What GCC Insurers Must Do Now: Cybersecurity Compliance in the Era of Dual Regulation

India just overhauled its insurance cyber rules. GCC regulators already moved first. Here is what CBUAE and SAMA now require from every insurer operating in the Gulf — and what the penalties look like for non-compliance.

Layla Haddad
Cyber Policy & Digital Risk Correspondent7 min read
GCC insurance sector cybersecurity compliance under CBUAE and SAMA frameworks in 2026

GCC insurance sector cybersecurity compliance under CBUAE and SAMA frameworks in 2026

When India's insurance regulator IRDAI issued its revised Information and Cyber Security Guidelines in April 2026, replacing a framework from 2023, it joined a global wave of regulators tightening their grip on the insurance sector's digital defences. But for insurers operating across the Gulf Cooperation Council, the regulatory signal had already arrived — and the compliance clock is already running.

The GCC's two most consequential insurance cybersecurity frameworks — Saudi Arabia's SAMA Cybersecurity Framework and the UAE's newly consolidated CBUAE regulatory architecture — are not future considerations. They are current, binding obligations with real financial penalties for organisations that fall short.

This analysis breaks down what each framework demands, how they interact, and what GCC insurance executives need to prioritise before their next regulatory review.

The Stakes: Why Insurers Are in the Crosshairs

The financial services sector, including insurance, consistently ranks among the most targeted industries for cyberattacks globally. According to IBM, the average cost of a data breach in financial and insurance-based institutions has crossed USD 4.88 million. In the GCC specifically, cybercrime is estimated to cost regional businesses over $30 billion annually as of 2025, with the financial services sector remaining the largest segment of cyber insurance demand.

The threat profile for insurers is particularly acute. Insurance companies hold highly sensitive policyholder data — health records, property assessments, financial disclosures — making them attractive targets for both financially motivated ransomware groups and state-sponsored actors. In the first half of 2025, data exfiltration featured in 40% of large cyber claims globally, up from 25% in 2024, with attack-driven losses involving data theft more than double those without it.

For GCC insurers whose digital transformation programmes have accelerated rapidly under Vision 2030 and the UAE Digital Government Strategy, this expanding attack surface demands more than good intentions — it demands regulatory compliance backed by enforceable architecture. The UAE cyber threat landscape, including a 32% surge in ransomware and business email compromise, provides critical context for the operational environment these frameworks are designed to address.

Saudi Arabia: The SAMA Cybersecurity Framework

The Saudi Central Bank (SAMA) Cybersecurity Framework is the primary binding instrument for insurers operating in the Kingdom. The framework applies to insurance and reinsurance companies, which handle customer data and financial information, making them prime targets for cyber threats.

The framework is not optional — it is mandatory for all SAMA-regulated entities, with compliance enforced through periodic supervisory reviews, self-assessments, and onsite SAMA inspection visits.

What the framework requires:

The SAMA Cybersecurity Framework is organised around key domains including Cybersecurity Governance, Risk Management, Asset Management, Access Control, Operations Security, and Incident Management. Each domain is assessed against a six-level maturity model, with insurance companies required to achieve at least Maturity Level 3 as a minimum baseline.

Regulated insurance entities must first conduct an in-depth and accurate assessment of their current cybersecurity status compared against the framework's requirements to identify weaknesses. They must then develop a business plan to meet all requirements of Maturity Level 3 as a minimum.

Board accountability is non-negotiable:

SAMA's governance requirements are substantive. The board must be actively engaged with cybersecurity — receiving reports, approving policy, and overseeing the CISO function. Institutions where cybersecurity is entirely delegated below executive level without board visibility will fail this domain regardless of their technical controls.

The penalty exposure:

Financial fines under SAMA reach SAR 5 million per breach, alongside operational restrictions such as service suspensions. Severe cases can lead to licence revocation, public disclosures, and executive liability under Saudi cyber laws. In 2025, SAMA levied over SAR 20 million in penalties across more than 50 violations.

A critical but often overlooked dimension: SAMA updates its framework annually, with 2026 cloud and AI revisions pending. Static compliance policies become obsolete during mid-project execution. Insurance CISOs must treat SAMA compliance as a continuous programme, not a point-in-time certification exercise. Saudi Arabia's evolving digital regulatory environment — including annual SAMA framework updates and NCA circulars — demands continuous monitoring as a baseline operational requirement for compliance teams.

