Chapter Three: Website
Management of the Website
Article (7)
When managing the website, the Company shall comply with the following:
- The Company shall establish an IT department that shall be responsible for managing the official website.
- The Company shall obtain the Authority's prior approval before assigning the management of the website to any other party, and must verify the compliance of the contracting party with the provisions of the Regulations herein and related legislation.
- The Company shall appoint a Communication Officer with the organization to which the management of the website was outsourced. The Communication Officer's responsibilities shall include, but not be limited to, monitoring the contents of the website, responding to the enquiries and requests of customers, verifying that the other party is adhering to the outsourcing contract terms and conditions, and verifying the commitment and adherence of the other party to the Regulation hereunder and other related legislation.
- Companies and related professions shall regularly conduct tests for Illegal Access and assess vulnerabilities of the website or smart application to guarantee their soundness and to fill any potential gaps (if any).
- Comply with cyber security standards and requirements issued by the Competent Authorities to protect data, systems and networks.
- Take the necessary measures, adhere to the confidentiality of customer and visitor data, adhere to the laws related to privacy as soon as they are issued, and put in place the necessary technical measures to prevent the leak of customer or visitor data, whether such a leak happens intentionally or unintentionally.
Transparency and Disclosure
Article (8)
1- The Company or Related Profession shall directly provide all information necessary to enter into a contract through its website, including the following as a minimum:
- Name of the Company or Related Professions that owns the website or the smart application.
- A Declaration to show the website or smart application belongs to the Company that is carrying the risk or it is one of the insurance Related Professions. In the latter case, it is mandatory to declare the name of the company that is carrying the insured risks.
- The Company's or Related Profession's registration number with the Authority.
- Contact details through phone and by electronic means.
- An explanation on how to register a complaint so that procedures are clear.
2- The Company shall continuously update the data and information stipulated in Para (1) of this Article on its website or smart application.
Information Security and Integrity
Article (9)
1- The company shall maintain the confidentiality of the Electronic Information obtained through the website, and shall not disclose this information to any other party except by judicial or security order. Accordingly, the company shall establish the necessary procedures and controls to maintain the confidentiality of information.
2- The Company and Related Professions shall ensure the security and integrity of the information provided through its website, through applying the measures and criteria determined by the competent authorities in the state, including storing data inside the State and in the cloud.
3- The commitments of the Company and Related Professions, and of the persons responsible for them, to maintain the confidentiality of Electronic Information pursuant to this Regulation shall remain in force indefinitely.
4- The Company and Insurance-related Professions shall protect the confidentiality of personal data and shall not share it with third parties, except within the scope of the provisions specified in this resolution. Further, the Company and Insurance-related Professions shall not disturb customers when promoting products by SMS or frequent emails, unless the Customer has given prior approval.
5- Establish different levels of supervision and control of the electronic insurance operations carried out through its website as follows:
A. Application of the minimum security measures and procedures to prevent the alteration of content of the fixed information displayed on the website by unauthorized individuals.
B. Taking security measures and procedures to protect the shared Electronic Information with customers or visitors of the website from alteration, theft or illegal usage.
C. Application of measures and procedures and provision of the latest technologies and programs to ensure the security of the payment transactions carried out through the company's website, by using payment systems that are adopted and licensed by the Central Bank of the United Arab Emirates for paying the amounts of issuing or renewing the insurance policy.
6- The department responsible for the website shall supervise the design, implementation, follow-up and updating of the security system of the Company's website.
7- The Company and Insurance-Related Professions shall establish the necessary measures to deal with emergency cases or disasters. They shall also maintain backup copies of all data and Electronic Information displayed or obtained through their website and shall establish a clear mechanism for restoring the website systems in case of failure of one or more elements of the automated system of the website.
8- Insurance companies and Insurance-Related Professions shall take the necessary measures to prevent any viruses from accessing devices, networks, and databases through which the data of customers or visitors to the website may be leaked, whether intentionally or unintentionally. They shall also take the necessary measures to avoid using any storage tools, disks, software, or networks containing viruses, whether intentionally or unintentionally.
