BOSWAU + KNAUER
Combined Cyber-Physical Insurance in the Gulf: A 2026 Market Survey

AXA Gulf, AIG MENA, regional reinsurance. Which carriers actually underwrite combined risk in the region.

Dr. Raphael Nagel

August 10, 2025

Combined cyber-physical cover, as the term is used by brokers in Dubai, Riyadh and Doha, almost never refers to a single policy that responds to a single event across both domains. It refers to a stack of contracts, sometimes from the same carrier, sometimes from three, arranged in a way that closes the seam between property damage and digital intrusion. The seam itself is where the loss sits.

The Gulf market in 2026 reflects a particular history. Property and engineering cover has been written here for decades, on London and Munich paper, with strong local reinsurance participation through companies such as Hannover Re Bahrain and Trust Re. Cyber cover, by contrast, arrived late, was treated as a specialty line, and was for a long period priced more by analogy to European books than by reference to regional loss data. When industrial control system incidents began producing claims that did not fit either category cleanly, the carriers responded slowly. The product gap is now being closed, but unevenly, and the operator buying cover today needs to understand who is actually writing what.

The structure of the Gulf insurance market

The GCC insurance landscape is dominated, on the commercial side, by a small number of multinational carriers operating through local entities or DIFC and ADGM branches, paired with regional players whose books have grown alongside the construction and energy cycles of the past two decades. AXA Gulf, after the partial reorganisation that followed the GIG acquisition, continues to write substantial property and engineering volumes across the UAE, Bahrain, Oman and Qatar. AIG operates through AIG MENA out of the DIFC and writes both property and cyber on the same paper for the right risks. Chubb, Zurich, Allianz and Marsh-fronted Lloyd's syndicates compete for the larger industrial accounts. On the regional side, Oman Insurance Company (now operating as Sukoon), Abu Dhabi National Insurance Company, Qatar Insurance Company and, for medical lines, Bupa Arabia together hold the majority of premium volume in their home markets.

Reinsurance is concentrated. Munich Re, Swiss Re, SCOR, Hannover Re and the Lloyd's market underwrite the back end of almost every large policy issued in the region. This matters for the operator because the terms of the reinsurance treaty often dictate what the fronting carrier can offer. A local insurer may be willing to write a combined cyber-physical wording, but only within the limits its treaty permits. When the treaty excludes cyber-triggered property damage, the local carrier cannot grant it, regardless of relationship. The conversation that produces a workable contract therefore involves four parties: the operator, the broker, the local carrier and, at least in spirit, the reinsurer behind them.

The regulatory layer adds a further constraint. The UAE Insurance Authority, now folded into the Central Bank, the Saudi Central Bank acting through SAMA, and the Qatar Financial Centre Regulatory Authority each impose solvency, conduct and disclosure requirements that shape how carriers position cyber and combined products. SAMA in particular has issued cybersecurity framework guidance that touches on insurance practice indirectly, by raising expectations about what insured entities should themselves be doing. Carriers reflect those expectations in their underwriting questionnaires. An operator who cannot demonstrate alignment with the SAMA Cybersecurity Framework, or with comparable expectations in other jurisdictions, will see that reflected in pricing or in declination.

What carriers actually underwrite

The honest answer, as of early 2026, is that a small number of carriers in the GCC will entertain a genuinely combined wording on a primary basis, and a larger number will assemble equivalent cover through coordinated policies on a programme basis. AIG MENA has been the most consistent in writing cyber and property on aligned wordings for the same insured, with the cyber policy responding to first-party digital losses and the property policy modified by endorsement to remove the standard cyber exclusion where the loss is triggered by a covered cyber event. The endorsement is not automatic. It is negotiated, it is priced separately, and it depends on the underwriter's view of the insured's industrial control system architecture.

Chubb operates a similar model in the region, drawing on its global cyber-physical loss data and on its experience writing operational technology risks in North American utilities and manufacturers. Zurich has positioned itself around the larger energy and petrochemical accounts, where its engineering underwriters have long-standing relationships and where the conversation about cyber-physical exposure is already part of the renewal cycle. Allianz Global Corporate and Specialty, through its DIFC presence, writes complex programmes for multinational insureds with Gulf operations, often as part of a global master programme with local fronting.

AXA Gulf, now in its post-merger configuration, writes substantial property and engineering volume but treats cyber primarily as a specialty line written on separate paper. Combined cover, where it exists in the AXA book, is constructed through coordinated wordings rather than through a single contract. The result is comparable in claims practice, provided the broker has done the work to align triggers, exclusions and notification timelines across the two policies. Where that work has not been done, the operator discovers the gap at claim time, which is the worst time to discover it.