UAE: The CBUAE Consolidated Framework

The UAE's regulatory landscape for insurance cybersecurity underwent its most significant structural change in decades when Federal Decree-Law No. 6 of 2025 came into effect on 16 September 2025. The new CBUAE Law consolidates regulation of banks, payment providers, and insurers under a single framework and introduces new licensing requirements for enabling technology providers.

Entities whose activities are newly captured under the law have until 16 September 2026 to regularise their licensing and compliance — a deadline that is now months away.

What changed for insurers specifically:

The reform consolidates banking and insurance oversight within a single statute, widens the licensing perimeter to capture emerging technologies, and introduces explicit consumer protection measures around fraud and cybersecurity. Notably, the 2025 Law extends the regulatory perimeter to insurtech and technology service providers that facilitate insurance activities, requiring them to hold CBUAE authorisation regardless of the medium or platform used.

The UAE Central Bank's directive requires all insurance companies to overhaul their cybersecurity and data protection systems, moving away from outdated legacy systems and building security into the very foundation of their operations.

The penalty ceiling under the new law is stark: maximum administrative fines have increased to AED 1 billion for institutions.

Operating in Both Jurisdictions: The Dual Compliance Challenge

Many large GCC insurers — particularly those with operations in both Riyadh and Dubai — face the challenge of satisfying two distinct but overlapping regulatory frameworks simultaneously.

For entities operating in both Saudi Arabia and the UAE, the UAE has a parallel framework — NESA (National Electronic Security Authority) — which applies to critical infrastructure sectors including financial services. The Saudi NCA's ECC-2 framework, issued in 2024, aligns with SAMA in both philosophy and structure, making dual compliance not just efficient but essential for organisations in the financial sector.

The practical implication is that a unified compliance programme must be mapped against SAMA's maturity model, CBUAE's consolidated law requirements, NESA's information assurance standards, and — for entities in DIFC or ADGM — the respective DFSA and FSRA frameworks.

What Insurance CISOs Should Prioritise in 2026

Based on the current regulatory requirements across both major GCC jurisdictions, the following areas demand immediate attention:

1. Gap Assessment Before Anything Else Both SAMA and CBUAE frameworks require a formal gap assessment as the starting point. Institutions that begin implementing controls without a gap assessment frequently over-invest in areas already at Level 3 and under-invest in areas with the largest gaps. Engage a qualified assessor familiar with both frameworks before committing budget to technical controls.

2. Board-Level Cybersecurity Governance Both SAMA and CBUAE require active board involvement — not delegation. Insurance boards should receive quarterly cybersecurity reporting, approve the cybersecurity strategy, and have visibility of CISO-level risk assessments.

3. Third-Party and Insurtech Vendor Risk The extension of CBUAE's licensing requirements to technology service providers means that vendor risk management is now a regulatory obligation. All third-party technology partners must be assessed against compliance requirements. A recent US government review found that a major cloud vendor's security documentation left evaluators unable to verify the product's actual security posture — a concrete illustration of why vendor due diligence cannot be delegated to certification alone.

4. Incident Response Architecture Both frameworks require documented, tested incident response capabilities. Detection and response capabilities can reduce claim costs by a factor of 1,000, making investment in this area carry both regulatory and commercial return.

5. Continuous Compliance Monitoring SAMA's framework updates annually. CBUAE is actively issuing implementing regulations under the new 2025 law. Static compliance is structurally inadequate — ongoing monitoring of regulatory circulars is a baseline operational requirement.

The Broader Signal: Global Regulators Are Converging

India's IRDAI 2026 update, Europe's DORA framework, and the GCC's own regulatory evolution reflect a global consensus that the insurance sector's cybersecurity obligations must be explicit, enforceable, and periodically reviewed. For GCC insurers, the opportunity is as real as the obligation. Organisations that build genuine cybersecurity maturity will be positioned to underwrite cyber risk products with credibility, attract institutional clients with rigorous vendor standards, and avoid the reputational and financial consequences of a breach under regulatory spotlight.

The window for preparation under the CBUAE's transitional period closes in September 2026. The time to act is now.

Layla Haddad

Cyber Policy & Digital Risk Correspondent

Layla Haddad covers cybersecurity regulations, data protection laws, and digital transformation initiatives across GCC and North Africa. She has worked closely with compliance teams, fintech startups, and government advisory groups. Her articles explore how cyber policy, AI governance, and privacy frameworks shape the region’s digital future.

Intelligence Focus Areas

GCC Compliance HubFinancial Sector CybersecurityRegulatory Analysis - GCCInsurance & Cyber Risk