Cyber Risk Thematic Review 2024-Draft


3/4/24, 2:43 PM Cyber Risk Thematic Review 2024

1. Introduction 2. General 3. Governance 4. Hygiene and resilience 5. Declaration

Cyber Risk Thematic Review 2024


Submission details

Firm Name: ASCA Capital Limited


DFSA Authorised Firm number: F007537

Name of person making the submission: Sameer Ahmed Magami


Position: Compliance Officer
Email address: sameer.magami@unitasadvisory.com
Contact telephone number: +97143207322

_____________________________________________________________________________________________________________________________________________

1. Introduction
Background:

In line with its regulatory objectives, the Dubai Financial Services Authority (DFSA) is carrying out the Cyber Risk Thematic Review 2024 (Review). The Review is designed to assist in determining:

• the current maturity level of Authorised Firms’, Authorised Market Institutions’ and Registered Auditors’ (collectively referred to as “Firms”) cyber risk management frameworks;

• the compliance of Firms’ cyber risk management practices with the DFSA Cyber Risk Management Rules; and

• the growth in maturity following the DFSA Cyber Thematic Review 2022.

The Review will be conducted via an online questionnaire consisting mainly of multiple-choice questions that seek high-level information on each Firm’s cybersecurity practices.

The deadline for Firms to submit responses is 08 March 2024. We may also select certain Firms to obtain additional information.

The DFSA will communicate its key findings to all Firms following the Review.

Important notes:

1. Defined terms in this questionnaire are identified by the capitalisation of the first letter in a word or of each word in a phrase. These terms are defined either in the “Glossary” below or in the Glossary module (GLO).

2. All questions must be answered completely and accurately. Some questions can be answered as “N/A”; however, this should be in exceptional cases only, for example where the question is not relevant to the Firm (e.g. the question refers to a Group and the Firm is not part of a Group).

3. Abbreviations and acronyms should be defined at first mention and used consistently thereafter.

4. You will be logged out of the questionnaire after an extended period of inactivity. Please save your responses periodically to ensure you do not lose any information.

5. Please retain a copy of the completed form and any attachments for the Firm's records. The DFSA recommends saving as MHTML rather than PDF.

6. Upon completion of the questionnaire, a person validly appointed and duly authorised to complete the questionnaire must read and sign the declarations in section 6. These declarations include, but are not limited to, confirmations that due enquiry has been made, that the information included in the responses is complete and correct, and that you understand the consequences of providing the DFSA with any information which is false, misleading or deceptive, or of concealing information where the concealment of such information is likely to mislead or deceive the DFSA.

7. Please direct any questions to cyberthematicreview@dfsa.ae.

Glossary

Access Control: Means to ensure that access to assets is authorised and restricted based on the ‘least privilege’ and ‘need to know’ principles.

Administrative Account: In regard to an Information System, any user account that has full privileges and unrestricted access to that Information System.

Application Programming Interface (API): A set of rules and specifications for software programs to communicate with each other that forms an interface between different programs to facilitate their interaction.

Artificial Intelligence (AI): The theory and development of computer systems able to perform tasks that traditionally use human intelligence.

Big Data Analytics: Using advanced analytics techniques in relation to a large volume of Data, generated by any means and stored in a digital format.

Biometrics: Automated recognition of individuals based on their biological and behavioural characteristics. It covers a variety of technologies in which unique, identifiable attributes of people are used for identification and authentication. These include, but are not limited to, a person’s fingerprint, iris print, hand, face, voice, gait or signature, which can be used to validate the identity of individuals.

Cyber Event: Any observable occurrence in an Information System. Cyber Events sometimes provide indication that a Cyber Incident is occurring.

Cyber Incident: An incident arising from the malicious use of information or communication technology that adversely affects an Authorised Person’s ICT Assets.

Cyber Incident Response Plan: A predetermined set of instructions or procedures providing for measures to be taken by the Authorised Person to respond to and limit consequences of a Cyber Incident.

