
3/4/24, 2:43 PM Cyber Risk Thematic Review 2024

1. Introduction 2. General 3. Governance 4. Hygiene and resilience 5. Declaration

Cyber Risk Thematic Review 2024


Submission details

Firm Name: ASCA Capital Limited


DFSA Authorised Firm number: F007537

Name of person making the submission: Sameer Ahmed Magami


Position: Compliance Officer
Email address: [email protected]
Contact telephone number: +97143207322

https://eportal.dfsa.ae/servlet/,DanaInfo=.adgud0q,SSL+survey.PreviewSurvey?i_n_f=survey134542_pg3_totpg5_rid15967351_lqid2974609_Sur… 1/3

1. Introduction
Background:

In line with its regulatory objectives, the Dubai Financial Services Authority (DFSA) is carrying out the Cyber Risk Thematic Review 2024 (Review). The Review is
designed to assist in determining:

• the current maturity level of Authorised Firms’, Authorised Market Institutions’ and Registered Auditors’ (collectively referred to as “Firms”) cyber risk
management frameworks;

• the compliance of Firms’ cyber risk management practices with the DFSA Cyber Risk Management Rules; and

• the growth in maturity following the DFSA Cyber Thematic Review 2022.

The Review will be conducted via an online questionnaire consisting mainly of multiple-choice questions that seek high-level information on each Firm’s cybersecurity
practices.

The deadline for Firms to submit responses is 08 March 2024. We may also select certain Firms to obtain additional information.

The DFSA will communicate its key findings to all Firms following the Review.

Important notes:

1. Defined terms in this questionnaire are identified by the capitalisation of the first letter in a word or of each word in a phrase. These terms are either defined in
the “Glossary” below or in the Glossary module (GLO).

2. All questions must be answered completely and accurately. Some questions can be answered as “N/A”; however, this should be in exceptional cases only, for
example where the question is not relevant for the Firm (e.g. the question refers to a Group and the Firm is not part of a Group).

3. Use of abbreviations and acronyms should be defined at first mention and used consistently thereafter.

4. You will be logged out of the questionnaire after an extended period of inactivity. Please save your responses periodically to ensure you do not lose any
information.

5. Please retain a copy of the completed form and any attachments for the Firm's records. The DFSA recommends saving as MHTML rather than PDF.

6. Upon completion of the questionnaire, a person validly appointed and duly authorised to complete the questionnaire must read and sign the declarations in
section 6. These declarations include, but are not limited to, confirmations that due enquiry has been made, that the information included in the responses is
complete and correct, and that you understand the consequences if you provide the DFSA with any information which is false, misleading or deceptive, or
conceal information where the concealment of such information is likely to mislead or deceive the DFSA.

7. Please direct any questions to [email protected].

Glossary

Access Control: Means to ensure that access to assets is authorised and restricted based on the ‘least privilege’ and ‘need to know’ principles.

Administrative Account: In regard to an Information System, any user account that has full privileges and unrestricted access to that Information System.

Application Programming Interface (API): A set of rules and specifications for software programs to communicate with each other that forms an interface between different programs to facilitate their interaction.

Artificial Intelligence (AI): The theory and development of computer systems able to perform tasks that traditionally use human intelligence.

Big Data Analytics: Using advanced analytics techniques in relation to a large volume of Data, generated by any means and stored in a digital format.

Biometrics: Automated recognition of individuals based on their biological and behavioural characteristics. It covers a variety of technologies in which unique, identifiable attributes of people are used for identification and authentication. These include, but are not limited to, a person’s fingerprint, iris print, hand, face, voice, gait or signature, which can be used to validate the identity of individuals.

Cyber Event: Any observable occurrence in an Information System. Cyber Events sometimes provide indication that a Cyber Incident is occurring.

Cyber Incident: An incident arising from the malicious use of information or communication technology that adversely affects an Authorised Person’s ICT Assets.

Cyber Incident Response Plan: A predetermined set of instructions or procedures providing for measures to be taken by the Authorised Person to respond to and limit the consequences of a Cyber Incident.

Cybersecurity: Preservation of confidentiality, integrity and availability of information and/or Information Systems through the cyber medium. In addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.

Disaster Recovery Plan (DRP): Documented process or set of procedures to execute a Firm's disaster recovery processes in relation to Information Systems and to recover and protect the IT infrastructure in the event of a disaster.

Distributed Ledger Technology (DLT): Processes and related technologies that enable Nodes in a network (or arrangement) to securely propose, validate, agree and record state changes (or updates) to a synchronised ledger that is distributed across the network’s Nodes. Blockchain is a type of DLT which stores and transmits Data in packages called “blocks” that are connected to each other in a digital ‘chain’.

Firm: The DIFC office of an Authorised Person.

Information System: The combination of hardware, software and telecommunication networks used to collect, process, manage and store electronic information. The system supports a firm’s operations and processes business activities.

Material Cyber Incident: A Cyber Incident is considered a Material Cyber Incident if it causes any of the following losses:

· impact to client data and/or client assets;

· leakage of sensitive information;

· disruption to critical business function(s) / critical Information System(s);

· significant operational impact to internal users that is material to clients or business operations;

· material financial loss;

· where it is believed the root cause of the incident, and/or the incident itself, may impact external stakeholders such that there is concern of systemic risk to the DIFC, Dubai and/or the United Arab Emirates;

· negative reputational impact is imminent (e.g. public/media disclosure).

Multi-Factor Authentication: The use of two or more of the following factors to verify a user’s identity:

· knowledge factor, “something an individual knows”;

· possession factor, “something an individual has”;

· biometric factor, “something that is a biological and behavioural characteristic of an individual”.

Penetration Testing: A test methodology in which assessors, using all available documentation (e.g. system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an Information System.

Security Patch: In regard to an Information System, an update that can be applied to the Information System to address a Vulnerability.

Vulnerability: Any weakness, susceptibility or flaw of the Information System that can be exploited, including but not limited to by allowing an unauthorised person to access the Information System, or to compromise the security configuration settings of the Information System.

Vulnerability Assessment: Systematic examination of an Information System, and its controls and processes, to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures and confirm the adequacy of such measures after implementation.

_____________________________________________________________________________________________________________________________________________

I, Sameer Ahmed Magami, confirm that I have carefully read and understood the instructions displayed above. I further understand that the DFSA can take regulatory
action if the above instructions are not followed.

Yes
No


Page 1 of 5
