Regulators in the UAE have been releasing regulations addressing cybersecurity and technology risks for over 10 years, but the last two years have seen a sudden increase in the number of regulations, many with an added stringent adherence clause. The list below shows just some of the regulations and initiatives enacted in the UAE between 2020 and 2022 that have an impact on banks and the BFSI sector.
- Federal Law No 15 of 2020 on Consumer Protection (Consumer Protection Law)
- Federal Decree Law No. 45 of 2021 on the Protection of Personal Data
- Central Bank UAE: Stored Value Facilities Regulation 2020
- DIFC and ADGM have recently enacted updated data protection regulations, in 2020 and 2021 respectively
- Central Bank of UAE (CBUAE), vide Circular No.15/2021 dated 06.06.2021, issued the Retail Payment Services and Card Schemes (RPSCS)
- Establishment of the UAE Cybersecurity Council in 2020 to develop a comprehensive cybersecurity strategy
With critical entities and organizations throughout the Middle East’s BFSI sector widely adopting newer technologies, regulators are pushing the release of more regulations, some of which may not be very clear or mature.
For example, in certain cases the Central Bank of the UAE requires banks to seek its approval for data stored outside the region. This may not be a sustainable model considering the changes that banks in the region are going through, such as some larger banks switching to cloud computing. It is likely that this approval process will be replaced with stronger and more mature regulations in the future, but for now this requirement from the Central Bank has introduced delays and uncertainty into DevOps cycles and is impacting agile working methodologies.
The manual-tracking issue
With most countries in the Middle East embarking on digitalization initiatives and new business propositions gaining popularity, organizations can expect more regulations to be rolled out. This could pose a challenge because businesses are already struggling to keep up with all these new regulations due to outdated approaches, such as manually tracking regulatory requirements using a spreadsheet-based repository.
Such manual approaches have several shortcomings:
Siloed and difficult to maintain
Spreadsheet-based repositories are generally built as a one-time effort by individual teams with limited access to, or communication with, each other. These registers are often ignored because manually tracking new regulations and updating the registers requires extensive effort.
Such repositories are generally built mainly to capture regulatory requirements, with little to no analysis of the applicability of the clauses or of the controls mapped to them.
Lack of visibility
If the applicable regulation registers are not regularly updated, or if access to them is limited, organizations and technology functions cannot know their true level of compliance with regulatory requirements, leaving them exposed both to attackers and to penalties from regulators.
Common noncompliance findings reported by internal audits are lack of adherence to regulations, use of outdated regulations, and lack of awareness of newly applicable regulations.
How to address this challenge
To keep up and remain compliant, organizations can no longer rely on manual regulatory monitoring; they need the support of a strong regulatory compliance program specific to technology and cybersecurity.
At a minimum, this program should:
- Continuously check for changes in the regulations
- Establish a mapping between the regulations and the organization's structures and controls
- Be easily accessible to teams and functions
- Clearly describe the requirements of each regulation
- Track timelines where applicable
To establish and maintain a program like this, organizations first need to build a robust, well-maintained regulatory repository, then embed those regulatory requirements into normal operations by linking them to the organization’s common control framework, as shown in the diagram below.