
Why cyber resilience is now a non-negotiable fixed cost for the banking sector in MENA+

Resilience is a newly critical fixed cost in banking — and not every bank will be able to pay it. That’s the blunt assessment of Mashreq Group Chief Information Security Officer Olivier Busolini, whose bank responded to March’s attacks by re-architecting for a scenario the Gulf’s risk models never priced in: The UAE itself going dark.

The digital-first bank is re-architecting its cloud to fail over to regions outside the Gulf, treating geographic redundancy as a core control rather than a nice-to-have — and, pending regulatory approval, preparing to hold backup copies of critical data in Europe and Asia. The lesson of March, Busolini says, is that same-region redundancy protects you from a data center failure, not from a war. 

When we mapped last month how geopolitical volatility and AI are reshaping regional cybersecurity, we argued that the convergence of physical conflict and digital attacks was breaking the old corporate risk models. Mashreq’s playbook shows what replacing them looks like in practice.

Among the key takeaways, Busolini walks us through:

  • How the definition of resilience has shifted from “can we recover?” to “can we continue operating?”;
  • How the bank is looking for regulatory approval to move key backups outside our region;
  • Why its expansions in Egypt and Pakistan are built as sealed, digitally sovereign compartments to hedge against the possibility of a breach in one market cascading to others;
  • What a “minimum viable bank” costs to keep standing;
  • What the cost of additional resilience could mean to smaller lenders;
  • And the three ways he convinces other execs and boards to think through wartime investment in capex on cybersecurity.

EnterpriseAM: Iranian strikes took down data centers in the UAE and Bahrain, at least two of which have never recovered. How did that change how you think about resilience and being cloud-first?

Olivier Busolini: The events of March did not reverse Mashreq’s cloud‑first strategy, but they materially refined how cloud resilience is defined and engineered. Our internal decisions shifted away from assuming that same‑region redundancy provides sufficient resilience during geopolitical escalation. Same-region redundancy protects against data‑center failures, not regional or geopolitical outages. As a result, the strategic response has focused on re‑architecting for geographic‑independent failover. 

Core banking and ledger platforms remain on hardened, regulator-approved on‑premise environments, consistent with existing regulatory and operational models, as reflected in Mashreq’s resilience plans. At the same time, we’re redesigning cloud‑based systems toward primary-secondary or active-active multi‑region models, including regions outside the Gulf, to reduce the shared geopolitical blast radius. 

[These are two different ways of running backup systems across different geographies to ensure a bank stays online. A primary-secondary model works like a main computer and a standby backup: If a crisis knocks out the main region, the bank has to flip a switch to wake up the secondary region and take over. An active-active model works like a multi-engine airplane: Both regions are fully awake and processing live customer data simultaneously.]

Selective externalization is the name of the game. This means backups and archives migrating to Europe or Asia for cyber and regional‑outage resilience. It also means cross‑region designs for cloud security and monitoring platforms, specifically to remain operational if UAE regions are unavailable. We’re in the design phase and, in some cases, have prepared plans that are pending regulatory approval. 

This doesn’t mean relocating the bank, but ensuring cognitive continuity, as in the ability for monitoring, decision‑making, data recovery, and command‑and‑control during regional disruption. We’re positioning this as ‘cloud maturity,’ not ‘cloud retreat’ — it’s not about “Can we recover?” but “How can we continue operating?”

EnterpriseAM: We reported on an 8x surge in DDoS attacks in March. Is your intelligence team seeing any signs of the use of adaptive AI bots — specifically, those that can autonomously change their traffic signatures or attack tactics once they’re throttled by your defenses?

OB: We haven’t seen confirmed evidence of fully autonomous, self‑adapting AI botnets dynamically mutating attack signatures in real time. The March DDoS surge was predominantly driven by hacktivist‑style DDoS campaigns characterized by high volume, rapid coordination across groups, and sustained, rolling attacks across multiple days and geographies. 

The dominant behavior was human‑directed adaptation, not autonomous AI adaptation. The human behavior pattern included manual switching, HTTP floods, and application‑layer pressure, as in re‑targeting banks and public‑facing portals as defenses were activated. Those attacks were loud, visible, and symbolic, rather than stealth‑driven. While fully autonomous adaptive botnets have not been observed, we’re acutely aware — through external advisories — that AI‑accelerated offensive capabilities are emerging, particularly in exploit discovery and chaining, rather than DDoS traffic shaping itself. Current data shows limited evidence of APT‑level, destructive tooling.

