CrowdStrike Incident Prompts Overview Of UAE Cybersecurity Legislation

BSA Ahmad Bin Hezeem & Associates LLP

Contributor

BSA is a full-service law firm headquartered in Dubai, UAE, with 9 offices across the region. We are deeply rooted in the region, offering a competitive advantage to clients seeking advice that works in the real world and is truly in tune with the market. We have rights of audience in every country where we have an office, which means that we can litigate all the way from the boardroom to the courtroom.

In July 2024, a routine software update from cybersecurity vendor CrowdStrike triggered a cascading global IT outage. A defective update to CrowdStrike's Falcon endpoint security software for Windows hosts caused affected machines to crash, inadvertently disrupting critical systems worldwide. Payment systems faltered, banks struggled to process transactions, and airports faced operational disruptions.

Although the outage was caused by a defect rather than an attack, it is a stark reminder of how fragile interconnected systems can be, and of how a single widely deployed supplier can become a systemic point of failure that malicious actors could equally seek to exploit. In today's interconnected world, the consequences of a cybersecurity breach can be devastating: a breach in one sector can quickly spread to others in a domino effect of disruptions, so that a single vulnerability has far-reaching consequences.

Such an event is an opportunity to reflect on the various pieces of legislation enacted in the UAE which may apply to some, if not all, entities operating in the country. We highlight below some of the most important ones, which aim to fortify the UAE's defences against cyber breaches and maintain trust and stability in its digital ecosystem.

Federal Decree-Law No. 34/2021 concerning the Fight Against Rumors and Cybercrime (the "Cybercrime Law")

  • Hacking
    The Cybercrime Law details severe penalties for hacking offenses, targeting both general and state institution information systems. Article 2 stipulates fines ranging from AED 100,000 to AED 300,000, along with potential detention, for hacking activities that disrupt or damage electronic systems, disclose confidential information, or serve illegitimate purposes. For more egregious breaches involving state institutions under Article 3, penalties escalate to provisional imprisonment and fines of between AED 200,000 and AED 500,000, with sentences extending up to 5 years where significant harm is caused and up to 7 years for data capture offenses.
  • Intentional data breaches
    Specific provisions in the Cybercrime Law address breaches involving personal data, government information, and data from financial or commercial entities. Article 6 of the Cybercrime Law stipulates that unauthorized acquisition, modification, or disclosure of personal electronic data carries penalties of detention for a minimum of six months and fines ranging from AED 20,000 to AED 100,000. Enhanced penalties apply if the breached data includes medical records, bank accounts, or e-payment information. Article 7 imposes severe penalties for unauthorized access to confidential government data, with offenders facing provisional imprisonment for at least seven years and fines ranging from AED 500,000 to AED 3,000,000. If such breaches compromise national security or military operations, the penalty escalates to at least ten years' imprisonment and fines ranging from AED 500,000 to AED 5,000,000. Article 8 mandates provisional imprisonment for a minimum of five years and fines from AED 500,000 to AED 3,000,000 for unauthorized access to data from financial, commercial, or economic establishments.

The National Electronic Security Authority ("NESA") Guidelines and Policies

NESA (since 2020 operating as the Signals Intelligence Agency, "SIA") is the federal body responsible for regulating cybersecurity in the UAE. Through its UAE Information Assurance Standards it establishes comprehensive requirements aimed at ensuring the security and resilience of electronic systems and information. Key aspects of NESA's regulations include, but are not limited to:

  • Regulatory Framework: NESA provides a structured regulatory framework governing electronic security across all sectors, emphasizing compliance and adherence to established standards.
  • Cybersecurity Guidelines: NESA issues detailed cybersecurity guidelines and standards that organizations must implement to protect against cyber threats and vulnerabilities. These guidelines cover areas such as network security, data protection, incident response, and risk management.
  • Incident Reporting and Response: NESA mandates incident reporting protocols for organizations to promptly report cybersecurity incidents. It also outlines requirements for incident response plans to mitigate the impact of cyber incidents and restore normal operations swiftly.