Cybersecurity: Preservation of confidentiality, integrity and availability of information and/or Information Systems through the cyber medium. In addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.

Disaster Recovery Plan (DRP): Documented process or set of procedures to execute a Firm's disaster recovery processes in relation to Information Systems and recover and protect the IT infrastructure in the event of a disaster.

Distributed Ledger Technology (DLT): Processes and related technologies that enable Nodes in a network (or arrangement) to securely propose, validate, agree and record state changes (or updates) to a synchronised ledger that is distributed across the network’s Nodes. Blockchain is a type of DLT which stores and transmits Data in packages called “blocks” that are connected to each other in a digital ‘chain’.

Firm: The DIFC office of an Authorised Person.

Information System: The combination of hardware, software and telecommunication networks used to collect, process, manage and store electronic information. The system supports a firm’s operations and processes business activities.

Material Cyber Incident: A Cyber Incident is considered a Material Cyber Incident if it causes any of the following losses:

• impact to client data and/or client assets;

• leakage of sensitive information;

• disruption to critical business function(s) / critical Information System(s);

• significant operational impact to internal users that is material to clients or business operations;

• material financial loss;

• where it is believed the root cause of the incident, and/or the incident itself, may impact external stakeholders such that there is concern of systemic risk to the DIFC, Dubai and/or the United Arab Emirates;

• negative reputational impact is imminent (e.g. public/media disclosure).

Multi-Factor Authentication: The use of two or more of the following factors to verify a user’s identity:

• knowledge factor, “something an individual knows”;

• possession factor, “something an individual has”;

• biometric factor, “something that is a biological and behavioural characteristic of an individual”.

Penetration Testing: A test methodology in which assessors, using all available documentation (e.g. system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an Information System.

Security Patch: In regard to an Information System, an update that can be applied to the Information System to address a Vulnerability.

Vulnerability: Any weakness, susceptibility or flaw of the Information System that can be exploited, including but not limited to by allowing an unauthorised person to access the Information System, or to compromise the security configuration settings of the Information System.

Vulnerability Assessment: Systematic examination of an Information System, and its controls and processes, to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures and confirm the adequacy of such measures after implementation.

_____________________________________________________________________________________________________________________________________________

I, Sameer Ahmed Magami, confirm that I have carefully read and understood the instructions displayed above. I further understand that the DFSA can take regulatory
action if the above instructions are not followed.

Yes
No



2. General

1. Please indicate the number of Material Cyber Incidents identified by the Firm in the past 12 months.
0
1–3
4–9
10 and more
The Firm does not have Cyber Incident identification capabilities

2. Does the Firm or a Group / Parent entity subscribe to any Cybersecurity threat intelligence platform(s)?
Yes
No

Please select the name of the platform (select more than one answer if applicable).
DFSA TIP
UAE Banking Federation Tasharuk
FS-ISAC
Other (please provide the name of the platform)

3. Please indicate the Firm's reliance on IT systems for the conduct of its business operations:
Minimal or no reliance on IT systems and technology
Medium level reliance on IT systems and technology
Full reliance on IT systems and technology

4. Please indicate all options that are relevant to the Firm's IT environment:
The Firm uses off-the-shelf software and simple IT systems
The Firm uses vendor-provided information systems with infrequent or minimal customisation by the Firm.
The Firm uses in-house information systems which are developed and maintained internally.
Other (please specify)

5. Is any client data stored on a cloud?


Yes
No

Please indicate the cloud service provider (select more than one answer if applicable).
Amazon Web Services
Dropbox
Google (Google Cloud Platform, Google Workspace)
Microsoft (Azure, OneDrive, Office 365)
Salesforce Cloud
Private cloud (managed by the Firm, Group or Parent)
Other (please specify)

6. Does the Firm use enabling technology (e.g. Artificial Intelligence, biometrics, DLT, etc.) in delivering its products or services?
Yes
No

