FSRA cyber survey exposes financial sector’s weak links

The Financial Services Regulatory Authority’s Financial and Cybercrime Prevention department has published the results of a wide-ranging cyber risk management survey, revealing significant gaps in how regulated firms in Abu Dhabi Global Market approach cybersecurity governance, asset management, and incident response.

According to ACA Group, the survey, conducted in Q3 2025, was distributed to 315 FSRA-regulated firms and achieved an 83% response rate, with 263 firms contributing data on their governance structures, technical controls, and overall cyber resilience.

ACA Group recently detailed what the FSRA’s cyber risk survey reveals about financial sector readiness in 2026.

The publication was deliberately timed. With the FSRA’s new Cyber Risk Management Rules having come into force on 31 January 2026, the findings serve simultaneously as a readiness benchmark and a regulatory signal — a clear-eyed view of where the sector stands and where it continues to fall short.

Governance gaps remain at the foundation

The survey’s first area of focus assessed the governance frameworks underpinning firms’ cybersecurity programmes. The FSRA expects firms to maintain a formally documented, board-approved cyber risk management framework, supported by active board-level representation and clearly assigned operational responsibilities. The authority’s emphasis on the latter is pointed: ambiguity in accountability rarely becomes apparent under normal operating conditions. It becomes apparent during a cyber incident, when clarity of ownership is the difference between containment and escalation.

Asset visibility and third-party risk are persistent blind spots

The second focus area covers cyber risk assessments, IT asset classification, vulnerability management, and third-party risk. The survey found that without a complete, up-to-date inventory of information and communications technology assets — classified by criticality and sensitivity — firms are making resource allocation decisions in the dark. The FSRA notes that unidentified assets and unpatched vulnerabilities remain among the most exploited attack vectors in the financial sector.

Third-party cyber risk attracted particular scrutiny. Many firms, the survey suggests, are failing to formalise cybersecurity expectations within vendor relationships. Service provider agreements should include explicit cyber incident reporting requirements, clearly defined cybersecurity standards, and be subject to ongoing compliance monitoring rather than assumed adherence. The FSRA is unambiguous on this point: outsourcing a function does not reduce a firm’s obligations to the regulator.

Training, threat intelligence, and technical controls

The third assessed area covers the day-to-day operational fabric of a firm’s defences. On security awareness training, the FSRA positions employees as a first line of defence against social engineering attacks — and an undertrained workforce as a vulnerability that sophisticated technical controls cannot compensate for. On threat intelligence, firms are expected to actively participate in intelligence-sharing communities and ensure insights are integrated into internal processes rather than siloed. On technical controls, while basic measures such as multi-factor authentication and anti-malware solutions are widely adopted, more advanced controls show lower uptake — an outcome the FSRA acknowledges reflects proportionality principles, though identity and access management remains a firm expectation across the board.

Monitoring and adversarial testing adoption remains limited

The fourth focus area revealed that limited adoption of advanced testing methodologies is leaving firms with blind spots in their threat detection capabilities. The FSRA draws a clear distinction based on organisational complexity: larger, more complex firms are expected to employ penetration testing, red teaming, and other exercises that simulate real-world attack scenarios. For those firms, these are not optional enhancements — they are expected capabilities. Structured logging and monitoring, meanwhile, are essential to detecting incidents as they occur; without them, breaches can go undetected for extended periods with significantly amplified consequences.

Incident response plans mean little without testing

The fifth and final area assessed whether firms have formal cyber incident response plans in place and, critically, whether those plans are being tested. The FSRA’s findings are direct: a plan that has never been exercised is unlikely to perform as expected when a real incident occurs. The regulator expects incident response frameworks to be supported by regular simulation exercises and post-incident reviews to drive continuous improvement. Firms with well-tested response procedures will contain incidents faster, recover more effectively, and be better positioned to meet the FSRA’s 24-hour notification requirement for material cyber incidents.

The findings reveal a systemic integration problem

The five areas assessed by the survey are not independent workstreams, and the FSRA’s findings suggest that many firms are treating them as though they are. In practice, they function as a chain. Effective monitoring depends on what is being monitored — and if IT asset inventories are incomplete, monitoring programmes carry built-in blind spots from the outset. Penetration testing findings cannot be acted upon quickly without the clearly defined roles demanded by sound governance frameworks. Security awareness training directly affects how incident response plans perform in the field. Threat intelligence, properly integrated, should be feeding directly into risk assessments and vulnerability prioritisation.

The FSRA’s underlying intent is not to produce firms that can demonstrate compliance across five discrete categories. It is to produce firms with fully integrated, resilient cybersecurity programmes. The survey findings suggest that meaningful progress has been made in individual areas — but that the connective tissue binding those areas together remains underdeveloped across much of the sector.

Read the full ACA Group post here. 

Copyright © 2026 FinTech Global
