ADGM’s FSRA strengthens cyber risk management framework

New ADGM framework embeds cyber risk into enterprise governance, tightens third-party oversight, and standardises incident reporting


On 29 July, the Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) announced an updated Cyber Risk Management Framework, a decisive step in aligning digital resilience with overall enterprise risk management. The revision reflects the regulator’s intent to move cybersecurity out of the IT silo and into the core of financial governance.

At its heart, the framework mandates that cyber risk be treated not as a standalone technical issue but as an integrated component of firms’ broader risk architecture. Boards and executive teams are now expected to demonstrate clear ownership of cyber resilience, defining risk appetite, approving policies, and ensuring that cyber threats are addressed within their overall risk frameworks. This marks a cultural shift: cybersecurity is no longer delegated downwards but embedded across governance, compliance and operational lines.

A second key enhancement targets third-party and IT service provider oversight. Firms must now implement more rigorous due diligence and continuous monitoring of outsourcing and vendor arrangements, recognising that systemic vulnerabilities often lie beyond the firm’s perimeter. The FSRA framework emphasises the need to assess service providers’ own controls and incident response capabilities, particularly where cloud or managed security services are involved.

Equally significant is the overhaul of incident reporting. Updated templates standardise how regulated entities must report cyber incidents, improving the consistency and quality of data reaching the FSRA. This will enable faster supervisory insight into emerging threat patterns and sector-wide vulnerabilities. The change moves firms toward proactive engagement, reporting not only after breaches but also when near misses reveal systemic risk.

Together, these updates strengthen the FSRA’s cyber supervisory toolkit and signal a maturing of the ADGM market. For firms, they raise expectations around documentation, board literacy and evidence of operational resilience testing. For service providers, they invite deeper scrutiny and alignment with FSRA standards.

Cyber resilience in ADGM has evolved from a compliance exercise to a strategic discipline. With this update, the FSRA has made its position clear: managing cyber risk is integral to managing business risk. Firms that integrate it well will not only meet the rules; they will also be better placed to withstand what the next wave of digital disruption brings.

 



Mohammad Hammoudeh

Information Security Specialist

Mohammad is one of Penta's main Information Security Specialists. It is his role to keep our clients secure from cyber threats. He works closely with customers to assess their current security set-up, establish a thorough risk management system and ensure that risk treatment plans are implemented correctly. Along with his team, he constantly monitors threat levels and ensures that our clients are fully protected.
