Cyber Space: Global insights on cyber and data risks for insurers November 2025 – What 2025 has taught us about cyber risks in the Gulf region
Introduction
As the Gulf region accelerates towards large-scale digital transformation, its cyber risk profile is evolving rapidly. Governments and businesses are adopting cloud, IoT, smart city infrastructure and digitised public services as part of economic diversification plans.
This article outlines the current regional threat picture (including a focus on Saudi Arabia) and practical considerations for insurers.
1. The regional threat picture
Across the region, cyber incident volumes have increased (for example, the UAE Cyber Security Council has reported 200,000 daily attacks on strategic sectors), and threat actors are now pursuing more financially motivated extortion. Consequently, ransomware and data theft are more common. This shift has increased both disruption and the losses incurred.
Geopolitical tensions and regional instability have also heightened the prospect of state-sponsored or state-linked attacks against civilian infrastructure, such as subsea cables.
At the same time, ambitious digitisation programs, including rapid cloud adoption and deployment of IoT in energy and utilities, are increasing the potential for misconfiguration, third‑party compromise and supply chain incidents. This is resulting in a higher frequency of cyber incidents coupled with a longer tail impact following systemic events.
2. Claims and loss trends
Cyber losses in the region mirror global patterns but with local variations. The UAE appears to be leading the region in cyber exposure, accounting for 40% of Gulf-related dark web activity, albeit higher severity has generally been seen in Saudi Arabia (see below).
Ransomware and double‑extortion remain the dominant drivers of cyber claims. Contingent and supply chain business interruption exposures are also in focus, reflecting exposure to risks connected to cloud and managed service providers as well as dependencies on critical infrastructure.
3. Regulatory developments
Cybersecurity and data protection regimes across local jurisdictions are increasing regulatory and compliance costs and reinforcing the need to consider potential regulatory policy triggers against local legal obligations.
In particular, the Saudi Data & Artificial Intelligence Authority enforces the Saudi Personal Data Protection Law (“KSA PDPL”) with mandatory breach notifications and heavy penalties for non-compliance (up to SAR 5 million, which can be doubled), including criminal sanctions for violations relating to sensitive data.
Similar to the KSA PDPL, the Qatar Personal Data Protection Law mandates 72-hour breach notifications and strict data handling requirements. The Qatar National Data Privacy Office has stepped up enforcement, issuing rulings that cite inadequate security controls, signalling a more proactive regulatory stance.
Free zones (designated areas within a country with independent legal frameworks), such as the Dubai International Financial Centre (“DIFC”) and Abu Dhabi Global Market (“ADGM”), maintain their own GDPR-aligned data protection frameworks. Similarly, in Qatar, the Qatar Financial Centre (“QFC”) recently issued a decision and fine of USD 150,000 following a data breach that revealed inadequate security measures and failure to meet breach notification obligations.
4. Saudi Arabia in focus
Saudi Arabia is a focal point for both cyber risk and cyber insurance.
The Kingdom has established a robust regulatory approach leading to greater expectations around cyber resilience for both public and private entities. Key frameworks such as the National Cybersecurity Authority’s Essential Cybersecurity Controls and the Personal Data Protection Law impose stringent requirements, including breach notification and mandatory security controls. Active enforcement is also increasing. This supports the Kingdom’s resilience objectives but also causes businesses to focus increasingly on cybersecurity compliance.
Digitisation of high‑risk targets, such as energy, financial services, telecoms and government services, has also increased exposures, particularly where digital infrastructure and suppliers are concentrated. Recent incidents in the energy sector and government networks underscore the attractiveness of these targets to state-linked actors, amplifying systemic risk.
From an insurance perspective, the market’s scale and sophistication are resulting in high interest from cyber insurers. However, underwriting remains complex due to factors such as local data protection obligations, regulatory penalties, and uncertainty around enforcement. Other issues include potential state involvement in incidents, and the impact of war/hostile acts exclusions due to geopolitical issues. We therefore anticipate this will require sensible consideration of existing cyber wordings and placement strategy.
5. Practical considerations for insurers
Brokers and insurers should be alive to the following key points when considering placing and writing cyber business in the Gulf region:
- Consider systemic risk, given the potential for state‑linked attacks, supply‑chain compromise and disruption to physical infrastructure.
- Understand the interaction between national cybersecurity and data protection obligations and relevant policy triggers.
- Identify the differing and relevant local regulatory exposures to help avoid coverage gaps.
- Rapid technological advancement has not been matched by the knowledge and appreciation of cyber risks. Cyber resilience, pre-breach training and cyber incident preparation are important in mitigating risk and consideration should be given to them alongside cyber insurance.
- Appreciate the absence of experienced and trusted local cyber vendors and the need for early consideration or pre-agreement of vendors across incident response, forensics and legal.
Conclusion
The Gulf cyber insurance market is entering a more mature phase with greater capacity that should be coupled with clearer expectations around controls and compliance. The combination of rapid digitisation, national‑level cybersecurity standards and concentration of high‑value targets creates opportunities, but within a nuanced risk environment.
Given our local knowledge, alongside our longstanding experience of cyber coverage, CMS can support policyholders and their brokers in preparing for and responding to cyber incidents in the region as well as advising insurers on any policy wording and coverage issues that may arise.
Cyber Space – More to come…
This article is part of our Cyber Space series. These regular articles, produced for the cyber insurance market, are written collaboratively by CMS’ global network of cyber and data lawyers to build a rolling comparison of the approaches to cyber risks, insurance and legislation across different jurisdictions.
As an international full-service law firm, providing cyber coverage advice and incident response services to insurers and their policyholders for over 15 years, CMS is ideally placed to comment on the important issues and developments in the global cyber space and the potential impacts to insurers and policy cover.