Resilience is a newly critical fixed cost in banking — and not every bank will be able to pay it. That’s the blunt assessment of Mashreq Group Chief Information Security Officer Olivier Busolini, whose bank responded to March’s attacks by re-architecting for a scenario the Gulf’s risk models never priced in: The UAE itself going dark.
The digital-first bank is re-architecting its cloud to fail over to regions outside the Gulf, treating geographic redundancy as a core control rather than a nice-to-have — and, pending regulatory approval, preparing to hold backup copies of critical data in Europe and Asia. The lesson of March, Busolini says, is that same-region redundancy protects you from a data center failure, not from a war.
When we mapped last month how geopolitical volatility and AI are reshaping regional cybersecurity, we argued that the convergence of physical conflict and digital attacks was breaking the old corporate risk models. Mashreq’s playbook shows what replacing them looks like in practice.
Among the key takeaways, Busolini walks us through:
- How the definition of resilience has shifted from “can we recover?” to “can we continue operating?”
- How the bank is looking for regulatory approval to move key backups outside our region;
- Why its expansions in Egypt and Pakistan are built as sealed, digitally sovereign compartments to hedge against the possibility of a breach in one market cascading to others;
- What a “minimum viable bank” costs to keep standing;
- What the cost of additional resilience could mean to smaller lenders;
- And the three ways he convinces other execs and boards to think through wartime investment in capex on cybersecurity.
EnterpriseAM: Iranian strikes took down data centers in the UAE and Bahrain, at least two of which have never recovered. How did that change how you think about resilience and being cloud-first?
Olivier Busolini: The events of March did not reverse Mashreq’s cloud‑first strategy, but they materially refined how cloud resilience is defined and engineered. Our internal decisions shifted away from assuming that same‑region redundancy provides sufficient resilience during geopolitical escalation. Same-region redundancy protects against data‑center failures, not regional or geopolitical outages. As a result, the strategic response has focused on re‑architecting for geographic‑independent failover.
Core banking and ledger platforms remain on hardened, regulator-approved on‑premise environments, consistent with existing regulatory and operational models, as reflected in Mashreq’s resilience plans. At the same time, we’re redesigning cloud‑based systems toward primary-secondary or active-active multi‑region models, including regions outside the Gulf, to reduce the shared geopolitical blast radius.
[These are two different ways of running backup systems across different geographies to ensure a bank stays online. A primary-secondary model works like a main computer and a standby backup: If a crisis knocks out the main region, the bank has to flip a switch to wake up the secondary region and take over. An active-active model works like a multi-engine airplane: Both regions are fully awake and processing live customer data simultaneously.]
Selective externalization is the name of the game. This means backups and archives migrating to Europe or Asia for cyber and regional‑outage resilience. It also means cross‑region designs for cloud security and monitoring platforms, specifically to remain operational if UAE regions are unavailable. We’re in the design phase and, in some cases, have prepared plans that are pending regulatory approval.
This doesn’t mean relocating the bank, but ensuring cognitive continuity, as in the ability for monitoring, decision‑making, data recovery, and command‑and‑control during regional disruption. We’re positioning this as ‘cloud maturity,’ not ‘cloud retreat’ — it’s not about “Can we recover?” but “How can we continue operating?”
EnterpriseAM: We reported on an 8x surge in DDoS attacks in March. Is your intelligence team seeing any signs of the use of adaptive AI bots — specifically, those that can autonomously change their traffic signatures or attack tactics once they’re throttled by your defenses?
OB: We haven’t seen confirmed evidence of fully autonomous, self‑adapting AI botnets dynamically mutating attack signatures in real time. The March DDoS surge was predominantly driven by hacktivist‑style DDoS campaigns characterized by high volume, rapid coordination across groups, and sustained, rolling attacks across multiple days and geographies.
The dominant behavior was human‑directed adaptation, not autonomous AI adaptation. The human behavior pattern included manual switching, HTTP floods, and application‑layer pressure, as in re‑targeting banks and public‑facing portals as defenses were activated. Those attacks were loud, visible, and symbolic, rather than stealth‑driven. While fully autonomous adaptive botnets have not been observed, we’re acutely aware — through external advisories — that AI‑accelerated offensive capabilities are emerging, particularly in exploit discovery and chaining, rather than DDoS traffic shaping itself. Current data shows limited evidence of APT‑level, destructive tooling.
EnterpriseAM: How should other institutions think through the capex piece?
OB: We used three principles that we think are widely applicable. First, we defined what a “minimum viable bank” looked like and set out to deliver that, not maximum fortification. That means ensuring the bank can continue operating a critical subset of services. In our case, that meant core ledgers, payment, treasury, and regulatory reporting systems and essential security, identity, and data‑preservation capabilities — not full operations.
You also want to see those investments be “reversible” where possible. Think about temporary cross‑region data copies, additional cloud capacity, and backup preservation.
And when you’re making your case, always set out the cost of prevention in the context of the cost of outage. Spending on resilience is easy to quantify — the cost of regulatory exposure, inability to clear payments or meet obligations, and long‑tail reputational harm are existential. This isn’t about incremental IT spend, it’s about reputation and delivering on our promises.