Cyber risk continues to dominate the MENA landscape, with a mixture of financial incentives, geopolitical agendas and bilateral disputes[1] driving an increase in malicious and criminal cyber activity in the region. Yet despite growing dangers to businesses, there is still a large proportion of uninsured risk in the Gulf and North African regions, coupled with reinsurers’ inability to adequately assess risk and establish probable maximum loss.
This situation comes at a time when MENA’s SME ecosystem is becoming increasingly important to the future success of regional economies, from GCC and Gulf nations to fast-developing North African jurisdictions. Despite their growing importance – in the UAE, for example, 500,000 SMEs now employ close to half the country’s workforce[2][3] and make up approximately two-thirds of the nation’s non-oil GDP[4] – the reality is that small businesses are exposed to greater risk than large corporations through excessive complexity[5] and inherent resource constraints.
Elsewhere in the region, newsworthy hacks and data breaches continue to dominate the headlines, with recent evidence from the UN Office on Drugs and Crime suggesting that transnational cybercrime syndicates from Southeast Asia are scaling up cyberattacks on businesses across the African continent[6] and further afield.[7]
Although the threat to SMEs rarely makes the news bulletins, it represents a significant risk for a sector on which the success of so many economies depends.
Why are SMEs more exposed?
It is often argued that smaller businesses are more susceptible to attacks from cyber criminals because their protection is less effective, because they are less likely than larger organisations to have any protection at all, or because they see little risk of attack. Data from cybersecurity surveys reinforces the notion of a general under-appreciation of the risks involved for SMEs. The Association of British Insurers reports that many small businesses consider themselves “too small to present a target”[8], and yet it is estimated that 50% of all successful attacks target SMEs.
This is problematic for jurisdictions in the MENA region for many reasons. The UAE government, for example, plans to increase the number of SMEs in the country to around 1 million by 2030.[9] In North Africa, some countries have witnessed a staggering growth in entrepreneurship, with almost 100,000 new companies established in Morocco in 2023 alone[10], according to the Moroccan Office of Industrial and Commercial Property (OMPIC), and over 60,000 in Q1 2024.
As things stand, many businesses, if uninsured, may have no choice but to succumb to extortion after a ransomware attack or absorb the business-interruption costs of a hack, and yet SMEs in Morocco account for 96% of the private sector and are the country’s largest employers[11]. In the UAE, a significant proportion of its more than 200,000 digital assets[12] are thought to remain without adequate cybersecurity or cover.

Risk awareness and threat landscape: what has changed?
Risk awareness is beginning to grow across the region, not least because, as was widely reported in April, Morocco’s Ministry of Employment and its social-security database, the Caisse Nationale de Sécurité Sociale (CNSS), were compromised by Algerian hacktivists,[13] who then leaked sensitive but unverified financial data from a social-security fund responsible for pensions, insurance benefits and healthcare right across the private sector[14]. Whilst it is important to note that the CNSS has questioned the accuracy and authenticity of much of the leaked data[15], pointing to discrepancies between the records it holds and the information leaked, the data leak is alleged to have contained sensitive personal information relating to political parties and executives of state-owned companies, as well as individuals with ties to the pan-African charitable and investment fund[16], Al Mada. As if to underline the threat exposure to SMEs, Maroc PME, the very government agency dedicated to supporting SMEs, was also targeted, along with the General Treasury, the Ministry of Health and the Ministry of Economy[17].
Until recently, data regulation in Morocco has been policed by the Moroccan data protection authority, the Commission Nationale de Contrôle de Protection des Données à Caractère Personnel (CNDP), under rules and regulations established in 2003 and updated in 2009[18] and 2013[19]. However, the Moroccan government was already urgently reviewing the legal framework covering data breaches earlier in the year, before April’s hack[20], and recent legislative action will make reporting data breaches obligatory. This regulatory shift will further expedite demand for effective cyber-risk transfer and is likely to reinforce the need for well-structured SME coverage supported by robust risk analysis.

The JENOA view
In the MENA region and elsewhere, assessing clients’ cyber exposure remains a significant area of unknown risk for many brokers and reinsurers. A US survey, for example, revealed recently that a lack of real-time insights into cyber exposure, an inability to assess systemic loss and a certain opaqueness from clients about their security practices are the three principal areas of concern for brokers and reinsurers[21]. In other words, the ability to assess risk both before and after an incident is severely lacking, and therefore a comprehensive risk-mitigation strategy is punishingly difficult to establish. Consequently, adequately pricing cover remains a significant challenge.
According to Swiss Re Institute, there is still a high proportion of uninsured cyber risk, coupled with a lack of meaningful and sustainable cover. This is partly because it is hard to determine probable maximum loss (PML) in an immature cyber market. Within the SME sector, where opportunities for attack are made much greater by uninsured or under-insured risk among small businesses, the problem is further exacerbated by the fact that many SMEs do not consider cyberattacks a genuine threat to their operations. For cyber criminals, these businesses represent the low-hanging fruit.
