Cyber Security Framework
No: 381000091275
Foreword
In view of the ever-growing seriousness of cyber-attacks, we are conscious of the need to stay one step ahead. The issuance of a Cyber Security Framework ("CSF") seeks to support our regulated entities in their efforts to establish appropriate cyber security governance and to build a robust infrastructure along with the necessary detective and preventive controls. The Framework articulates appropriate controls and provides guidance on how to assess the maturity level.
The adoption and implementation of the Framework is a vital step in ensuring that the Saudi Arabian banking, insurance and financing company sectors can manage and withstand cyber security threats. In designing the Framework, we have considered the ways in which our regulated entities are leveraging technology and concluded that each entity will be able to adopt a common approach to addressing cyber security. This will ensure that cyber security risks are properly managed throughout the sectors.
Financing Companies must implement the Cyber Security Framework as follows:
First: Conduct an in-depth and accurate assessment of the current status of cyber security at the financial institution. This should be compared against the requirements stated within the CSF to identify weaknesses and assess the level of maturity as described within the CSF under the definition of "Maturity Level".
Second: Develop a business plan to meet all requirements of the third maturity level, as mentioned in the CSF, as a minimum.
Third: Present the business plan to the board of directors/managers or the general manager for their review and approval, and to seek any further necessary support.
Fourth: Send the approved business plan to SAMA by the end of the fourth quarter of the year 2019*.
Fifth: Provide SAMA with quarterly reports, starting from the end of the second quarter of the year 2019*, until full compliance with the CSF is achieved.
Sixth: Fully comply with the requirements stated in the CSF by the end of the fourth quarter of the year 2019*.
Seventh: The Cyber Security Committee (or equivalent) of the financial institution must follow up on the implementation of the CSF to ensure that full support and resources are provided where necessary. It must further ensure the timely escalation to the competent authority of obstacles and other related hindrances that may prevent complete implementation of the CSF.
To achieve the above, the full support and oversight from the Board of Directors and Senior Management are required for its implementation.
The Information Technology Risk team within the Deputyship of Supervision is at your disposal for any clarifications and we remain committed to guiding our regulated entities in creating a safer cyber environment.
The business plan and quarterly reports are to be sent to: CRC.Compliance@SAMA.GOV.SA
*Amended in accordance with SAMA circular No (51610/99) dated 17/08/1440H.