Article (16) Protection of Personal Data and Cyber Security

16.1

Insurance Brokers must have in place and maintain adequate policies and procedures to:

a. identify, prevent and resolve any data security breaches; and

b. protect Personal Data.

16.2

Personal Data must be stored and maintained in the State. The Brokers must also establish a safe and secure backup of all Personal Data in a separate location for the required period of retention of ten (10) years.

16.3

Insurance Brokers must comply with applicable regulatory requirements and standards on data protection. They must control, process and retain only Personal Data that is necessary for the provision of Insurance Brokerage services.

16.4

An Insurance Broker may disclose Clients' Personal Data to:

a. a third party, where the disclosure is made with the prior written consent of the Client or is required pursuant to applicable laws;

b. the Central Bank;

c. other regulatory authorities upon a request, following prior approval of the Central Bank;

d. courts of law in the State;

e. other governmental bodies which have lawfully authorized rights to access; and

f. Companies, the Emirates Insurance Federation and licensed practitioners of Insurance-Related Professions, in insurance-related matters, to the extent necessary for underwriting or Claim Settlement.

16.5

An Insurance Broker must adequately manage cyber security risks through its risk governance process. It must commit adequate skilled resources to ensure its capability to identify the risk, protect its critical services against attack, contain the impact of cyber security incidents and restore the affected services.

16.6

An Insurance Broker must establish a cyber incident response and management plan to swiftly isolate and neutralize a cyber threat and to resume affected services as soon as possible. The plan shall describe procedures to respond to plausible cyber threat scenarios.