Requirements for regulated companies/financial institutions:

  • Mainland: UAE Central Bank ("UAECB") Circular on Consumer Protection for financial institutions
    The UAECB enforces various controls relevant to consumer data protection on licensed financial institutions. These include implementing robust security and monitoring measures to detect and track unauthorized internal access or use of consumer information, recording any breaches and assessing the resulting harm for future UAECB review.
    Significant breaches of consumer data must be promptly reported to the UAECB, with affected consumers notified without delay if the breach poses financial or personal security risks, and financial institutions are liable for reimbursing direct costs incurred by affected consumers.
    Financial institutions must proactively prevent misuse of consumer information and data and uphold sound security practices as part of their primary defence, continually investing in technology to mitigate risks. They must ensure their security systems are updated and capable of adapting to new cyber security challenges, while also conducting consumer awareness initiatives to educate the public about safeguarding against financial crimes.
  • Dubai International Financial Centre ("DIFC"): DFSA Cyber Risk Management Guidelines
    The Dubai Financial Services Authority (the "DFSA") - the financial regulator in the DIFC - sees the threat of cyberattacks as a material risk. It has therefore urged all DFSA Authorised Firms to establish robust frameworks for governing and managing cyber risks.
    The DFSA's oversight activities encompass adherence to Cyber Risk Management Rules outlined in its General Module of the DFSA Rulebook. The implementation of these rules varies depending on the nature, scale, and complexity of each Firm's business operations. A fundamental requirement of these rules mandates that every Firm adopt a suitable framework to identify and mitigate cyber risks, as well as to promptly detect, respond to, and recover from cyber incidents.
    Senior management, at both the board and executive levels, must possess a comprehensive understanding of their Firm's cyber vulnerabilities and allocate requisite resources, controls, and oversight to manage these risks effectively.

  • The Abu Dhabi Global Market ("ADGM"): FSRA Financial & Cybercrime Prevention Objectives
    The Financial Services Regulatory Authority (the "FSRA") - the financial regulator in the ADGM - has issued a guideline on Governance Principles and Practices to mitigate cyber threats for financial institutions emphasizing eight core principles and practices. These include (1) establishing robust governance frameworks with clear roles and responsibilities for managing cyber risks, (2) conducting regular and thorough cyber risk assessments to prioritize vulnerabilities and threats, (3) managing risks associated with third-party service providers through due diligence and contractual obligations, (4) developing and testing comprehensive incident response plans, (5) fostering cybersecurity awareness and training across all levels of the organization, (6) implementing protective controls such as identity and access management, encryption, and secure password practices, (7) establishing effective detection systems, and (8) promoting collaboration and information sharing with industry peers and law enforcement to enhance threat intelligence and response capabilities.

Federal Decree-Law No. 14/2023 on Trading by Modern Technological Means (the "E-Commerce Law")

Under the E-Commerce Law, digital merchants bear specific obligations towards consumers to ensure secure transactions and protect against cyber threats. This includes providing adequate measures that enable consumers to buy goods and services in a secure manner.
Merchants must also establish a secure environment for trading services, meeting e-security standards, cyber safety and guidelines set by the competent authority in the UAE. This ensures safe browsing and purchasing experiences for consumers.
Additionally, digital merchants involved in logistics and digital payment services may offer insurance coverage to manage risks arising from trading such as electronic fraud, cyberattacks, and any other potential hazards.

The Telecommunications and Digital Regulatory Authority (the "TDRA") framework

The TDRA, the telecommunications and digital sector regulator in the UAE, has developed the national cybersecurity strategy for the UAE, which includes the following:

  • Regulatory Framework: The TDRA has established cybersecurity regulations and policies for the telecommunications and digital sectors, complementing the offences defined in the Cybercrime Law.
  • Incident Reporting: Entities are required to report cybersecurity incidents to the TDRA promptly.
  • Security Audits: The TDRA conducts regular security audits of telecommunications and digital service providers to ensure compliance with cybersecurity standards.
  • Partnerships: The TDRA collaborates with other government agencies, law enforcement bodies, and international cybersecurity organizations to share information, intelligence, and best practices in combating cyber threats.
  • Education and Awareness: The TDRA promotes cybersecurity education and awareness programs among consumers and businesses.
  • Penalties and Enforcement: The TDRA imposes penalties on entities that fail to comply with cybersecurity regulations.

Key steps businesses should take

As global digital connectivity grows, so too does the risk of cyber threats, which means being aware of current regulatory and legislative requirements is essential.

The UAE continues to address this topic in its development of new laws and companies operating in the UAE need to continually enhance their systems and procedures to ensure compliance with local law.

Simple protective measures can be adopted by companies looking to decrease their cyber exposure, such as (1) carrying out a cybersecurity audit to identify system weaknesses, (2) reviewing existing contracts with service providers to strengthen cybersecurity provisions, (3) providing regular cybersecurity training to employees to raise awareness of cyber threats, (4) maintaining detailed records of cybersecurity activities, incidents, and compliance efforts, and (5) seeking guidance and support from cybersecurity experts and legal advisors familiar with UAE regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