7. Please make a selection below to indicate the Firm’s online presence:


No internet-facing applications
Serves as an informational website or social media
Internet-facing applications that enable clients to receive a range of financial services
Other (please specify)

8. Please make a selection below to indicate the Firm’s mobile presence in delivering its services to clients:
No Mobile presence
SMS text alerts or notices; Browser-based access
Mobile applications that enable clients to receive a range of financial services (e.g. Mobile Banking Application)
Other (please specify)



3. Governance

9. Does the Firm have a written information security policy in place approved by the Firm’s management?
Yes
No
Other (please specify)

10. Has the information security policy been communicated to employees and operationalised?
Yes
No
Other (please specify)

11. Has the Firm defined roles and responsibilities for individuals and bodies involved in cyber risk management during business-as-usual operations, including accountability for decision making?
Yes
No
Other (please specify)

12. Has the Firm defined roles and responsibilities for individuals and bodies involved in cyber risk management during emergencies and in crisis situations, including accountability for decision making?
Yes
No
Other (please specify)

13. Have cyber risks related to the Firm and its business activities been formally identified and assessed?
Yes
No
Other (please specify)

14. Please indicate the frequency of Cybersecurity oversight activities.

Frequency options for each activity: Not performed; Annually / semi-annually; Quarterly / monthly; Weekly; Daily; N/A.

Activities:

• The Firm’s Governing Body receives information on cyber risks and relevant mitigating controls
• The Firm’s Governing Body receives management reports on identified Cyber Incidents
• The Firm’s Governing Body receives management reports on Cybersecurity audits, reviews and tests
• Group / Parent company is informed about cyber risks relevant to the Firm and mitigating controls
• Group / Parent company receives management reports on identified Cyber Incidents affecting the Firm
• Group / Parent company is informed about results of Cybersecurity audits, reviews and tests relevant to the Firm
• The Firm’s senior management assesses cyber risks and related mitigating controls
• The Firm’s senior management reviews reports on identified Cyber Incidents
• The Firm’s senior management reviews results of Cybersecurity audits, reviews and tests
• The Firm’s senior management reviews test results of third-party service provider(s)’ adherence to the Firm’s cybersecurity requirements
• The Firm’s senior management reviews summary(ies) / results of cyber awareness campaigns and trainings
• The Firm’s senior management receives regular briefings on cyber issues
• The Firm’s senior management plans / adjusts cybersecurity-related funding and resources

a. Please provide additional comments below [optional].

15. Does the Firm have a due diligence process to ensure that third-party service providers (TPSP) meet Cybersecurity requirements, as defined by the Firm, before that TPSP can access the Firm’s data or Information Systems?
Yes
No
Other (please specify)

16. Does the Firm include Cybersecurity requirements in agreements with TPSPs?
Yes
No
Other (please specify)

17. Does the Firm include cyber incident notification requirements in agreements with TPSPs to ensure that TPSPs notify the Firm, in a timely manner, about any Cyber Incidents related to the Firm’s Information Systems and data?
Yes
No
Other (please specify)

18. Does the Firm periodically verify TPSPs’ compliance with the Firm’s Cybersecurity requirements?
Yes
No
Other (please specify)

19. Does the Firm identify and classify IT assets (hardware and software) based on their criticality and sensitivity?
Yes
No
Other (please specify)



4. Hygiene and resilience

20. Please indicate the status of implementation of the following controls.

Implementation status options for each control: Fully implemented; Substantially implemented (>80% of IT systems/users/locations); Partially implemented (<80% of IT systems/users/locations); Not implemented.

