The UAE’s new Insurance Brokers’ Regulation: strengthening cybersecurity and data protection in the insurance sector
March 2025
The Insurance Brokers’ Regulation (“the Regulation”) came into effect on 15 February 2025. Released by the United Arab Emirates (“UAE”) Central Bank in July 2024, the Regulation aims to promote greater transparency among insurance brokers, companies, and policyholders. It introduces several changes, including a heightened focus on cybersecurity, which is crucial given the rising number of threats in this area. As these threats become more prevalent, insurance brokers must adapt to the new standards designed to improve security, protect data, and bolster overall risk management practices. This timely shift underscores the increasing importance of safeguarding sensitive information in the digital age.
The Regulation replaces the previous 2013 Insurance Brokerage Regulations and applies to all regulated entities operating within the onshore UAE. Under the new framework, insurance brokers are required to establish and maintain robust policies and procedures aimed at identifying, preventing, and resolving data security breaches, while also ensuring the protection of personal data. A key provision mandates that personal data must be stored and maintained within the UAE, prohibiting its storage outside the country. Additionally, brokers must establish secure backups of all personal data in a separate (and presumably still within the UAE) location for the required period of retention of ten years. Brokers are also required to process and retain only the personal data necessary for providing insurance brokerage services, in accordance with regulatory requirements and standards on data protection. The practical implementation of these laws is awaited, as it will provide clarity for the industry and address any uncertainty regarding interpretation.
Cybersecurity risk management is another core focus of the Regulation. Brokers must develop effective governance practices. This includes dedicating skilled resources to identify risks, protect critical services against attacks, contain the impact of cyber security incidents, and restore services. A comprehensive cyber incident response plan must also be in place, enabling brokers to quickly isolate threats and restore services. This plan should outline procedures to respond to potential cyber threats, ensuring that brokers are prepared to respond swiftly and effectively.
These changes reflect the growing recognition of cyber security risks and the critical importance of protecting sensitive information. With cyber threats becoming more prevalent, particularly in the financial and insurance sectors, the Regulation addresses these risks by enforcing stricter data protection measures. By requiring brokers to maintain data within the UAE and implement comprehensive security protocols, the Regulation aims to enhance the resilience of the insurance industry against cyber threats and data breaches. This proactive approach is especially relevant considering the rising sophistication of cyberattacks and the need to protect both consumer information and the integrity of the broader UAE financial ecosystem.
Looking ahead, the industry can expect increased regulatory scrutiny and frequent updates to the framework as new technological and security challenges emerge. These changes are expected to not only boost consumer confidence but also enhance the stability of the UAE’s insurance market, ensuring that both brokers and policyholders are better protected in an increasingly digital world. Given the rising threats posed by cybercrime, these regulatory updates may set a precedent for tightening cybersecurity measures across the broader financial services sector.