An In-Depth Look Into the ADGM’s New Cyber Risk Management Framework
Recent global data shows that financial firms were targeted in about 27% of all industry data breaches in 2023, more than any other sector. One cybersecurity survey also found that financial services organizations experienced up to 300 times more cyberattacks per year than non-financial industries.
The rising incidence of unauthorized data intrusions and malicious phishing attempts is the primary reason why regulators in major global financial centres have increased regulatory expectations for cyber preparedness and governance.
Following suit, on 29 July 2025, the Abu Dhabi Global Market (ADGM) Financial Services Regulatory Authority (FSRA) published its new Cyber Risk Management Framework (CRMF) as a formal part of the FSRA Rulebook for all regulated firms.
The new rules take effect on 31 January 2026 and are intended to raise the baseline for how financial organizations govern and manage cyber risk in a world where digital threats are frequent, sophisticated, and costly.
Why the FSRA Introduced the New Cyber Risk Rules
The updated cyber risk rules are the result of detailed feedback received during the consultation process for Consultation Paper No. 3 of 2025.
The feedback identified a common concern across the industry: cyber risks are rising faster than many firms are prepared for. In response, the FSRA has taken steps that reflect the UAE’s broader push to improve cyber resilience across the financial sector.
The approach also aligns with what regulators in other financial centres are doing. Initiatives such as the EU’s Digital Operational Resilience Act and recent updates from the Dubai Financial Services Authority show a shared view that cyber risk needs clearer rules and more consistent oversight.
During the consultation, regulators noted that firms operate at very different levels of cyber readiness. When some firms lag behind, the impact is rarely contained. Weak controls at one organization can create exposure for others in an increasingly connected financial system. By setting a clear minimum standard, the FSRA is aiming to reduce these gaps and create a more resilient environment for all participants.
Who the New Rules Apply To
The new CRMF applies to a broad range of entities operating in the ADGM rather than a limited subset of firms.
Within its ambit are:
- Authorized Persons, which covers most regulated financial firms in ADGM, including banks, insurers, and investment firms that carry out regulated financial activities
- Recognized Bodies, such as investment exchanges and clearing houses that are approved by the FSRA to operate within ADGM
Definitions And Scope Under the Framework
The framework defines cyber risk in terms of both the likelihood of a cyber incident occurring and the potential impact if it does. This means firms are expected to look beyond prevention alone and think about how they would limit damage and recover if an incident were to occur.
A cyber incident is defined as any incident arising from the use of information or communication technology that negatively affects a firm’s technology assets or the information it processes, stores, or transmits.
There is no minimum threshold for what qualifies as a cyber incident. Firms are expected to consider a wide range of scenarios, regardless of scale or immediate impact, when designing controls and response plans. (The 24-hour regulatory notification requirement discussed below applies only to material incidents; the risk management obligations extend to incidents of any size.)
The framework also adopts a wide view of what counts as ICT assets:
- Data, systems, and applications used in day-to-day operations
- Technology infrastructure such as networks and servers
- Tools and platforms provided by third-party service providers
Framework Requirements
Governance And Accountability
A defining feature of the CRMF is its strong emphasis on governance. Responsibility for cyber risk does not rest solely with IT or security teams. Instead, the framework makes it clear that boards and senior management are equally accountable for ensuring effective cyber risk management.
Moreover, firms are required to maintain a documented CRMF that is approved by the governing body and integrated into the broader enterprise risk management structure. Senior management must remain informed of evolving cyber threats, oversee the implementation of controls, and ensure that sufficient resources and expertise are allocated.
Key questions firms should ask
- Have we created a written framework that covers all cyber risk-related activities?
- Has our board reviewed and approved this framework?
- Is cyber risk documented and discussed alongside other enterprise risks?
Asset Register And Risk Assessment
Another key requirement under the CRMF is the need for firms to maintain a comprehensive inventory of ICT assets. All hardware, software, data repositories, cloud environments, network devices, legacy systems, and any tools, whether owned internally or provided by service providers, must be accounted for.
Assets must be classified based on their criticality to business operations. This classification forms the foundation for risk assessments, control design, and incident response planning. Firms are expected to conduct regular cyber risk assessments that evaluate both the likelihood and potential impact of cyber events, taking into account internal vulnerabilities and external threat landscapes.
Key questions firms should ask
- Have we identified and documented all ICT assets relevant to business operations?
- Are critical systems clearly defined and classified by risk level?
- Are cyber risk assessments updated annually or whenever major changes occur?
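To make the inventory and assessment steps concrete, here is an added example of a minimal ICT asset register with criticality classification, likelihood-by-impact risk scoring, a completeness check, and an annual or change-triggered reassessment test. It is illustrative code written for this article, not an FSRA artefact or a Paragon tool; the 1 to 5 scales, the tier cut-offs, the 365-day cadence, the reference date and the sample assets are all assumptions.

```python
"""Illustrative ICT asset register with criticality classification and
likelihood-by-impact risk scoring. Example code added for this article,
not an FSRA artefact; scales, tiers, cadence and sample data are assumed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    category: str               # hardware, software, data, cloud, network, legacy
    owner: str                  # accountable internal owner
    provider: Optional[str]     # third-party service provider, if externally supplied
    criticality: int            # 1 (peripheral) .. 5 (underpins a critical business function)
    likelihood: int             # 1..5, from internal vulnerabilities and the external threat landscape
    impact: int                 # 1..5, consequence for operations, clients or data if compromised
    last_assessed: date
    major_change_since: bool = False   # e.g. migration, re-platforming, change of provider


def criticality_class(asset: Asset) -> str:
    """Classify the asset for control design and incident response planning (assumed tiers)."""
    if asset.criticality >= 4:
        return "critical"
    if asset.criticality == 3:
        return "important"
    return "standard"


def risk_score(asset: Asset) -> int:
    """Likelihood x impact, the two dimensions the framework asks firms to weigh."""
    return asset.likelihood * asset.impact


def risk_tier(score: int) -> str:
    """Assumed banding of the 1..25 score; a firm sets its own appetite thresholds."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assessment_overdue(asset: Asset, today: date, max_age_days: int = 365) -> bool:
    """Re-assess at least annually, or immediately after a major change."""
    return asset.major_change_since or (today - asset.last_assessed).days > max_age_days


def register_gaps(assets: list) -> list:
    """Completeness checks: every asset, internal or provider-supplied, needs an
    accountable owner and a valid rating on each scale."""
    gaps = []
    for a in assets:
        if not a.owner.strip():
            gaps.append(f"{a.name}: no accountable owner")
        for label, value in (("criticality", a.criticality),
                             ("likelihood", a.likelihood), ("impact", a.impact)):
            if not 1 <= value <= 5:
                gaps.append(f"{a.name}: {label} {value} outside 1..5")
    return gaps


def review_queue(assets: list, today: date) -> list:
    """Order the register for the risk committee: overdue assessments first, then by
    risk score, then by criticality. Returns (name, class, tier, overdue) tuples."""
    ordered = sorted(
        assets,
        key=lambda a: (not assessment_overdue(a, today), -risk_score(a), -a.criticality),
    )
    return [(a.name, criticality_class(a), risk_tier(risk_score(a)),
             assessment_overdue(a, today)) for a in ordered]


# Constructed sample register: fictional assets, reference date assumed.
TODAY = date(2026, 1, 31)
SAMPLE_REGISTER = [
    Asset("core-banking-db", "data", "Payments Ops", None, 5, 3, 5, date(2025, 3, 1)),
    Asset("client-portal", "cloud", "Digital", "example-cloud-host", 4, 4, 4,
          date(2025, 11, 15), major_change_since=True),
    Asset("hr-system", "software", "People", "example-saas-vendor", 2, 2, 3, date(2025, 9, 1)),
    Asset("branch-wifi", "network", "", None, 1, 3, 1, date(2024, 12, 1)),
]

if __name__ == "__main__":
    for issue in register_gaps(SAMPLE_REGISTER):
        print("GAP:", issue)
    for row in review_queue(SAMPLE_REGISTER, TODAY):
        print(row)
```

Run as a script, the register flags the asset with no accountable owner, and the review queue puts the recently re-platformed client portal and the long-unassessed branch network ahead of the higher-criticality core database whose assessment is still within the year. Provider-supplied assets are deliberately scored on the same scales as internal ones, since the framework brings third-party tools within scope of the inventory.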
Preventive And Detective Controls
Once assets are identified, firms must put in place controls to protect systems and data. The regulation does not prescribe specific products, but it requires that controls be appropriate and effective for the firm’s risk profile.
A few common examples of controls are:
- Access management and authentication systems
- Encryption for critical data
- Secure configuration and patch routines
- Event monitoring and detection tools
Key questions firms should ask
- Have we implemented controls that match our risk profile?
- Is there evidence of regular testing for vulnerabilities?
- Do we track and act on indicators of compromise?
Controls should be tested regularly to confirm they function as expected. Testing should also be proportionate to the firm's size, operational complexity, risk exposure, and the importance of the systems and data being protected, with outcomes and remediation actions clearly documented. Firms must be able to demonstrate not just that controls exist but that they perform as intended.
Third-Party And Outsourcing Risk
Given the extensive use of external ICT and cloud service providers across the financial sector, the CRMF places particular emphasis on third-party risk management.
Firms must conduct due diligence before engaging ICT service providers, understand where data is stored and processed, and ensure that contractual arrangements include appropriate security, audit, and incident notification provisions.
Oversight does not end at onboarding. Continuous monitoring of service providers and their subcontractors is necessary, especially where services support critical or important business functions. Contracts must define security requirements, escalation procedures, audit rights, and notification timelines in the event of a breach. Firms also need to consider how subcontractors are vetted when primary vendors rely on them.
Key questions firms should ask
- Do we understand which third parties access or process our critical systems or data?
- Are cyber security obligations and performance standards clearly written into vendor contracts?
- Do we regularly review third-party performance and compliance with agreed security terms?
Monitoring, Testing And Reporting
The FSRA framework requires firms to implement workflows to detect potential cyber events, assess whether controls are operating as intended, and respond effectively when incidents occur.
These workflows typically comprise:
- Continuous monitoring to identify unusual or suspicious activity across systems and networks in a timely manner
- Event logging to record, retain, and review security-relevant actions, alerts, and system events for investigation and audit purposes
- Periodic penetration testing or simulation exercises to evaluate how systems, controls, and incident response processes perform under realistic threat scenarios
Key questions firms should ask
- Is there a structured process for monitoring unusual activity or security events?
- Have we conducted penetration tests or scenario exercises in the last 12 months?
- Does our reporting process ensure key risk indicators reach senior leadership?
Incident Response And Regulatory Notification
Alongside the above risk detection and testing measures, firms must maintain a documented incident response and recovery plan, with defined escalation paths, communication protocols, and recovery objectives.
Testing these plans is essential as well. Table-top exercises, simulations, and post-incident reviews help ensure that roles are understood and that response measures remain effective under real-world conditions.
Importantly, the framework mandates that material cyber incidents must be reported to the FSRA within 24 hours of discovery. This requirement reinforces the need for strong detection capabilities and internal escalation processes.
Key questions firms should ask
- Is there a documented cyber incident response process in place?
- Have response procedures been tested against realistic scenarios?
- Can we detect, classify, and escalate incidents quickly enough to meet the 24-hour reporting requirement?
Training And Awareness
Cyber risk is a challenge for people as much as systems. Firms are required to provide role-based awareness and training programmes so staff understand their responsibilities and typical threat vectors.
Key questions firms should ask
- Do all employees receive basic cyber awareness training?
- Do staff with privileged access or responsibility receive specialized training?
- Are training programmes updated based on current trends and incidents?
Ongoing training helps ensure that personnel across the organization understand not only cyber risks but also how their own behaviour influences the firm's risk exposure.
Work With Paragon Consulting Partners
Preparing for the ADGM FSRA cyber regulatory changes can involve complex decisions around governance, documentation and technical controls.
Paragon Consulting Partners helps firms understand where they stand today and what they need to achieve by the deadline.
We’ll work with your team to translate regulatory requirements into practical, tailored solutions. Whether your firm is early in its compliance journey or refining existing processes, we’ll provide a clear pathway toward regulatory readiness and operational resilience.