Controls:

• Strong passwords
• Multifactor Authentication for external access (e.g. VPN, webmail, etc.)
• Anti-malware software installed on workstations
• Anti-malware software installed on servers
• Controls to ensure that all new user accounts and their access rights must be approved by an appropriate person
• Controls to ensure that all changes to existing user accounts and their access rights must be approved by an appropriate person
• Controls to ensure that third-party access to the Firm’s Information Systems must be approved by an appropriate person
• Controls to ensure that access rights of employees or third-party users are removed upon termination of their employment, contract or agreement
• Restrictions to limit access to Administrative Accounts to IT personnel only
• Physical Access Controls to limit access to the office to employees and authorised guests
• Physical Access Controls to limit access to data centre(s) to authorised IT personnel only
• Controls to ensure that changes to Information Systems must be tested and approved by an appropriate person
• Information Systems production environments are segregated from development and testing environments
• Firewall at the Firm’s network perimeter to restrict unauthorised network traffic
• Intrusion prevention / detection system
• Data loss prevention system
• Security information and event management system (SIEM)
• Workstations’ hard drive encryption
• Encryption of data stored on portable devices
• Encryption of sensitive data transferred outside the Firm’s infrastructure
• Backup copies are made at a frequency corresponding to the criticality of data
• Controls to ensure that Security Patches are tested and deployed in a timely manner
• 24/7 identification and response capabilities for Cyber Incident management
• Disaster Recovery Plan (DRP)

a. Please provide additional comments below [optional].

21. How many times in the past 12 months have the following activities been performed?

Frequency options for each activity: 0; 1-2 times; 3-5 times; >5 times.

Activities:

• Review of the Firm’s IT / information security policy
• Review of the Firm’s IT asset inventory
• Review of user access privileges
• Review of Administrative Accounts
• Testing of IT controls performed by internal/external auditors
• Vulnerability Assessment
• Penetration Testing
• Testing of the Firm’s Cyber Incident Response Plan (e.g. table-top exercise, simulation)
• Testing of backup copy restoration processes
• Testing of the Firm’s Disaster Recovery Plan
• Cybersecurity training for employees
• Cybersecurity training for the Firm’s Governing Body

a. Please provide additional comments below [optional].

22. Has the Firm implemented a Cyber Incident Response Plan?


Yes
No

Please specify if the Cyber Incident Response Plan addresses the following:

Implementation status options for each element: Fully implemented; Substantially implemented (>80% of IT systems/users/locations); Partially implemented (<80% of IT systems/users/locations); Not implemented.

Elements:

• Procedures for detecting, monitoring, analysing and responding to Cyber Incidents
• Definitions of incident management roles and responsibilities
• An internal communication plan that includes communication protocols for key internal stakeholders (e.g. relevant business units, senior management, the Board)
• An external communication plan that includes communication protocols for key external stakeholders (e.g. clients, media, critical service providers, regulators, law enforcement)
• A disaster recovery plan and/or references to a disaster recovery plan
• Procedures for post-incident review
• Cyber Incident Response Plan periodic testing requirements

a. Please provide additional comments below [optional].


5. Declaration

Name: Sameer Ahmed Magami


Position: Compliance Officer/MLRO
Date reviewed:

I declare that, to the best of my knowledge and belief, having made due and careful enquiry, the information given in this form, including any supplementary or supporting information and attachments, is complete, current and correct.

I understand that it is a contravention under Article 66 of the Regulatory Law 2004 (as amended) to provide to the DFSA any information which is false, misleading or deceptive, or to conceal information where the concealment of such information is likely to mislead or deceive the DFSA.

For the purposes of complying with the DIFC Data Protection Law, DIFC Law No. 5 of 2020 (as amended), I understand that any Personal Data provided to the DFSA will be used to discharge its regulatory functions under the Regulatory Law 2004 and other relevant legislation and may be disclosed to third parties for those purposes.

I agree to provide to the DFSA more detailed information upon request. I consent to the DFSA contacting any professional organisation or any other body, authority or organisation to verify any of the information contained in this form.

I confirm that I have the legal capacity and authority to complete this form, to make these declarations as specified and to sign this form for and on behalf of the firm for which it is submitted. I also confirm that I have the authority to give any consent specified above, if applicable.

Signature


Mar 04, 2024

Please check if you want to upload a file (non electronic signature)
