Every business today is at risk of a cyber attack, but perhaps nowhere are the stakes higher than in the financial and banking sector.
Cyber attacks can cause substantial financial losses for banks and customers. Banks also stand to suffer significant reputational damage as a direct consequence of a data breach, leading to a progressive erosion in customer trust, competitive advantage and a narrowing of future sources of revenue.
How can banks better protect their critical IT infrastructure and, by extension, their customers’ data at a time when cyber criminals are becoming more resourceful and sophisticated, and are finding innovative ways to identify and exploit vulnerabilities?
This question was at the forefront of a recent workshop hosted by the UAE Banks Federation in Abu Dhabi to promote cyber security awareness among information security officers of its member institutions. The workshop sought to present a holistic picture of how banks can mount an enterprise-wide approach to cyber security.
The first step in the cyber security journey is to create a comprehensive policy governance framework, experts at the workshop said. The framework must not be riddled with high-level objective statements, but instead lay out the policy direction in clear, concise and granular detail.
Management buy-in is crucial and the policy itself must be aligned with multiple considerations, such as applicable regulatory requirements, global best practices and an understanding of the evolving threat landscape.
A major priority for banks is adherence to compliance requirements. Building a unified compliance framework can significantly help to meet regulatory requirements. The policy can be mapped against various regulatory requirements and controls can be selectively implemented based on applicable regulations.
Real-time cyber security monitoring, which also involves the detection of security activities that are triggered by devices and applications across the bank’s network, has a major role to play in ensuring brand protection and integrity.
Application security, threat intelligence and vulnerability management programmes help identify potential weaknesses in IT and digital assets and reduce the overall cyber security risks to an acceptable level.
No less important is the need to put together a well-structured identity and access management and governance framework to manage identities that work on various business applications and support the bank in providing customer services.
This is pivotal for controlling user access and ensuring that only data that is necessary and relevant based on a job role is accessible to an authorised user.
Data protection and privacy is another key area. In the wake of stringent privacy laws enacted around the world, privacy has become an increasingly pressing concern due to data residency regulation.
For banks, protecting customers’ sensitive information is a fundamental, non-negotiable priority due to its inherent value. The success or failure of a bank can depend on how well it is able to manage data confidentiality.
Today, regulators are pushing the sector into open banking standards, which empower customers by giving them access to their data not only through bank channels, but also third-party apps.
This brings in a new dimension of security and privacy concerns for customer data that flows from the institution to the app providers.
Cloud computing systems offer numerous benefits, such as work from home or remote working capabilities, which have provided cyber resilience to business operations. However, the migration of financial services to the cloud brings security risks and a major one relates to data residency.
A recent McAfee report found there were no less than 3.1 million external attacks on cloud user accounts in the fourth quarter of 2020.
It’s essential that information security officers at financial institutions put in place effective cyber security incident response, crisis management and business continuity plans that outline procedures to follow in the face of an unplanned disruption in critical service. The plans should also identify the processes and resources needed to build sufficient business resilience and capability for an effective response.
The important thing to remember is that each of these should be approached with a broad, long-term perspective. All systems and processes must be sustainable and amenable to scaling up to accommodate future requirements and keep pace with the increasing volume and velocity of cyber attacks.
Financial institutions are increasingly outsourcing operations for product enhancement, cost optimisation and speed to market.
However, this creates third-party risk, or supply-chain risk. Trends in developed economies indicate that attackers often exploit vulnerabilities in supply-chain vendors to reach the target’s core systems. Financial institutions must, therefore, build controls around vendor risk management to handle these threats.
Cyber criminals are in it for the long haul and our response to the threat they pose must be on similar lines. Financial institutions must develop people, processes and technology to assess risk and build controls that are commensurate with the organisation’s risk appetite.
Pillairkulam Parthasarathy is chairperson of UAE Banks Federation's information security committee.