Duties of the Companies and Related Professions
Article (10)
The Company and Related Professions shall make sure of the following:
- Verify its website or smart application's capacity to expand and absorb any additions that may arise in the future, such as the capacity of the website to handle any increase in the number of users, and the absorption of additional electronic insurance operations resulting from selling insurance policies or receiving claims and handling complaints.
- The website or smart application shall be made available for use on a 24-hour basis throughout the year, and the department responsible for the website shall supervise and ensure this. In the event that the website is subject to maintenance, the responsible department shall ensure that the maintenance period does not exceed one working day as a maximum. In case of failure to complete maintenance operations during this period, the company shall notify the Authority in writing of the reasons that led to the website failure and determine the expected period of time to reboot the website.
- Ensure that the electronic content on the website does not fall under any of the prohibited content categories.
- Ensure that the website does not violate any laws, regulations and legislation in force in the UAE.
- Ensure the collection and processing of the sensitive data of users in a secure manner (including using SSL techniques / encryption to prevent illegal collection of usernames, credit card information and bank information).
- Ensure that servers and website systems are secure, use antivirus and anti-malware software, and perform security audits according to the best practices of management and operations.
Pre-contract Phase
Article (11)
- The Company shall illustrate its website with a description of the nature of the products that the company sells and markets electronically, and with self-assessment tools which enable the Insurance Proposer to assess his insurance needs, and eventually enable him to make an informed decision to conclude the contract.
- The Company is committed to draw the attention of the Insurance Proposer to the following information in a timely manner during the purchase process and before concluding the contract:
- Nature of the product countering the insurance risk.
- Main benefits of the product.
- Options of the insurance product and the insurance coverage.
- Exclusions of coverage and restriction of the product.
- If there are waiting periods for specific covers.
- Total premiums, VAT and any other expenses, in an accurate and clear manner.
- Warning the Insurance Proposer of the consequences of providing incorrect data and information.
- Showing the outcome of cancelling the contract, in particular the manner premium refunds are calculated.
- Informing the Insurance Proposer about the importance of acquiring insurance consultancy from a licensed and registered Insurance Consultant.
Declarations of the Insurance Proposer
Article (12)
The Company, through its website, is committed to using a "step by step" approach for the disclosure of essential individual information (rather than providing information in full) to ensure that the Insurance Proposer acknowledges and signs the same, that he has read the essential information related to the insurance application, and that he comprehends and understands the legal consequences of his declaration.
Outsourcing of Electronic Insurance Operations
Article (13)
- The Company and Insurance-Related Professions, after satisfying the procedures set forth in the Regulations herein, when outsourcing the electronic insurance operations to another party, outsourcing the development, management or maintenance of their website, or outsourcing any other operations related to their website, shall include a special provision in the Outsourcing Contract under which the other party commits to apply the provisions of the Regulations herein, the code of professional practice issued by the Insurance Authority, and other related legislation. The Company and Insurance-Related Professions shall remain accountable to the IA.
- It is permissible to execute contracts through electronic automated means, including two or more electronic information systems that are prepared and programmed to do so in advance. The contracting shall be valid and have legal grounds, even if there was no direct personal intervention in the process of executing the contract between these systems.
- It is permissible to enter into a contract through an electronic automated system in the possession of a Company and Related Professions and other party, provided the other party knows or is expected to know that the system will automatically handle entering and executing the contract.
- The Company and Related Professions, that wish to sell their insurance products through a website owned by other party licensed for this purpose, shall obtain the prior approval of the Insurance Authority. The Company and Related Professions shall verify that the website of the other party meets the following conditions:
- If the other party's website is used to sell the insurance products of other companies, each insurance product must be clearly linked to the company providing it.
- The website shall include all the information and data that need to be disclosed by the company, such as the Company name, address, license status, classes of insurance activities, and channels of communication with the Company.
- The Website of the other party shall clarify the role of this party, its obligations towards customers such as the insured and whether this party is a broker or insurance agent licensed by the Insurance Authority or any other authority.
Advertising and Marketing
Article (14)
The Company and Insurance-Related Professions, or the party outsourced to perform the business related to the company's website, shall, when conducting advertisement and promotion of the electronic operations, comply with the provisions of the code of professional practice and must obtain the prior written approval of the Insurance Authority.