EnterpriseAM: Are you seeing any evidence that these big, noisy DDoS attacks are being used to overwhelm security teams while AI-assisted tools perform surgical, quiet data exfiltration in the background?

OB: We considered this hypothesis, but found no confirmed evidence during the March events that DDoS activity was successfully used to mask simultaneous stealthy data exfiltration. The observed activity remained noisy end‑to‑end. Our detection did not show indicators of stealthy lateral movement, data staging, or exfiltration. The primary risk observed was availability and reputational impact rather than deep, stealthy compromise at this stage. Where quiet compromise has occurred regionally outside Mashreq, it involved, as per our understanding, mobile device management environments, or supply‑chain or third‑party control planes.

EnterpriseAM: In your last annual report, Mashreq highlighted “operational resilience” as a core pillar. Did the March attacks change the way you think about what that means? 

OB: Yes — the definition of operational resilience has demonstrably expanded. We’re still thinking through a cyber‑availability lens (DDoS, software redundancy, local disaster recovery) but we’re also thinking about what we call a broader “geo‑physical‑operational” model.

Geographic redundancy is now a must-have, not an optional enhancement. This includes backups outside the UAE in locations such as Europe for selected cloud and SaaS platforms — subject to regulatory approval, of course. Regional outages are now credible threats, not edge cases. Resilience discussions now integrate physical, connectivity, vendor, and staffing concentration risks, alongside cyber threats. 

But this doesn’t mean a blanket policy to move workloads out of the Gulf during escalation. Certain functions are explicitly documented as UAE‑anchored due to regulatory or physical dependencies and must be made resilient in place rather than relocated. 

EnterpriseAM: You’re growing quickly in Egypt with both the Egyptian banking arm and with key back-office functions being carried out there for the group. And you have a full digital license in Pakistan. How do you ensure that a threat in Egypt or Pakistan doesn’t spread to other operations?

OB: We treat expansion markets as digitally sovereign compartments so that lateral privilege into the UAE core is deliberately engineered out. We don’t want to see a breach in one geography cascade to others. All of our key controls are designed with this in mind. 

EnterpriseAM: Beyond Mashreq’s own internal infrastructure, where do you see the most significant systemic risk? 

OB: The largest risks here are not isolated attacks, but shared dependencies where many institutions fail at once — there’s simply a massive amount of shared‑infrastructure risks — risks outside Mashreq’s unilateral control — that we need to think through and mitigate. This means hedging against single-provider dependency risk, even with multi availability zones designs. It also means hedging against domestic telco concentration, where connectivity, payments, and remote operations during crisis scenarios could be impacted.

Our internal resilience plans also address exposure across national payments infrastructure or SWIFT and correspondent banking connectivity, etc. Third‑party SaaS used for security monitoring, collaboration or crisis communication. We’re evaluating them now not just for availability, but for jurisdiction, data residency, and survivability during geopolitical escalation.

EnterpriseAM: Our reporting suggests that defending against cyber risk is going to get more and more expensive. How do you make the case to leadership for a wartime boost in capex? 

OB: We’re not justifying hardening as a security upgrade, but as a core business‑continuity and franchise‑protection investment. We presented that to our executive committee and the board of directors in explicitly economic terms. 

EnterpriseAM: How should other institutions think through the capex piece?

OB: We used three principles that we think are widely applicable. First, we defined what a “minimum viable bank” looked like and set out to deliver that, not maximum fortification. That means ensuring the bank can continue operating a critical subset of services. In our case, that meant core ledgers, payment, treasury, and regulatory reporting systems and essential security, identity, and data‑preservation capabilities — not full operations. 

You also want to see those investments be “reversible” where possible. Think about temporary cross‑region data copies, additional cloud capacity, and backup preservation. 

And when you’re making your case, always set out the cost of prevention in the context of the cost of outage. Spending on resilience is easy to quantify — the cost of regulatory exposure, inability to clear payments or meet obligations, and long‑tail reputational harm are existential. This isn’t about incremental IT spend, it’s about reputation and delivering on our promises. 

EnterpriseAM: Can smaller banks with higher cost bases keep pace?  

OB: Resilience is becoming a fixed cost of banking, not a competitive feature — institutions with scale can amortize it; others must compromise. Smaller institutions with higher cost bases may struggle to justify irreversible capex and be forced toward shared utilities, outsourcing, or lighter “compliance‑minimum” resilience. This creates a structural resilience gap rather than a skill gap.