Understanding SAMA’s Cyber Security Framework 

Due to the increasing ubiquity of cyber-attacks, the financial sector of Saudi Arabia has realised the need to strengthen its defences or risk untold losses. As a result, the Saudi Arabian Monetary Authority set about creating the SAMA Cyber Security Framework. This guide will walk you through what the framework involves, and the central pillars it involves: Common Approach, Maturity Level Enhancement and Effective Risk Management.  

SAMA Cyber Security Framework Requirements  

The SAMA Cyber Security Framework applies to all Member Organisations regulated by SAMA, covering: 

• All banks operating in Saudi Arabia  
• All insurance/reinsurance companies in Saudi Arabia  
• All Financing Companies in Saudi Arabia  
• Credit Bureaus in Saudi Arabia  
• The Financial Market Infrastructure  

 Although all domains apply to the banking sector, exceptions exist for other financial institutions, including specific mandates and exclusions for certain sub-domains. 

SAMA also applies to third–party services that Member Organisations rely on (information services providers, outsourcing providers, cloud computing providers, vendors, suppliers, governmental agencies, etc.) 

Key Components of SAMA’s Requirements 

Adhering to the Saudi Arabian Monetary Authority’s Cyber Security Framework (SAMA CSF) is crucial for businesses in Saudi Arabia due to several compelling reasons.  

Some of those reasons include the following: 

• Cyber Threat Protection: The SAMA Cyber Security Framework serves as a robust defence against the evolving landscape of cyber threats, ensuring businesses can safeguard sensitive data and critical operations. 
• Global Standards Alignment: Compliance with the CSF aligns businesses with international cyber security standards, including NIST, ISF, ISO, BASEL, and PCI, enhancing their cybersecurity posture and global standing. 
• Information Assets Protection: The CSF emphasises the protection of information assets and online services, critical components for businesses in the digital age. 
• Effective Risk Management: By adhering to the CSF, businesses actively engage in effective risk management, enhancing their ability to identify, assess, and mitigate cyber security risks. 
• Resilience of the Financial Sector: Compliance contributes to the overall resilience of the Saudi financial sector, fostering a secure environment for businesses to operate and thrive. 
• Customer and Stakeholder Confidence: Aligning with the CSF demonstrates a commitment to cyber security, instilling confidence in customers, partners, and stakeholders. 

SAMA Cybersecurity Checklist and Compliance Guidelines  

SAMA conducts periodic reviews to assess the framework’s effectiveness and address emerging cyber security threats. Member Organisations can request updates, subject to SAMA’s approval. Version control ensures clarity, with retired versions replaced by updated ones, communicated transparently to all Member Organisations. 

SAMA Cyber Security Framework Structure 

The framework is organised into four core domains, specifically: 

• Cyber Security Leadership and Governance. 
• Cyber Security Risk Management and Compliance. 
• Cyber Security Operations and Technology. 
• Third-Party Cyber Security. 

In each of these areas, there are smaller subdomains that focus on specific cybersecurity topics. For each subdomain, the framework spells out a principle, objective, and control considerations: 

• The principle covers the most important cyber security steps for that subdomain. 
• The objective explains what the principle aims to achieve. 
• Control considerations list the must-do cyber security steps, each with its unique number. Some of these lists can go up to four levels deep. 

The Framework is principle-based, also referred to as risk-based. This means that it prescribes key cyber security principles and objectives to be embedded and achieved by the Member Organisation. The list of mandated control considerations provides additional direction and should be considered by the Member Organisation in achieving the objectives. When a certain control consideration cannot be tailored or implemented, the Member Organisation should consider applying compensating controls, pursuing an internal risk acceptance and requesting a formal waiver from SAMA. 

The implementation of the Framework at the Member Organisation will be subject to a periodic self-assessment. The self-assessment will be performed by the Member Organisation based on a questionnaire.  

The self-assessments will be reviewed and audited by SAMA to determine the level of compliance with the Framework and the cyber security maturity level of the Member Organisation. 

 The evaluation of cyber security maturity will rely on a predefined model detailing six maturity levels (ranging from 0 to 5). 

Benefits of Implementing SAMA in Saudi Arabia 

• Global Reputation 
• Overall Resilience 
• Effective Risk Management 

Conclusion 

In conclusion, the implementation of the SAMA Cyber Security Framework marks a significant step forward in fortifying the financial sector against the ever-present threat of cyber incursions.  

It is not only a testament to the Saudi Arabian Monetary Authority’s proactive stance but also serves as a model for other sectors striving to protect their digital assets. By incorporating international standards, emphasising information asset protection, and instigating robust risk management protocols, the Framework ensures that all Member Organisations within the Saudi financial system can navigate the complexities of the cyber defence with greater assurance. Moreover, compliance conveys confidence, reassuring stakeholders, partners and customers alike of the security measures in place. 

Schedule a complimentary session to evaluate your organisation’s current standing against the SAMA Cyber Security Framework.