Gulf organizations are becoming increasingly exposed to cybersecurity risk. There is evidence that cyber-attacks are rising regionwide, while new data privacy legislation threatens hefty fines for non-compliance.

Research from multinational cybersecurity provider Kaspersky Lab says that malware attacks have risen in the UAE—they shot up by 12% in Q1 compared to Q1 2018. Over Q1 this year, around 23.4 million malware threats and 1.1 million phishing attacks were reported in the UAE—that’s an average of over 12,000 threats daily. The report also states that more than 150 million malware attacks took place across the Middle East, Turkey and Africa region during Q1 alone, representing an average of 1.6 million attacks per day, an alarming 108% increase over Q1 2018.

On August 1, Bahrain’s Personal Data Protection Law came into force with heavy fines for companies in breach. Increased regulation is now also a fact of UAE business life, with the emirates recently enacting a National Cybersecurity Strategy, and the Dubai International Financial Centre issuing a public consultation paper for input into its planned data protection law intended to reflect the principles and concepts of Europe’s GDPR.

The reality of legal breaches became clear recently with British Airways fined $220 million for a GDPR breach in which hackers stole the personal data of half a million of the airline’s customers. Hotel chain Marriott was then fined $124 million for failing to protect customer data after hackers stole the records of 339 million of its guests.

Yet the fines only scratch the surface when it comes to the real cost of these breaches. There is also the potential for damages claims from customers, legal costs, administrative time, investigation costs and the cost of repairing reputational damage to be considered.

Analysts warn that risks are not always external, but can also be internal, citing that human error is behind 18% of data breaches in Saudi Arabia and the UAE. Risks can also come from deliberate acts by rogue staff with network access or access to confidential data.

The risks are great, but the good news is that today they can be insured against. Several types of insurance are geared towards financial losses that businesses incur. These include directors’ and officers’ insurance, cyber-insurance, professional indemnity, banker’s blanket bond (BBB)—all of which cover intangible, rather than tangible losses.

One important aspect to consider is where such policies offer different coverage but can actually complement each other. For example, a cyber policy will usually exclude losses resulting from crime. Whereas a BBB policy (or equivalent) comes into its own when guarding a company’s assets against losses resulting from crime, whether internal or external. This policy will pick up the crime exclusion of the cyber policy as most BBB policies also cover losses incurred through computer manipulation, i.e. someone accessing a company’s system and stealing assets, commonly through fraudulent bank transfers.

The problem is to assess which cover is needed for a specific company, which is where broker expertise comes in. Brokers can work out where organizations are exposed. A cybersecurity assessment can ensure the right cover is customer-designed and put in place. 

The not-so-good news is that premiums are rising in the Middle East where the market is hardening. Reductions in regional underwriting capacity, coupled with increased cyber and BBB losses are bringing more market volatility. With less regional capacity to insure against these cyber-risks, demand for brokers with international reinsurance abilities that have access to additional markets willing to write such risks will increase.

Cyber insurance is not a silver bullet. It does not protect a company against the possibility of a cyber-attack taking place, but it can help keep organizations supported operationally and financially stable should a security breach occur. Cyber insurance is arguable now an essential layer of business continuity.