The ADGM’s New Cyber Risk Management Framework: A Closer Look

On July 29, 2025, the Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) announced amendments to its regulatory framework on cyber risk management, effective January 31, 2026.
The framework requires authorised persons (persons who are allowed to conduct financial activities under the General Rulebook of FSRA) to establish and maintain comprehensive cyber risk management systems.
Ronin Legal walks you through how to meet these new compliance obligations.
FRAMEWORK REQUIREMENTS
Governance and Framework Requirements
The cyber risk management framework must be documented and approved by the governing body, with systems and controls appropriate to the institution's size and complexity.
The governing body and senior management have ultimate responsibility for implementing the framework and must receive regular updates on global cyber threats and participate in cybersecurity training.
The framework must define clear roles and responsibilities for cybersecurity decision-making in both normal operations and crisis situations.
Institutions can meet this requirement by creating a RACI matrix that clearly identifies who is Responsible, Accountable, Consulted, and Informed for each cybersecurity decision. Alternatively, they can establish an incident command structure that designates specific decision-makers for different types and severity levels of cyber threats.
Third-Party Risk Management
Authorised persons must manage third-party cyber risks within their risk management framework. This includes conducting due diligence to select Information and Communication Technology (ICT) providers meeting cybersecurity standards and establishing appropriate contractual arrangements.
Compliance verification can be done through reviews of the provider's control environment, independent audit reports, or other suitable methods. Adequate controls over third-party providers' use of subcontractors are required.
TECHNICAL REQUIREMENTS
Asset Management and Assessment
Authorised persons must maintain a current inventory of ICT assets, classified by confidentiality and business criticality.
The inventory must detail each asset's location and purpose, including third-party ICT assets. ICT assets, critical operations, and supporting information must be protected based on priority, with assessments kept current.
Regular cyber risk assessments must:
· Identify threats from cyber incidents
· Assess resulting risks and control effectiveness
· Consider monitoring and testing outcomes to determine residual risk
· Analyse potential business impact
Protection Measures
Anti-malware software with regularly updated signature files must be maintained, automatically scanning ICT assets, incoming files, and storage media to detect and block malware, malicious email links, and harmful websites. Network security controls must protect network perimeters and enable timely detection of malicious activity.
Key protection concepts include:
Least Privilege Principle: Access rights limited to the minimum necessary for tasks and duration, applying to employees, customers, and third-party providers, with prompt revocation when no longer needed.
Privileged Access: Special security-related access rights must be restricted and assigned using separate credentials from regular activities.
Identity and Access Management (IAM): Robust IAM practices must include clear policies for granting, reviewing, and revoking access, with reviews detecting dormant, redundant, and unauthorised accounts.
In practice this can be achieved through periodic (for example quarterly) access reviews in which managers certify their team's access rights, combined with automated de-provisioning when employees change roles or leave, and with a scripted check that flags accounts no review should miss: dormant accounts, duplicate accounts for the same person, accounts whose owner is unknown to HR or has left, and privileged rights attached to a person's everyday credential.
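The following is an added illustration, not code from the original article, from Ronin Legal, or from the FSRA: a small access-review script of the kind an authorised person could run against an export of its directory and HR roster. The 90-day dormancy threshold, the account and roster records, the review date and the rule that a privileged user must also hold a separate everyday account are all assumptions made for the example; the framework itself prescribes none of these values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

DORMANCY_DAYS = 90  # assumed review threshold; the framework sets no number


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str            # HR identifier of the person the account belongs to
    privileged: bool
    last_login: Optional[date]


# Constructed sample data, not taken from any real system.
HR_ROSTER: Dict[str, str] = {
    "E100": "active",
    "E101": "active",
    "E102": "leaver",   # has left the firm; access should already be revoked
    "E103": "active",
}

REVIEW_DATE = date(2026, 1, 31)

ACCOUNTS: List[Account] = [
    Account("alice", "E100", False, date(2026, 1, 29)),
    Account("alice-adm", "E100", True, date(2026, 1, 28)),   # separate privileged credential: fine
    Account("bob", "E101", False, date(2025, 9, 1)),         # dormant, and a duplicate of bob2
    Account("bob2", "E101", False, date(2026, 1, 20)),
    Account("carol", "E102", False, date(2026, 1, 30)),      # leaver still logging in
    Account("svc-backup", "E999", True, None),               # owner unknown to HR, never used
    Account("dave", "E103", True, date(2026, 1, 30)),        # privileged rights on everyday account
]

Finding = Tuple[str, str, str]  # (username, category, detail)


def review_access(accounts: List[Account], roster: Dict[str, str],
                  today: date, dormancy_days: int = DORMANCY_DAYS) -> List[Finding]:
    """Return review findings in the categories the framework asks reviews to detect."""
    findings: List[Finding] = []
    by_owner: Dict[str, List[Account]] = {}

    for acct in accounts:
        by_owner.setdefault(acct.owner_id, []).append(acct)

        # Unauthorised: nobody in HR owns this account, or the owner has left.
        status = roster.get(acct.owner_id)
        if status is None:
            findings.append((acct.username, "unauthorised", "owner not in HR roster"))
        elif status != "active":
            findings.append((acct.username, "unauthorised", f"owner status is {status}"))

        # Dormant: never used, or unused for longer than the review threshold.
        if acct.last_login is None:
            findings.append((acct.username, "dormant", "never logged in"))
        elif (today - acct.last_login).days > dormancy_days:
            idle = (today - acct.last_login).days
            findings.append((acct.username, "dormant", f"unused for {idle} days"))

    for owner, accts in by_owner.items():
        regular = [a for a in accts if not a.privileged]
        privileged = [a for a in accts if a.privileged]

        # Redundant: more than one everyday account for the same person;
        # keep the most recently used one and flag the rest.
        if len(regular) > 1:
            regular.sort(key=lambda a: a.last_login or date.min, reverse=True)
            for dup in regular[1:]:
                findings.append((dup.username, "redundant",
                                 f"duplicate of {regular[0].username}"))

        # Privileged access must use a credential separate from daily work. Assumed rule:
        # an active user whose only account is privileged is doing daily work with it.
        if privileged and not regular and roster.get(owner) == "active":
            for p in privileged:
                findings.append((p.username, "privileged-on-everyday-credential",
                                 "no separate non-privileged account for this user"))
    return findings


if __name__ == "__main__":
    for username, category, detail in review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{username:12} {category:36} {detail}")
```

Each finding maps to a prompt action the framework expects: "unauthorised" and "dormant" accounts are disabled, "redundant" ones are merged, and a user flagged for privileged rights on an everyday credential is issued a distinct administrative account. Running the review on a schedule, and keeping its output, also gives the governing body the evidence that access reviews actually happen.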
Authentication and Encryption: Strong authentication methods must secure IT system access.
For example, financial institutions commonly implement multi-factor authentication for enhanced security. Multi-factor authentication, or protection of equivalent strength, is required for internet-facing systems and privileged accounts, and communications between users and systems must be encrypted.
Change and Software Management
A comprehensive change management process must assess cyber risks before, during, and after changes to IT systems or networks. All changes require testing and approval before implementation, and changes that remediate material cyber incidents or vulnerabilities must be implemented promptly.
Separate physical or logical environments for development, testing, and production must be maintained where required. If not feasible, task segregation must ensure that no single individual handles development, testing, and implementation of a change.
Software update management processes must identify and classify updates by criticality, ensure timely application, and prioritise critical updates. Vulnerability management processes should maintain current understanding of security vulnerabilities, potentially using automated scanning tools.
Data Protection and Access Control
Suitable encryption techniques must ensure information confidentiality and integrity at each stage, corresponding to information sensitivity. When exchanging sensitive data, secure methods such as encrypted communication channels or strong encryption with adequate key lengths must be used.
Physical access to data centres and server rooms must be restricted to individuals with legitimate business need, with formal approval processes and immediate revocation when justification ceases. Non-staff members require staff accompaniment, with all activities monitored and recorded.
OPERATIONAL REQUIREMENTS
Training and Awareness
Comprehensive cyber risk training programmes must ensure all relevant employees (with IT system/network access or cyber risk exposure) receive annual training, equipping them to detect and report cyber incidents while understanding specific responsibilities.
Monitoring and Testing
Continuous monitoring systems must assess cyber risk management effectiveness through comprehensive testing programmes for IT systems, networks, processes, and controls.
Regular resilience testing, prioritisation of adverse results, and regular reporting to senior management are required.
Testing methods may include:
· Vulnerability assessments - automated scans that identify security weaknesses such as outdated software versions, weak password policies, missing security patches, inadequate network segmentation, and exposed configuration files
· Scenario-based testing
· Penetration tests - simulated cyber-attacks to test real-world security defenses
· Bug bounty programmes
· Red team exercises
Incident Response
Continuous monitoring must detect cyber incidents and potential threats, with formal escalation processes for actual or suspected incidents. This includes regular reviews of system logs, warnings, errors, and security events to detect suspicious activities. All employees must understand their duty to promptly report incidents.
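As an added illustration of the "regular review of system logs" point, and not code from the article, from Ronin Legal or from the FSRA, the script below runs a simple detection over constructed SSH authentication log lines: it raises a medium-severity alert when one source address produces five or more failed logins inside a ten-minute window, and a high-severity alert, the kind that should go straight into the formal escalation process, when a successful login from that address follows the failures. The log format, the threshold and the window are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Assumed log format, modelled on OpenSSH syslog lines with an ISO timestamp prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

FAILURE_THRESHOLD = 5              # assumed tuning values; the framework sets none
WINDOW = timedelta(minutes=10)

# Constructed sample log, not captured from any real host (addresses are RFC 5737 test ranges).
SAMPLE_LOG = [
    "2026-01-15T08:01:12Z host1 sshd: Failed password for admin from 203.0.113.5",
    "2026-01-15T08:01:20Z host1 sshd: Failed password for admin from 203.0.113.5",
    "2026-01-15T08:01:31Z host1 sshd: Failed password for admin from 203.0.113.5",
    "2026-01-15T08:01:45Z host1 sshd: Failed password for admin from 203.0.113.5",
    "2026-01-15T08:02:03Z host1 sshd: Failed password for admin from 203.0.113.5",
    "2026-01-15T08:02:19Z host1 sshd: Failed password for admin from 203.0.113.5",
    "2026-01-15T08:02:40Z host1 sshd: Accepted password for admin from 203.0.113.5",
    "2026-01-15T09:10:00Z host1 sshd: Failed password for alice from 198.51.100.7",
    "2026-01-15T09:10:15Z host1 sshd: Accepted password for alice from 198.51.100.7",
    "2026-01-15T10:00:00Z host1 sshd: Failed password for root from 192.0.2.9",
    "2026-01-15T10:30:00Z host1 sshd: Failed password for root from 192.0.2.9",
    "2026-01-15T10:31:00Z host1 cron: job started",   # unrelated line, ignored by the parser
]

Alert = Tuple[str, str, str]  # (severity, source address, description)


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines: List[str]) -> List[Alert]:
    """Sliding-window brute-force detection over authentication events."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> recent failure times
    already_flagged = set()

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Drop failures that fell out of the window before this event.
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()

        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= FAILURE_THRESHOLD and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append(("medium", ev["src"],
                               f"{len(recent)} failed logins within {WINDOW}"))
        else:
            # A success right after a burst of failures suggests a guessed or stolen
            # password: escalate at once. A single typo followed by success is normal.
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append(("high", ev["src"],
                               f"login for {ev['user']} succeeded after {len(recent)} failures"))
            recent.clear()
            already_flagged.discard(ev["src"])
    return alerts


if __name__ == "__main__":
    for severity, src, description in detect(SAMPLE_LOG):
        print(f"[{severity}] {src}: {description}")
```

The two failures from 192.0.2.9 never trigger an alert because they are thirty minutes apart, which is the sort of tuning decision a monitoring programme has to document: a slower attacker spreads attempts across windows, so the window and threshold should be revisited against the firm's own log volume rather than fixed once.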
A written cyber incident response plan, reviewed at least annually, must outline measures to respond to and contain incident impact. The plan must ensure timely response and recovery actions, with regular testing of conditions and procedures.
Integration with overall crisis management and disaster recovery plans is required, including communication procedures for internal and external stakeholders. Testing may include tabletop exercises or simulations, with the scope tailored to the situation.
Upon detecting incidents, investigations must determine nature and scope, with immediate containment actions to prevent damage and initiate recovery.
Material cyber incidents must be notified to the FSRA immediately, and no later than 24 hours after the authorised person becomes aware of them. A material incident is one that:
· Seriously affect customer information
· Pose material risk to client assets
· Have severe operational impact
· Significantly disrupt service delivery
· May result in material financial loss
· May damage the authorised person's reputation
· Involve unauthorised access to critical systems exposing control weaknesses
GLOBAL CONTEXT
ADGM's framework aligns with international approaches while addressing specific jurisdictional needs. For example, Singapore's Cybersecurity Act targets Critical Information Infrastructure (CII) operators in key sectors (energy, water, banking, transport), public sector organisations, and cybersecurity service providers.
It is administered by the Cyber Security Agency (CSA), with powers to direct investigation, enforce mitigation, and respond to threats in proportion to the assessed risk. CII operators must implement strong security controls, report incidents, and comply with audits. Complementing this, the Cybersecurity Code of Practice (CCoP 2.0) sets minimum requirements for resilience and rapid response, while the Cybersecurity Labelling Scheme promotes Internet-of-Things (IoT) product security.
Similarly, the UK's cyber security environment features the forthcoming Cyber Security and Resilience Bill, laid before parliament in 2025, which enhances Network and Information Systems Regulations 2018 by expanding scope to managed service providers and data centres.
It strengthens incident reporting and regulatory oversight, aligning with EU's NIS2 directive while remaining UK-tailored. Oversight is provided by the National Cyber Security Centre, Information Commissioner's Office, and sector-specific regulators.
IMPLEMENTATION CHALLENGES
Although the framework is generally regarded as robust and aligned with global best practice, implementation challenges have emerged. Smaller firms face particular difficulties with advanced technical controls such as privileged-access monitoring and third-party audits, often lacking the resources, expertise, and infrastructure these measures require.
Additionally, while the window before the January 31, 2026 effective date accommodates entities already familiar with FSRA regulation, newer or smaller firms may need extensions to develop comprehensive cyber risk management frameworks or to renegotiate vendor agreements.