Many UAE companies remain “critically vulnerable” to cyber-attacks and also face the added threat of falling foul of the General Data Protection Regulation (GDPR) which took effect this year, according to insurance firm AIG.
Since May this year, local companies which do business in Europe (or have dealings with European nationals) are required to comply with GDPR, which mandates organisations to report any kind of breach to the authorities within 72 hours of being aware of it.
But many companies in the country fail to “maintain basic cyber-hygiene practices”, and if their cyber-security is not compliant, they could face significant fines, according to Alexander Blom, head of Broker and Client Management at AIG MEA.
AIG said it has received more than 150 cyber insurance queries in the UAE in the past two years.
But while market awareness of cyber threats is improving, the company said it “frequently comes across businesses with poor governance and controls in place”.
The UAE “ranks high for cyber-attack exposure” since the proliferation of attacks and vulnerability-exploitation tools has helped create an ecosystem that caters to both petty criminals and organised crime entities, AIG said.
The company said its claims reveal ransomware to be the biggest single threat, followed by phishing, data leakage and hacking.
“Cyber-attackers today have a very low entry barrier into this ‘market’, because the tools needed to cause maximum disruption are readily available and do not require in-depth technical knowledge,” said Blom.
“In addition, data vulnerabilities can now be exploited at an incredibly fast pace – what once might have taken months can now be achieved in a matter of hours.
“In the context of this cyber environment, it is vital that businesses comply with data protection rules. Not only will this minimise the risk of attack, it will also safeguard them against the impact of the European Union’s GDPR regulations.”
He added: “If applicable UAE companies suffer a data breach and are found not to be compliant with the regulation, they could face a fine of €20m ($23m) or 4 per cent of their total worldwide annual turnover.”
AIG shared five key cyber-risk management strategies businesses in the UAE should adopt to help reduce the threat:
1) The final responsibility for all cyber risks resides with the business executives and the board, and yet far too often this layer of management is the least knowledgeable. The people leading the company must take time to understand cyber-risk better.
2) Cyber-risks are business risks. It is therefore recommended that companies have a clearly identified chief information security officer with sufficient budget and personnel to accomplish the job, and ideally with a direct reporting line to the CEO and/or active membership in the executive team.
3) More than 80 per cent of all threats in cyber space can be mitigated by doing a few things “right”. That includes timely patching, close control over user accesses and asset control, which can prevent enterprises from becoming a random victim of widespread attacks coming from the internet.
4) Attackers are always at the forefront of finding new ways to achieve their objective. It is therefore key that enterprises react and adapt quickly to new threats. Individual excellence in security operations, as well as collaboration with peers, is an important success factor.
5) Cyber-risks, like all business-related risks, need to be analysed in the context of the actual business. It is key to understand the impact a cyber incident, such as business interruption or a denial-of-service attack, can have on the value generation of the business, and what costs are associated with a data breach. Additionally, the impact on reputation, or of stolen information in the case of industrial espionage, is an important cyber risk.