The critical angle here for SMEs and governments is the propensity for cybercrime to disincentivise innovation and investment, something that would stifle entrepreneurship and have severe consequences for growing economies in the MENA region.
The need to drastically improve SMEs’ operational and cyber resilience comes hand in hand with growing commercial opportunities for reinsurers to help small businesses address protection gaps through much broader and deeper support for the sector.
What does this mean for MENA clients & how can JENOA help?
Given the immaturity of the cyber insurance market in many North African nations, JENOA is uniquely positioned to offer added value, not only in Morocco but across North Africa, the Gulf and further afield in the MENA region, beyond simply sourcing and structuring cyber cover for SMEs. JENOA will actively support insurers and brokers in conducting pre- and post-risk assessments as part of a comprehensive risk-mitigation strategy. This includes determining the probable maximum loss (PML), which JENOA considers a crucial element in building the meaningful and sustainable cover that the SME sector so desperately needs, and something that the market lacks.
These products will be fit for purpose and offer the affordable cyber, BI and DBI cover that the SME sector needs to fill current insurance gaps in an ever-evolving threat landscape.
With access to the Lloyd’s of London market and reinsurance hubs worldwide, we leverage conventional Lloyd’s capabilities and international reinsurance expertise to maximise opportunities in cyber, BI and DBI cover. JENOA gives clients a broader reach into markets in the MENA region as well as European and UK markets, where over 20% of global cyber cover is currently placed[22]. With rising SME demand for cyber insurance on the back of high-profile attacks, JENOA’s experience can help insurers establish a strong and attractive presence and a viable proposition in target markets for SME cyber cover.
Affordable cover to reduce SME risk
It becomes clearer by the day that carriers would do well to invest time and resources into assessing risk exposure with more in-depth client insights, something that would help SMEs achieve the comprehensive and affordable cover this sector so desperately needs to address protection gaps.
Key exposures can then be evaluated and priced, with a constant eye on probable maximum loss, whether in isolation or with digital assets forming systemic risk across the global IT supply chain. Pre- and post-risk assessments are crucial elements in successful risk-mitigation strategies, leading to more effective and affordable cyber-risk transfer.
[1] https://www.euronews.com/2025/04/10/hackers-breach-moroccos-social-security-database-in-unprecedented-cyberattack
[2] https://sme.ae/Uploads/Files/STATE_of_SMEs_in_Dubai_Presentation.pdf
[3] https://u.ae/en/information-and-services/business/small-and-medium-enterprises
[4] https://u.ae/en/information-and-services/business/small-and-medium-enterprises
[5] https://www.abi.org.uk/globalassets/files/publications/public/cyber/abicyberresilienceforsmestheinsurancegapexploredjan2025.pdf
[6] https://www.insurancejournal.com/news/international/2025/04/21/820577.htm
[7] https://www.insurancejournal.com/news/international/2025/04/21/820577.htm
[8] https://www.abi.org.uk/globalassets/files/publications/public/cyber/abicyberresilienceforsmestheinsurancegapexploredjan2025.pdf
[9] https://u.ae/en/information-and-services/business/small-and-medium-enterprises
[10] https://www.moroccoworldnews.com/2025/01/165781/tax-revenues-and-the-role-of-smes-in-moroccos-economic-transition
[11] https://www.moroccoworldnews.com/2025/01/165781/tax-revenues-and-the-role-of-smes-in-moroccos-economic-transition/#:~:text=In%202023%2C%20Morocco’s%20entrepreneurial%20ecosystem,real%20estate%2C%20and%20professional%20services.
[12] https://cpx.net/media/thbeuxk5/cpx-state-of-the-uae-report-2025.pdf
[13] https://www.euronews.com/2025/04/10/hackers-breach-moroccos-social-security-database-in-unprecedented-cyberattack
[14] https://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach
[15] https://www.linkedin.com/pulse/morocco-investigation-major-data-breach-allegedly-edm1c/
[16] https://www.euronews.com/2025/04/10/hackers-breach-moroccos-social-security-database-in-unprecedented-cyberattack
[17] https://www.euronews.com/2025/04/10/hackers-breach-moroccos-social-security-database-in-unprecedented-cyberattack
[18] https://www.dataguidance.com/jurisdictions/morocco
[19] https://mipa.institute/en/10778
[20] https://en.hespress.com/106929-morocco-strengthens-cybercrime-laws-to-protect-citizens-and-privacy.html
[21] https://cybersecurityventures.com/cybersecurity-almanac-2024/
[22] https://www.reuters.com/business/major-cyber-attack-could-cost-world-35-trillion-lloyds-london-2023-10-18/#:~:text=Over%2020%25%20of%20the%20world’s,the%20Lloyd’s%20market%2C%20Lloyd’s%20said.