
The company you keep could be your biggest cyber threat

May 2025
Lyndon Richards and Thabile Gcabashe

In today’s digital world, cyber risk does not stop at your firewall; it extends to everyone with whom you do business. As a result, when it comes to cybersecurity, the company you keep could well be your biggest threat.

As organisations across the United Arab Emirates (“UAE”) continue to digitise their operations and lean more heavily on external information technology service providers, third-party cyber risk is emerging as a major concern. Recent assessments indicate that many businesses are not effectively managing the cybersecurity threats posed by their vendors.

Third parties are often responsible for critical services such as cloud storage and software development. While these services offer efficiency and scalability, they can also introduce new vulnerabilities. If a third-party service provider (“TPSP”) is compromised, the consequences can be severe, including data breaches and violations of data protection legislation. Even the most robust internal cybersecurity controls can be undermined by a single weak link in the supply chain.

According to the Dubai Financial Services Authority’s (“DFSA”) 2024 cyber thematic review, only 75% of firms conduct proper due diligence to ensure that TPSPs meet defined cybersecurity standards before granting the TPSPs access to their systems or data. More concerning still, only two thirds conduct regular reviews to confirm that these providers continue to meet the required standards. In many cases, firms also fail to include formal cybersecurity requirements in their contracts with third parties.

This lack of oversight and contractual clarity presents a serious and growing risk. A third-party cyber incident may cause, amongst other things, operational disruption, financial loss and regulatory scrutiny.

The DFSA has made it clear that third-party cyber risk must be addressed as an integral part of a firm’s overall cyber risk management framework. This includes selecting vendors who meet appropriate standards, embedding cybersecurity provisions into contracts, and conducting regular reviews to ensure ongoing compliance.

In a country rapidly establishing itself as a global leader in digital innovation and smart infrastructure, this approach reflects a wider regulatory emphasis on shared responsibility. Data breaches involving third parties are on the rise globally as businesses become more connected and supply chains more complex. Without proactive cybersecurity measures, the UAE could see similar trends.

Cyber insurance has a valuable role to play in reducing the liability arising from these risks. It provides a potential financial safety net in the event of a cyber incident involving an external provider and may include cover for forensic investigations, legal fees, regulatory penalties, and business interruption.

While cyber insurance is no substitute for sound governance, it is nevertheless a critical part of a mature and resilient risk strategy.

If you have any questions on cyber insurance, please reach out to us.
