A practical guide for CISOs navigating UAE's stored value facilities regulation
According to the UAE Cybersecurity Report 2025, 21% of all cybersecurity incidents in the region target banks and financial services, making it the most attacked sector. With ransomware attacks up 32% year-over-year and data breaches in the Middle East costing an average of $8.7 million, the Central Bank of the UAE isn't taking chances.
The CBUAE's Stored Value Facilities (SVF) Regulation establishes cybersecurity requirements that every digital payment provider operating in the UAE must meet. At Hacken, we've helped fintech and Web3 companies navigate these requirements — drawing on eight years of blockchain security expertise and our work with regulators including the Abu Dhabi Global Market (ADGM). Here's what you need to know.
What Are the CBUAE SVF Cybersecurity Requirements?
The CBUAE SVF Regulation (Circular No. 6/2020), specifically Article 12, establishes detailed technology and cybersecurity risk management requirements. Licensees must adopt international best practices when designing and implementing these systems. The regulation covers:
| Domain | Key Requirements |
|---|---|
| IT Governance | IT control policies, clear structure of IT functions, independent technology audit function |
| Risk Management | Continuous risk management process, change management, project management methodology |
| SDLC & Coding | Secure development guidelines, source code reviews, formal testing and acceptance |
| Access Control | Role-based access, need-to-have basis, privileged access management |
| Security Operations | Vulnerability management, patch management, security monitoring and logging |
| Cyber Resilience | Cyber threat intelligence, penetration testing, cyber-attack simulation |
| Payment Security | Information classification, encryption, customer authentication, fraud detection |
| Business Continuity | Business impact analysis, recovery strategies, alternate site requirements |
Purpose of the Regulation
The regulation exists to:
- Protect the financial ecosystem — Ensure providers can identify risks, protect critical services, and respond to attacks
- Maintain consumer trust — Safeguard customer data and funds from fraud and breaches
- Align with global standards — Position the UAE alongside frameworks like MiCA and DORA
- Enable safe innovation — Provide clear compliance frameworks for scaling with confidence
Who Is Affected?
The regulation applies to:
- SVF Licensees — Prepaid cards, mobile wallets, digital payment instruments, payment tokens
- Financial Free Zone Entities — DIFC/ADGM companies operating SVFs in mainland UAE
- Banks — UAE-licensed banks launching SVF products
- Third-Party Providers — Vendors handling payment processing or customer data
Implementation Checklist for CISOs
Based on Article 12 of the CBUAE SVF Regulation, here's a detailed implementation checklist with actionable requirements:
1. IT Governance & Policies
| Requirement | Implementation Details |
|---|---|
| Establish IT governance framework | ☐ Define clear structure of IT functions with assigned responsibilities ☐ Establish independent technology audit function ☐ Create technology risk management function separate from IT operations ☐ Ensure Senior Management formally approves all IT control policies |
| Develop IT control policies | ☐ Document policies covering all technology applications and business models ☐ Define process for verifying compliance with IT policies ☐ Establish approval process for policy dispensations ☐ Specify consequences for failure to adhere to policies |
2. Technology Risk Management
| Requirement | Implementation Details |
|---|---|
| Implement risk management process | ☐ Establish continuous risk identification, evaluation, and monitoring ☐ Document risk assessments for new products, services, and processes ☐ Monitor changes in external factors (laws, regulations, threats) ☐ Maintain risk register with treatment plans and ownership |
| Establish change management process | ☐ Implement formal change control for applications, systems, hardware, and network ☐ Document emergency change procedures with record keeping ☐ Require appropriate approval before changes to production environment ☐ Verify changes do not have undesirable impact on production |
3. Secure Development Lifecycle (SDLC)
| Requirement | Implementation Details |
|---|---|
| Adopt project lifecycle methodology | ☐ Define methodology for developing, implementing, and maintaining systems ☐ Establish project management framework for major technology projects ☐ Conduct quality assurance reviews with legal and compliance involvement ☐ Document software package acquisition process for vendor solutions |
| Implement secure coding practices | ☐ Develop guidelines referencing industry-accepted secure development standards ☐ Conduct source code reviews (peer review and automated analysis) ☐ Define security requirements in early stage of system development ☐ Perform risk-based code reviews as part of quality assurance |
| Establish testing and deployment controls | ☐ Maintain segregated environments for development, testing, and production ☐ Cover business logic, security controls, and stress-load scenarios in testing ☐ Prohibit use of production data in testing without desensitization ☐ Ensure developers cannot access production libraries or promote code directly |
4. Segregation of Duties
| Requirement | Implementation Details |
|---|---|
| Enforce role separation | ☐ Separate development, testing, and production access permissions ☐ Implement independent review for automated code promotion tools ☐ Monitor vendor access to UAT environments ☐ Establish independent checks for privileged operations |
5. Access Control & Identity Management
| Requirement | Implementation Details |
|---|---|
| Implement role-based access control | ☐ Grant access rights only on a need-to-have basis ☐ Adopt role-based access control (RBAC) framework ☐ Restrict access via adequate authentication mechanisms ☐ Establish formal procedures for allocating access to system resources |
| Manage privileged access | ☐ Change all default passwords on privileged accounts ☐ Restrict number of privileged users to minimum necessary ☐ Implement strong controls over remote access by privileged users ☐ Require formal approval before releasing privileged/emergency IDs ☐ Log, preserve, and monitor all privileged account activities ☐ Prohibit sharing of privileged accounts ☐ Change privileged passwords immediately upon return by requesters |
6. Security Operations & Monitoring
| Requirement | Implementation Details |
|---|---|
| Implement vulnerability management | ☐ Deploy combination of automated tools and manual techniques ☐ Perform comprehensive assessments including web vulnerabilities ☐ Define implementation timeframes for patches based on severity ☐ Categorize and prioritize security patches by impact |
| Establish security monitoring | ☐ Implement tools to retain system, application, and network device logs ☐ Enable real-time monitoring of critical configurations and security settings ☐ Detect and block anomalies (abnormal behaviors, unusual processes) ☐ Define log retention policy and ensure examination capability |
| Document security baselines | ☐ Document control procedures and baseline security requirements ☐ Maintain configurations for operating systems, databases, servers, and network ☐ Perform periodic reviews of security settings against baselines ☐ Update baselines when changes are approved |
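The privileged-access items in section 5 ("Log, preserve, and monitor all privileged account activities", "Prohibit sharing of privileged accounts", "Require formal approval before releasing privileged/emergency IDs") and the anomaly-detection item in section 6 only become auditable once they are turned into concrete detection logic over the retained logs. The following is an added example, not code from the regulation or from Hacken, showing two such checks over a constructed log; the log format, account names, IP addresses and ten-minute window are all assumptions.

```python
# Added example, not from the CBUAE regulation or Hacken: two detection checks mapped to the
# checklist items "Prohibit sharing of privileged accounts" and "Require formal approval
# before releasing privileged/emergency IDs". Log format, accounts and IPs are constructed.
from datetime import datetime, timedelta

PRIVILEGED_IDS = {"root", "dbadmin"}      # assumed privileged accounts
EMERGENCY_IDS = {"firecall01"}            # assumed break-glass (emergency) IDs
WINDOW = timedelta(minutes=10)            # assumed sharing / approval-validity window

# Constructed sample log: "<ISO timestamp> <account> <source IP> <event>"
SAMPLE_LOG = """\
2025-03-01T09:00:00 root 10.0.1.15 login
2025-03-01T09:04:00 root 10.0.2.77 login
2025-03-01T09:30:00 dbadmin 10.0.1.20 login
2025-03-01T10:00:00 firecall01 10.0.1.15 approved
2025-03-01T10:02:00 firecall01 10.0.1.15 login
2025-03-01T11:00:00 firecall01 10.0.3.9 login
"""

def parse_log(text):
    """Return a list of (timestamp, account, src_ip, event) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        ts, account, ip, event = line.split()
        records.append((datetime.fromisoformat(ts), account, ip, event))
    return sorted(records)

def detect_shared_privileged_use(records):
    """Flag a privileged ID that logs in from two different IPs within WINDOW (likely sharing)."""
    last_login = {}  # account -> (timestamp, ip) of its previous login
    findings = []
    for ts, account, ip, event in records:
        if account not in PRIVILEGED_IDS or event != "login":
            continue
        prev = last_login.get(account)
        if prev and prev[1] != ip and ts - prev[0] <= WINDOW:
            findings.append((account, prev[1], ip))
        last_login[account] = (ts, ip)
    return findings

def detect_unapproved_emergency_use(records):
    """Flag an emergency-ID login not covered by an 'approved' event within the preceding WINDOW."""
    approved_until = {}  # account -> time until which its approval is valid
    findings = []
    for ts, account, ip, event in records:
        if account not in EMERGENCY_IDS:
            continue
        if event == "approved":
            approved_until[account] = ts + WINDOW
        elif event == "login" and ts > approved_until.get(account, datetime.min):
            findings.append((account, ip, ts.isoformat()))
    return findings
```

On the constructed log, the first check reports `root` switching from 10.0.1.15 to 10.0.2.77 within four minutes, and the second reports the 11:00 `firecall01` login, which falls outside the approval recorded at 10:00.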
7. Cyber Resilience & Testing
| Requirement | Implementation Details |
|---|---|
| Establish cyber threat intelligence | ☐ Subscribe to quality cyber threat intelligence services ☐ Collaborate with industry organizations to share threat information ☐ Monitor trends in cyber threats relevant to SVF business ☐ Update security measures based on emerging threats |
| Conduct penetration testing | ☐ Regularly assess necessity for penetration and cyber-attack simulation ☐ Cover external and internal networks and application systems ☐ Include social engineering testing in scope ☐ Mitigate identified vulnerabilities based on risk exposure analysis |
8. Incident Management
| Requirement | Implementation Details |
|---|---|
| Develop incident management framework | ☐ Establish sufficient management oversight for incident response ☐ Define timely reporting process to CBUAE for fraud and security breaches ☐ Include cyber-attacks, prolonged disruptions, and systemic incidents ☐ Report incidents where customers suffer monetary loss or data leakage |
| Implement communication strategy | ☐ Define stakeholder communication protocols during incidents ☐ Establish process for addressing reputational damage ☐ Document escalation procedures and crisis management protocol ☐ Maintain updated contact details for key personnel |
9. Payment Security & Data Protection
| Requirement | Implementation Details |
|---|---|
| Implement information classification | ☐ Classify information by degree of sensitivity ☐ Define appropriate protection procedures for each classification ☐ Assign information owners accountable for classification and protection ☐ Develop guidelines and definitions for each classification level |
| Protect data in storage and transit | ☐ Encrypt sensitive data using strong, widely recognized techniques ☐ Implement secure end-to-end encryption for data transmission ☐ Store customer data within UAE as required by regulation ☐ Implement five-year data retention policy |
| Implement customer authentication | ☐ Deploy two-factor authentication for high-risk transactions ☐ Combine factors: knowledge, possession, and biometrics ☐ Implement controls for password strength and complexity ☐ Limit login attempts and implement session timeouts |
| Deploy fraud detection systems | ☐ Operate transaction monitoring to prevent and detect fraud ☐ Screen suspicious or high-risk transactions ☐ Implement card binding verification with issuer ☐ Ensure proper authorization for direct debit setups |
10. Business Continuity Management
| Requirement | Implementation Details |
|---|---|
| Conduct business impact analysis | ☐ Identify scenarios that may interrupt services ☐ Define minimum service levels for critical business functions ☐ Establish recovery time objectives (RTO) and recovery point objectives (RPO) ☐ Define maximum tolerable downtime for critical services |
| Develop business continuity plan | ☐ Document detailed recovery procedures for all critical systems ☐ Define escalation procedures and crisis management protocol ☐ Establish proactive communication strategies (customer notification, media) ☐ Assign primary and alternate personnel for recovery responsibilities |
| Establish alternate sites | ☐ Ensure alternate sites are sufficiently distanced from primary sites ☐ Install appropriate facilities and communication equipment ☐ Implement physical access controls at alternate locations ☐ Avoid excessive reliance on external vendors for DR support |
| Test and maintain BCP | ☐ Conduct BCP testing at least annually ☐ Involve Senior Management and key personnel in testing ☐ Prepare formal testing documentation and post-mortem reports ☐ Obtain CEO sign-off on annual BCP statement to board |
How Hacken Helps
Since 2017, Hacken has secured 1,500+ digital asset leaders and built deep expertise in regional compliance frameworks, including VARA, CBUAE, and ADGM requirements. Our team of 60+ certified engineers combines Web3-native security knowledge with traditional financial services compliance experience.
We guide organizations through the full CBUAE SVF compliance journey:
- Gap Assessments — Evaluate your current posture against Article 12 requirements and prioritize remediation
- Security Program Development — Build governance frameworks, policies, and technical controls
- Penetration Testing & TLPT — Identify vulnerabilities with testing that satisfies regulatory requirements
- Secure Development Advisory — Implement SDLC controls, code review processes, and secure coding standards
- Audit Preparation — Prepare documentation and evidence for regulatory examinations
Ready to get started? Contact our compliance team to discuss your CBUAE SVF requirements.
This article is for informational purposes only and does not constitute legal or regulatory advice.