRA advisories. If FSRA warns about ransomware targeting specific financial services platforms you use, that threat should inform your risk evaluation and control priorities.

Translate Intelligence into Action: Create procedures for rapidly translating FSRA advisories into protective measures. If an advisory warns about a critical vulnerability in widely-used software, your change management process and vulnerability management process must enable swift patching.

Participate in Information Sharing: FSRA encourages participation in industry forums for intelligence sharing. Consider joining sector-specific Information Sharing and Analysis Centers (ISACs) and contributing anonymized threat data that could benefit the broader financial community.

Document CTI Activities: Maintain records of which advisories you received, how you assessed their relevance to your operations, what actions you took in response, and how you validated the effectiveness of those actions. This documentation demonstrates your proactive threat management approach during regulatory examinations.

CTI and Board Reporting

Your board cyber risk reports should include summaries of relevant threat intelligence. When FSRA issues advisories about threats to your sector, brief your board on the specific threat, your exposure, and your mitigation measures. This demonstrates the board’s informed oversight of cyber risk.

Third-Party Risk Takes Priority

The rules place significant emphasis on managing cyber risks from outside providers. If you use cloud services, outsource IT functions, or rely on software vendors, you remain fully responsible for the security of those arrangements.

Your obligations include:

Due diligence: Before engaging any ICT service provider, verify they meet appropriate cybersecurity standards. Don’t just accept marketing claims; ask for evidence.

Contracts: Put security requirements in writing. Require vendors to notify you about cyber incidents affecting your data or systems. Obligate them to cooperate when remediating security problems. Reserve the right to verify ongoing compliance with security standards.

Supervision: Monitor your vendors continuously. Review their control environments regularly through audits, certifications, or other means. The frequency should match how critical the service is and how sensitive the data involved is.

Subcontractors: Be aware of who your vendors use as subcontractors. Understand what services those subcontractors perform. Ensure appropriate controls extend down the entire supply chain.

The 24-Hour Incident Notification Rule (GEN 3.5.18)

Material cyber incidents must be reported to FSRA within 24 hours of detection under GEN 3.5.18. This timeline includes weekends and holidays; there’s no exemption based on when an incident occurs.

What makes an incident material? Consider these factors:

  • Does it seriously affect customer information?
  • Could it create material risk to client assets?
  • Has it severely impacted your operations?
  • Does it materially affect services you provide to customers?
  • Might it lead to significant financial loss?
  • Could it damage your reputation?
  • Did someone gain unauthorized access to critical systems, revealing weakness in your controls?

If you’re uncertain whether an incident crosses the materiality threshold, FSRA expects you to report it. Better to over-report than miss the deadline for something that turns out to be significant.

Preparing for the January 31, 2026 Deadline

With the compliance deadline approaching, financial institutions need structured implementation plans. Here’s how to prepare:

Months 1-3: Gap Analysis and Planning

Begin with comprehensive assessment of your current state against GEN 3.5 requirements:

  • Document all technology systems, applications, data stores, and third-party technology services
  • Compare existing cybersecurity policies against GEN 3.5 requirements
  • Assess technical security controls—firewalls, encryption, access controls, malware protection, monitoring tools
  • Evaluate governance structures and board cyber risk reporting
  • Review technology vendor contracts for required security terms
  • Assess monitoring capabilities and testing practices
  • Evaluate incident response plans against GEN 3.5.16 requirements
  • Review staff cybersecurity training programs

Document all gaps in a prioritized remediation plan based on risk and implementation complexity.

Months 4-6: Framework Development

Develop your written Cyber Risk Management Framework:

  • Create the master framework document explaining your approach to cyber risk management and how it integrates with overall risk management
  • Develop or update required policies covering access management, change management, vulnerability management, encryption, physical security, third-party management, incident response, and training
  • Create detailed procedures supporting each policy
  • Document governance roles and responsibilities regarding cyber risk
  • Establish your risk assessment methodology
  • Set up your CTI function with procedures for monitoring and acting on FSRA advisories

Understanding cyber risk management frameworks provides detailed guidance on structuring comprehensive policies that meet regulatory expectations while remaining practical.

Present your completed framework to the board for formal approval, documenting their questions, your responses, and their approval decision.

Months 7-9: Technical Implementation

Deploy required technical controls:

  • Install and configure network security devices at appropriate boundaries
  • Implement identity and access management systems enforcing least privilege and supporting multi-factor authentication
  • Deploy encryption for data at rest and in transit
  • Ensure comprehensive anti-malware coverage with centralized management
  • Implement vulnerability management tools and processes
  • Deploy security information and event management (SIEM) systems
  • Verify robust backup systems protecting against ransomware

Cyber risk management solutions help organizations implement technical controls efficiently through integrated platforms addressing multiple GEN 3.5 requirements simultaneously.

Months 10-12: Testing and Validation

Validate that everything works as intended:

  • Conduct comprehensive testing of security controls, including vulnerability assessments of internet-facing systems
  • Engage qualified third parties for penetration testing
  • Conduct full-scale incident response exercises
  • Review whether new processes are followed consistently
  • Verify all required documentation exists and is accessible
  • Address any issues identified through testing before the deadline

Beyond January 31, 2026: Ongoing Compliance

After the initial compliance deadline:

  • Maintain continuous monitoring of security controls
  • Conduct annual testing of internet-facing systems per GEN 3.5.14
  • Review your entire framework annually and after significant changes
  • Follow incident response procedures when incidents occur
  • Deliver annual training to all relevant staff
  • Submit required notifications to FSRA for material incidents
  • Monitor and act on FSRA cybersecurity advisories promptly

The Cost of Non-Compliance

Missing the January 31, 2026 deadline or failing to maintain adequate cyber risk management under GEN 3.5 carries significant consequences:

Regulatory Enforcement: FSRA has broad enforcement powers including fines, license restrictions, or license withdrawal for firms failing to meet requirements.

Operational Risk: Without proper cyber risk management, you face increased likelihood of successful cyber attacks disrupting operations, compromising customer data, or causing financial losses.

Reputational Damage: Cyber incidents at firms with inadequate controls can severely damage reputation with customers, partners, and regulators.

Competitive Disadvantage: As cybersecurity becomes a differentiator in financial services, firms with weak programs will struggle to attract and retain customers.

Conclusion

The January 31, 2026 deadline is firm. Firms waiting until late 2025 to begin will struggle to implement comprehensive programs in time. Those starting now can implement thoughtfully, building robust cyber risk management capabilities that protect their operations and customers while meeting GEN 3.5 requirements.

FSRA’s cyber risk framework represents a maturation of financial services regulation, recognizing that cybersecurity is foundational to operational resilience and customer protection. Firms embracing these requirements as opportunities to strengthen their defenses—while integrating with FSRA’s threat intelligence ecosystem—will be better positioned for long-term success in an increasingly digital financial sector.
