But policyholders will need to watch out for wordings

Cyber criminals stole almost 4bn dirham from victims in the UAE in 2017, raising concerns in the region of complex cyber threats and putting the spotlight on coverage.

Speaking at Global Reinsurance’s Dubai World Insurance Congress (DWIC), Shabnam Karim, senior associate at Clyde&Co Dubai highlighted several high-profile attacks to inflict the region, namely in Saudi Arabia and Bahrain.

The 2012 Saudi Aramco data breach was cited by Karim as the most significant cyber-attack in the Middle East to date.

Malware – labelled ‘Shamoon’ - partially wiped or totally destroyed the hard drives of 35,000 computers belonging to the state-owned national oil company of Saudi Arabia.

According to statistics cited by Karim, the UAE is the eighth most targeted country globally and first in MENA for spear-phishing. It is the second most targeted country in MENA for ransomware attacks.

The Symantec’s Internet Security Threat Report highlighted SME organisations in the UAE as the most vulnerable to attacks and targeted repeatedly for spear-phishing attacks.

When it comes to insurance coverage, Karim highlighted four key areas in cyber policies, which should be carefully considered and reviewed in cyber policies, including, business interruption, cyber extortion, cloud service providers and physical damage.

“In this region, the penetration for [cyber] insurance is still fairly low, but I think we see it increasing, especially where companies are aware of GDPR and the risks they face with regulatory scrutiny and having to incur the costs of doing mandatory breach notifications,” she said.

“Wordings can be tricky,” she warned. “It’s not always clear how certain terms are defined, and companies should make sure they have as much clarity as possible, or there is the risk of not having something covered which maybe was thought to be covered.”

Other high-profile attacks cited by Karim included: The Saudi petrochemical Triton hack in 2017, when hackers gained control to a safety shut off system; in November 2017, the Saudi authorities reported a fresh attempt by hackers to disrupt government computers; the Khalifa Bin Salman Port incident in Bahrain, when terminal operations were disrupted in June 2017; an attack on the Bank of Muscat in 2013; and the airline Gulf Air had its Facebook page hacked by political activists in 2012.

Although there are no specific privacy laws, the following general laws apply:

  • UAE constitution, Article 31: general concept of privacy;
  • UAE Penal Code, Article 378: offence to publish news, pictures or comments pertaining to the secrets of a person’s private or family life;
  • UAE Penal Code, Article 379: offence to disclose a secret that you are entrusted with, by reason of your “profession or craft”; and
  • DIFC Data Protection Law 2012; breaches may attract fines between $5,000 and $25,000
  • The impact of GDPR; which comes into force 25 May 2018