Cybersecurity and its growing role in the DIFC’s financial ecosystem: Implications for insurers

Cybersecurity is central to the Dubai Financial Services Authority’s (“DFSA”) mission to safeguard the financial ecosystem within the Dubai International Financial Centre (“DIFC”). In line with this commitment, the DFSA recently announced the publication of its 2024 Cyber Thematic Review (“CTR”), which provides an in-depth analysis of the cybersecurity maturity levels across authorised firms, authorised market institutions and registered auditors (“Firms”) operating within the DIFC.

The CTR serves multiple purposes: assessing the maturity of Firms’ cyber risk management frameworks, evaluating compliance with the DFSA’s rulebook (“Rules”) focusing specifically on cybersecurity risk management, and measuring progress since the 2022 Cyber Thematic Review (“2022 CTR”). The findings highlight the growing importance of cybersecurity maturity, not only for Firms within the DIFC, but also for the broader risk environment affecting insurers in the region.

In the announcement, the DFSA has reported strong compliance with baseline best practices, resilience requirements and governance across the sector. On average, Firms have implemented 90% of the essential best practices outlined in the Rules, demonstrating significant progress in strengthening their cyber defences. This increase in cybersecurity maturity offers insurers a clearer picture of operational stability, reducing the perceived risk of underwriting cyber policies within the DIFC.

In addition to best practices, the CTR emphasises the importance of resilience programs, which include continuous monitoring, advanced detection capabilities, and robust incident response testing. These measures are designed to help Firms prevent, withstand, and recover from cybersecurity incidents. Despite improvements, the implementation of resilience requirements remains at approximately 80%, suggesting that some vulnerabilities remain. For insurers, this underscores the need to track these remaining weaknesses and potentially tailor policies to address specific areas of risk.

Governance practices, which ensure accountability, transparency, and compliance, are another area of focus in the CTR. On average, 80-90% of Firms have implemented the governance best practices mandated by the Rules. This signals a strong commitment to managing cyber risks responsibly, ensuring that Firms are not only aware of their obligations but are also actively adhering to them. For insurers, this could mean a more stable underwriting environment, with clear governance structures supporting more predictable risk assessments.

In the coming years, the market for cyber insurance in the DIFC and the broader region is expected to grow. The CTR indicates significant strides in cybersecurity maturity within the DIFC, but it also highlights areas where progress is still needed. The evolving cyber risk landscape will likely lead insurers to refine their offering, balancing risk mitigation with regulatory compliance. Insurers must be prepared to address the remaining vulnerabilities in their underwriting process.