On the regional side, ADNIC, GIG, Sukoon and QIC have all written cyber as a standalone product for several years. Their willingness to extend into combined territory varies. ADNIC has been the most active, particularly for UAE-based industrial insureds, and has built underwriting capacity that can take meaningful retention before reinsurance. QIC has been more cautious, reflecting its broader strategic repositioning. The Saudi market, dominated by Tawuniya, Walaa and Bupa Arabia on the medical side, is in a different phase. Cyber product availability has expanded, but combined cyber-physical writing on local paper remains rare, and most Saudi industrial buyers seeking such cover obtain it through DIFC or ADGM branches of international carriers, with the local programme written for compliance and ceding purposes.

What combined cover actually means in the wording

The word combined invites confusion. In its strictest sense, a combined cyber-physical policy is a single contract that responds to physical damage to insured property, business interruption following such damage, and digital losses including data restoration, extortion payments where lawful, incident response costs and third-party liability arising from data breaches, when any of these are triggered by a single covered event or by a chain of events with a common origin. Few policies in the Gulf market meet that definition strictly. Most achieve the same economic outcome through one of three structures.

The first structure is the property policy with an affirmative cyber endorsement. The base policy responds to traditional perils, and the endorsement extends the cover to physical damage and business interruption arising from a malicious cyber event affecting operational technology. This structure is the one favoured by carriers with strong property books and developing cyber capability. The advantage is that the engineering underwriter retains control of the risk. The disadvantage is that the endorsement often contains sub-limits that are lower than the underlying property limit, and that the cyber-specific elements such as incident response and forensic costs may not be included.

The second structure is the cyber policy with a property damage extension. The base policy responds to data breaches, extortion, business interruption from network outages and third-party liability. The extension adds cover for physical damage to the insured's property when that damage results from a covered cyber event. This structure is favoured by carriers with strong cyber books, and the sub-limits on property damage are typically modest relative to a standalone property policy. It works for operators whose physical loss potential from a cyber event is bounded.

The third structure is the parallel programme, with separate property and cyber policies written to align in trigger language, notification timelines and claims-handling protocol. Done well, this structure can deliver outcomes equivalent to a single policy. Done poorly, it produces gaps and overlaps that surface as coverage disputes. The quality of the broker's work is decisive. Marsh, Aon and WTW operate substantial Gulf practices and have the capacity to do this work. Smaller brokers vary widely.

The wording matters more than the structure. The IEC 62443 framework provides a vocabulary that increasingly appears in underwriting submissions and in policy schedules, particularly for industrial control system risks. Where the policy refers to security zones and conduits in the sense of IEC 62443, and where the insured's architecture is documented in those terms, the negotiation becomes precise. Where the policy refers only to generic categories such as cyber event or computer system, the negotiation tends to be loose, and the loose terms favour the carrier at claim time.

How the market prices the risk

Pricing for combined cyber-physical cover in the GCC reflects three inputs in roughly equal weight. The first is the loss experience of the individual insured and of its peer group. The second is the carrier's view of the insured's technical controls, derived from underwriting questionnaires, third-party assessments and, increasingly, direct inspection. The third is the prevailing reinsurance treaty terms, which set the floor below which the carrier cannot price regardless of merit.

Loss experience in the region remains thin, in the sense that the number of disclosed cyber-physical incidents in the GCC is small, but the severity of disclosed events has been sufficient to inform pricing. Carriers also draw on global loss data, particularly from North American utility and manufacturing books, and apply judgmental adjustments for the regional risk environment. The judgmental adjustments are not always articulated, and they are not always consistent across carriers, which is why the same risk can produce widely different quotes.

Technical controls are assessed against frameworks that vary by carrier. The NIST Cybersecurity Framework version 2.0, ISO 27001, IEC 62443 and the SAMA Cybersecurity Framework all appear in underwriting practice. The carrier is not asking the insured to be certified to all of these. The carrier is asking the insured to demonstrate that its controls map to a recognised framework in a way that allows the underwriter to form a view. An operator who can produce a current ISO 27001 certificate, an IEC 62443 zone and conduit diagram, and evidence of network segmentation between IT and OT environments will price meaningfully below a peer who cannot. The CISA guidance on operational technology defence, while not regulatory in the Gulf, is increasingly referenced in underwriting conversations because it provides a clear standard for what the carrier expects to see.

The reinsurance treaty terms shape the upper end of the market. When global reinsurers tightened cyber capacity in 2022 and 2023, Gulf primary pricing rose sharply. The subsequent stabilisation, with new capacity entering from Bermuda and from select Lloyd's syndicates, has eased the pressure but has not returned pricing to pre-2022 levels. Combined cover, because it consumes both cyber and property capacity, prices at a premium to standalone cyber for the same limit, often in the range of fifteen to thirty percent depending on the insured's industrial profile.

