United Arab Emirates: Cyber insurance products – potential development in the Middle East

In February 2017, we authored an article "Cyber security and data protection breaches: a brief comparative review" which examined some of the basic laws that have been implemented in various countries in the Middle East to counter cyberattacks and this is available on Kennedys website. Given the increasing interest in cyber insurance products, in this article we analyse some of the cyber risks and corresponding products available in the Middle East market.

The growth in interest in cyber insurance can be attributed to a number of things such as, the growing awareness of cyber risks among companies, particularly those that have experienced cyberattacks. The recent Shamoon II attack in Saudi Arabia is yet another example of the disruptive impact a cyberattack can have on a company. Saudi Arabia telecoms authority issued an alert in January this year which claimed that Shamoon II¹ was behind the new cyberattacks on the labour ministry and a chemical firm, Sadara Chemical Company. The aim of the attack was to disable equipment and services by stealing data and information and planting viruses.

No doubt, as a result of this attack and others, regulators and senior executives have been prompted to review their enterprise risk management strategies. Some regulators in the region are already doing their part to raise awareness among senior executives on their obligations to recognise and mitigate risks associated with cyberattacks and data breaches. For example, in December 2016, the Dubai Financial Services Authority (DFSA) held a 'Cyber Risk Outreach' (Outreach) that provided a platform for various cyber professionals to present their thoughts on cyber risks in the Middle East. The Outreach session also provided thought provoking questions on how cyber risks were being assessed and raised questions on cyber risk responsibilities that senior managers may have, which form part of their regulatory obligations to the Dubai International Financial Centre Authority, the DFSA and all relevant UAE agencies. One of the risk mitigation tools discussed was cyber insurance.

This article provides a review of insurance coverages that are available in the Middle East to assist senior executives and risk managers to mitigate cyber risks. In addition, this article will mention some of the cyber risks that may not be covered unless insurance managers are familiar with specific risks posed by cyberattacks and or data breaches to their organisation and seek to obtain specific insurance coverages from their insurance provider.

Typical cover available?

There is a lack of standardised cyber insurance policies. Different policies can therefore be customised to provide cover according to the needs of the organisation. Below are some of the typical covers available:

• Crisis Management Costs (including IT, forensic, legal services and public relations experts)
  These services are paid for by insurers to provide organisations with guidance on what action the organisation should take when dealing with a cyberattack. From the insured's point of view, it is preferable to have a policy that covers actual loss and the threat of a loss. When a cyberattack occurs as part of the mitigation process, the aim of the organisation will be to limit the damage to the business. Crisis management services are normally provided by third party specialist firms. Provision of such services within the insurance policy will usually be on condition that notification of the cyberattack is provided to insurers within a specified time scale. There is usually a requirement for the insured to notify the insurer in writing. Some policies may also require notification to specific regulatory authorities. However, some cyber policies allow the insured to contact the crisis management specialist directly prior to notifying the insurer.
• Data Security Breach or Failure Costs
  Depending on the organisation and the type of information involved in a cyber breach, cyber insurance policies usually indemnify organisations for the costs associated with data breach or data failure costs. For any organisation that deals with personal information, for example, retailers or medical health providers, this cover may be critical as the costs of dealing with cyberattacks which involve the theft of personal and or sensitive information are expensive and can quickly mount up to millions of dollars. Although there are limited regulatory notification requirements in the Middle East at the moment (and these are particularly confined to the Dubai International Financial Centre and Abu Dhabi Global Markets), there are still costly risks associated with such breaches. Redress for such breaches include payment card loss, consumer identity theft, credit card monitoring costs and the cost of recovering data. Cover in some policies may only be for third party customer's personally identifiable information as opposed to the confidential information in the insured entity's possession.
• Legal liabilities owed to third parties
  This usually provides cover for any legal defence costs or damages awarded against the insured for third party bodily injury or property damage that occurs as a direct consequence of a cyberattack.
• Business Interruption
  This may provide cover for the damage and interruption to the business caused by a cyberattack which causes system downtime and subsequent interruption to the business of the insured company. Essentially, what is being covered is the loss of profit or reduction in the organisation's profit during a certain period (which is defined in the policy) as a result of a cyberattack. This cover may be of particular importance to companies that use cloud services as demonstrated by recent attacks in America.

What may not be covered?

• First party cover: Physical loss or damage. For example, the physical damage to 30,000 computers experienced by Saudi Aramco during the Shamoon I² attack of 2012.
• Outsource service provider costs: These are costs arising out of network interruption failures of devices controlled or operated by a third party. Unencrypted media in the care and control of third-party processors may not be covered. The outsourcing of services and functions is a common practice particularly in the insurance industry. Many companies are requiring their third party service providers to have cyber liability insurance cover in place before contracting with them.
• Losses arising from affiliated companies: Some insurance policies may have a restricted definition of the insured company to provide cover only for the company named as an insured on the insurance policy and any subsidiary companies where the parent owns a certain percentage ownership interest. Affiliated companies may not, therefore, be covered.
• Voluntary transfers: This occurs where the insured is tricked into voluntarily transferring money to a third party. This is also called social engineering fraud.
• Malicious acts by an employee: Malicious fraudulent acts may be excluded under a cyber policy.
• Payment card industry - merchant services agreement charges: Such agreement involves third parties processing personal information. Unless specifically agreed between the insurer and the insured, coverage may not be provided if the entity performing the service is not the insured entity that sustained the damage or loss.
• Betterment: This involves the upgrading or enhancement of a company's computer system following a cyberattack. There are cyber insurance policies in other jurisdictions that are providing this cover.

Local insurance policy wording requirements still apply

The increased awareness of cyber insurance policies and their availability in the Middle East has led to some companies to proactively seek to utilise this risk mitigation tool to transfer some of their risks. While this marks progress for the region, both insurers and insureds should not ignore the specific regulatory requirements that apply to insurance policy wordings in different countries in the Middle East. Unless specifically exempted, these regulations will apply equally to cyber insurance policies.

Footnotes

1. Reuters Cyber Risk Mon Jan 23 2017

2. Reuters Regulatory News, August 26 2012

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.