As cyber threats intensify across the Gulf, businesses face a growing protection gap—with few insured against the true scale of risk. At DWIC, Zurich’s Peter Englund and Clyde & Co’s Olivia Darlington explored how regulation, rising incident costs and evolving insurance products are reshaping the region’s cyber risk landscape.
As cyber threats escalate in scale and sophistication, businesses across the globe are grappling with a widening protection gap. While this challenge is recognised in the context of natural catastrophes, the cyber risk gap is broader, more complex, and growing at a startling pace.
Speaking at the Dubai World Insurance Congress (DWIC 2025), Peter Englund (left of picture), senior executive officer for the Middle East at Zurich Insurance Company, explained: “Global estimates suggest that cybercrime could cost the world economy more than $10trn by 2030, making it one of the largest economic threats of our time.
“Yet today, the entire global [cyber] insurance market is valued at only around $15-20bn. In other words, we’re trying to fight a wildfire with a water bottle.”
This imbalance is even more acute in the Middle East, where rapid digitisation has not always been matched by investment in cyber resilience or risk transfer solutions.
Olivia Darlington, a partner at Clyde & Co and specialist in cyber insurance and incident response, argued that the region’s unique profile creates fertile ground for threat actors.
“The threat landscape of the GCC is very live… the wealth of the region, the rate with which the countries are developing, the rates of digitisation, and also the relatively low level of cyber security hygiene… all of that is creating a prime target for cyber criminals,” she said.
“In the UAE alone, [there’s been a] 58% increase in the number of ransomware groups that are active in the region… I think they’ve suddenly woken up to the fact that the Middle East is this amazing target where they can make a lot of money.”
Regional risk realities
The region has witnessed a marked rise in both high-impact and high-frequency cyber attacks.
In Saudi Arabia, hackers stole a terabyte of data from Saudi Aramco through a third-party breach and demanded a $50m ransom. In the UAE, three major banks were targeted by distributed denial-of-service (DDoS) attacks, disrupting services for thousands of customers. And in Qatar, more than five million cyber attacks were recorded in the lead-up to the 2022 FIFA World Cup.
“These attacks weren’t minor tech disruptions,” Englund commented. “They affected thousands of customers and forced companies to rethink cybersecurity at the leadership level.”
Darlington added that the composition of attacks is shifting, with cyber espionage now a growing concern—particularly against government and quasi-government entities.
She also warned that increased AI adoption could exacerbate these challenges. As governments in the region aggressively pursue AI-led digital transformation, attackers are using the same tools to scale their operations and evade detection.
The hidden cost of underinsurance
Despite these growing threats, many organisations in the region remain uninsured or significantly underinsured.
The regional cyber insurance market is currently valued at $80–100m, with projections suggesting it could reach $150m by the end of the decade, but this is not nearly enough to keep pace with the rising costs of attacks.
“The average cost per data breach is $8.75m, which is second only to the US and actually double the global average,” Darlington noted.
Part of the issue is cultural. Many businesses remain hesitant to disclose incidents, even internally, let alone seek external support. Others still perceive cyber insurance as a niche product, or fail to understand what it can provide.
In parallel, the insurance market faces its own contradictions. Increased capacity and new market entrants—particularly in hubs like the DIFC—have driven prices down, even as risks have intensified.
“We saw our rates coming down last year by close to 30%,” Englund said. “It’s interesting when you see an increase in the threat landscape… yet rates are softening.”
From liability to resilience
One explanation for this disconnect lies in how cyber insurance is perceived. Traditionally focused on third-party liability, policies are now evolving to offer much broader protection—from breach response and regulatory support, to crisis communications, and business interruption coverage.
“People have been more focused on buying [cover for breach response],” Darlington said. “But because of the changes in the laws that are coming in, that is going to shift more to the data protection side of things.”
Yet there remains a lag between emerging regulatory regimes and active enforcement. Darlington pointed to Qatar, where a data protection law passed in 2017 only resulted in its first enforcement decision in 2024. That delay, she said, reflects a wider trend in the region—but one that is beginning to shift.
“You can’t bring in laws and try and attract people into the region and then not enforce them,” she said. “Particularly in Saudi, I expect the regulator there to be more active, and that will help drive demand.”
Supply, demand and market growth
Both Englund and Darlington agree that regulatory evolution and global integration will be key growth drivers. As more Middle Eastern businesses expand into Europe and North America, they are becoming subject to global standards, such as Europe’s GDPR—and face contractual obligations that increasingly require cyber cover.
“We’re seeing a lot more sort of locally headquartered entities now having subsidiaries in mainland Europe… they’re not just subject to the data protection laws here. They’re also subject to GDPR,” Darlington said.
From a sectoral perspective, demand is widening. Initially driven by financial services and insurers, cyber uptake is now spreading to energy, aviation, logistics, government, and mid-market SMEs.
“We see a broader uptake now,” Englund said. “Governmental institutions are interested, and we also see the SME segment—particularly with revenues between $50 and $500million—starting to buy for the first time.”
This diversification could play a critical role in helping to close the protection gap. However, it will require continued collaboration between insurers, clients, regulators and governments.
However, the cyber protection gap cannot be closed by technology alone. As Darlington and Englund both emphasised, insurance must be seen not just as a financial backstop, but as a core component of cyber resilience.
Ultimately, the future of cyber risk management in the Middle East will depend on shifting perceptions, strengthening policy frameworks, and developing more integrated, client-centric insurance offerings. With the stakes this high, inaction is not an option.
As Englund concluded: “Cyber risk is no longer a technical issue. It’s a board-level risk, a national security concern, and a societal vulnerability.”
No comments yet