1. Data Protection & Localization
Under the updated Insurance Brokers’ Regulation (effective 15 February 2025), CBUAE now mandates that:
- Personal data must be stored and maintained within the UAE, explicitly prohibiting cross-border storage.
- A secure backup of all personal data must also be maintained in a separate (and still UAE-located) facility for 10 years.
- Only necessary personal data may be collected and processed, in line with regulatory standards.
This reflects the growing emphasis on enhancing data sovereignty and strengthening privacy protections.
2. Cyber Risk Governance & Incident Preparedness
Insurance brokers are now required to:
- Implement robust cybersecurity risk governance, including dedicated skilled resources to anticipate, mitigate, and respond to cyber threats.
- Maintain a comprehensive cyber incident response and management plan that delineates procedures to swiftly respond to and remediate cyber threats, isolate attacks, and restore critical services.
These provisions elevate cyber risk from an operational concern to a board-level strategic imperative.
3. Internal Controls & Reporting Expectations
While not solely cybersecurity-specific, the updated requirements also intersect with tech controls:
- Insurance entities must submit Management Assessment Reports, authorized by the CEO and CFO, by 30 April 2025. These reports must cover the effectiveness of Internal Controls over Financial Reporting (ICFR).
- The Internal Audit function must assess the operating effectiveness of these ICFR frameworks, including IT general controls.
- From year ending 2025, public disclosures of audit opinions — covering control weaknesses and corrective actions — will be mandatory.
This brings cybersecurity considerations into the scope of financial and operational control transparency.
Why These Changes Matter
- Data Sovereignty & Resilience: Localizing data storage and backups strengthens data confidentiality and safeguards against global cyber risks or legal exposures.
- Preparedness & Strategic Oversight: Formalizing incident response plans and governance mechanisms elevates cyber resilience and operational continuity.
- Transparency & Accountability: Bringing cybersecurity into financial reporting and control frameworks ensures holistic oversight and clearer accountability.
Recommended Action Plan: What Insurers Should Do Now
Data Management
- Ensure all personal data and backups are stored within the UAE.
- Conduct regular audits to confirm compliance and data minimization.
Cybersecurity Governance
- Formally appoint skilled cyber risk personnel.
- Develop, test, and train on the cyber incident response plan.
- Integrate governance structures across board and executive levels.
Internal Controls & Reporting
- Align ICFR frameworks with COSO standards, especially covering IT General Controls (ITGCs).
- Prepare and submit the Management Assessment Report by 30 April 2025, with CEO/CFO sign-off.
- Ensure internal audit processes test control effectiveness and report to governance structures.
Culture & Awareness
- Raise staff awareness of data handling and cyber incident protocols.
- Embed cybersecurity considerations in vendor assessments and outsourcing decisions.