When the cover makes economic sense

Combined cyber-physical cover does not make sense for every Gulf operator. For office-based businesses with no operational technology exposure, a standalone cyber policy is sufficient. For traditional property exposures with no meaningful network dependency, the standard property policy with its cyber exclusion is acceptable. The case for combined cover arises where physical assets depend on networked control systems whose compromise could produce physical damage or extended business interruption.

The clearest cases are in energy, petrochemicals, water and power utilities, port and airport operations, and large logistics and manufacturing sites. In each of these, the connection between digital integrity and physical operation is direct and the loss potential from a malicious cyber event includes both data and equipment. The book by Boswau and Knauer titled BOSWAU + KNAUER. From Building to Security Technology develops this argument at length in its treatment of industry and logistics customers, observing that the economic logic of security investment is not the avoidance of the single spectacular incident but the suppression of the recurring losses that accumulate in the unmonitored gap between IT and OT.

The decision to buy combined cover is therefore a decision about where the operator's loss potential actually sits. An audit, conducted with reference to a recognised framework such as NIST SP 800-53 or IEC 62443, produces the inventory of cyber-physical exposures that allows the insurance question to be answered with numbers rather than with intuition. Without that inventory, the operator buys cover that may or may not match the risk. With it, the conversation with the broker and the underwriter becomes structured, and the resulting policy reflects the actual exposure rather than a generic profile.

ASIS International and the GDV, the German insurance association, have both published guidance on the relationship between physical security standards and insurance terms. The guidance is not binding in the Gulf, but it informs how reinsurers think, and what they think eventually arrives in the primary wordings. An operator who is aligned with such guidance enters the underwriting conversation in a stronger position.

What holds

Combined cyber-physical insurance in the GCC is available, but it is not uniform. The buyer who treats it as a commodity will receive a commodity product, which is to say a product whose limits and exclusions do not match the buyer's actual exposure. The buyer who treats it as a structured negotiation, supported by a current technical assessment and a broker capable of aligning terms across carriers, will receive cover that responds when it is needed.

The right preparation begins before the broker is engaged. An operator who can present a documented control environment, mapped to a recognised framework, with evidence of segmentation, monitoring and tested incident response, will price below peers who cannot, and will obtain wording that closes the seam between physical and digital loss. The operator who arrives at renewal without that preparation will pay more for less, or will be declined.

For operators in the Gulf considering this question seriously, the practical next step is a structured assessment of the cyber-physical exposure across the portfolio, conducted in three to five days, producing the documentation that the underwriting conversation requires. That is Path II in the framework set out at the end of the book referenced above. For operators not yet ready for that step, a sixty-minute confidential conversation, Path I, is the place where the question becomes clear enough to act on.

Frequently asked questions

Which Gulf carriers offer this?

As of early 2026, AIG MENA, Chubb, Zurich and Allianz Global Corporate and Specialty write combined or aligned cyber-physical cover on a primary basis for industrial accounts in the region, typically through their DIFC or ADGM branches. AXA Gulf writes coordinated programmes through separate wordings. On the regional side, ADNIC has been the most active in extending into combined territory, with Sukoon and QIC writing standalone cyber and entertaining combined cover on a case basis. Saudi industrial buyers usually obtain combined cover through international carriers with local fronting arrangements.

What does combined cover mean?

Combined cover means a contractual structure under which a single covered event, originating in a cyber intrusion or system compromise, can trigger payment for both digital losses, such as data restoration and incident response, and physical losses, such as property damage and business interruption from equipment failure. The structure may be a single policy with appropriate endorsements, a primary policy with an extension into the other domain, or a parallel programme of aligned policies. What matters is that the seam between cyber and property is closed in the wording, not left to be argued at claim time.

How is it priced?

Pricing reflects loss experience, technical controls and reinsurance treaty terms. For an industrial insured in the GCC with sound controls aligned to IEC 62443 or NIST CSF 2.0, combined cover typically prices at a premium of fifteen to thirty percent above standalone cyber for the same limit, with property elements priced on the underlying engineering profile. Insureds without documented controls, without network segmentation between IT and OT, or without tested incident response capability will see higher loadings or sub-limits that constrain the cover. Pricing has stabilised since 2024 but remains above the levels seen before the reinsurance capacity contraction of 2022 and 2023.

When does it make sense?

Combined cover makes economic sense where physical operations depend on networked control systems whose compromise could produce equipment damage or extended interruption. Energy, petrochemicals, utilities, port and airport operations, and large logistics and manufacturing sites are the clearest cases. For office-based businesses without operational technology, standalone cyber cover suffices. The decision should follow a structured assessment of the cyber-physical exposure, not a generic risk perception. Without that assessment, the buyer pays for cover that may not match the actual risk, and the gap appears at claim time, when adjustment is no longer possible.

About the author

Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com
