  • 1 Introduction

    • 1.1 Introduction to the Framework

      The current digital society has high expectations of a flawless customer experience, continuous availability of services and effective protection of sensitive data. Information assets and online services are now strategically important to all public and private organizations, as well as to broader society. These services are vital to the creation of a vibrant digital economy, and they are becoming systemically important to the economy and to broader national security. All of this underlines the need to safeguard sensitive data and transactions, and thereby to ensure confidence in the Saudi Financial Sector as a whole. 
       
      The stakes are high when it comes to the confidentiality, integrity and availability of information assets, to the adoption of new online services and new developments (e.g. Fintech, blockchain), and to improving resilience against cyber threats. Not only is the dependency on these services growing, but the threat landscape is rapidly changing. The Financial Sector recognizes the rate at which cyber threats and risks are evolving, as well as the changing technology and business landscape. 
       
      SAMA established a Cyber Security Framework (“the Framework”) to enable Financial Institutions regulated by SAMA (“the Member Organizations”) to effectively identify and address risks related to cyber security. To maintain the protection of information assets and online services, the Member Organizations must adopt the Framework. 
       
      The objectives of the Framework are as follows: 
       
      1. To create a common approach for addressing cyber security within the Member Organizations.
       
      2. To achieve an appropriate maturity level of cyber security controls within the Member Organizations.
       
      3. To ensure cyber security risks are properly managed throughout the Member Organizations.
       
      The Framework will be used to periodically assess the maturity level and evaluate the effectiveness of the cyber security controls at Member Organizations, and to compare these results with those of other Member Organizations. 
       
      The Framework is based on the SAMA requirements and industry cyber security standards, such as NIST, ISF, ISO, BASEL and PCI. 
       
      The Framework supersedes all previously issued SAMA circulars with regard to cyber security. Please refer to ‘Appendix A - Overview previous issued SAMA circulars’ for more details. 
       
    • 1.2 Definition of Cyber Security

      Cyber security is defined as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the Member Organization's information assets against internal and external threats. 
       
      The general security objectives comprise the following: 
       
      Confidentiality - Information assets are accessible only to those authorized to have access (i.e., protected from unauthorized disclosure or (un)intended leakage of sensitive data).
       
      Integrity - Information assets are accurate, complete and processed correctly (i.e., protected from unauthorized modification, which may include authenticity and non-repudiation).
       
      Availability - Information assets are resilient and accessible when required (i.e., protected from unauthorized disruption).
       
    • 1.3 Scope

      The Framework defines principles and objectives for initiating, implementing, maintaining, monitoring and improving cyber security controls in Member Organizations. 
       
      The Framework provides cyber security controls which are applicable to the information assets of the Member Organization, including: 
       
      Electronic information.
       
      Physical information (hardcopy).
       
      Applications, software, electronic services and databases.
       
      Computers and electronic machines (e.g., ATM).
       
      Information storage devices (e.g., hard disk, USB stick).
       
      Premises, equipment and communication networks (technical infrastructure).
       
      The Framework provides direction on cyber security requirements for Member Organizations and their subsidiaries, staff, third parties and customers. 
       
      For business continuity related requirements please refer to the SAMA Business Continuity Minimum Requirements. 
       
      The Framework is interrelated with other corporate policies for related areas, such as physical security and fraud management. The Framework does not address the non-cyber security requirements of those areas. 
       
    • 1.4 Applicability

      The Framework is applicable to all Member Organizations regulated by SAMA, which include the following: 
       
       All Banks operating in Saudi Arabia;
       
       All Insurance and/or Reinsurance Companies operating in Saudi Arabia;
       
       All Financing Companies operating in Saudi Arabia;
       
       All Credit Bureaus operating in Saudi Arabia;
       
       The Financial Market Infrastructure.
       
      All domains are applicable to the banking sector. For other financial institutions, the following exceptions apply: 
       
       For sub-domain (3.1.2), alignment with the cyber security strategy of the banking sector is mandatory where applicable.
       
       Sub-domain (3.2.3) is excluded. However, if the organization stores, processes or transmits cardholder data, or uses SWIFT services, then the PCI DSS standard and/or the SWIFT Customer Security Controls Framework should be implemented.
       
       Sub-domain (3.3.12) is excluded.
       
       Sub-domain (3.3.13) is excluded. However, if the organization provides online services to customers, a multi-factor authentication capability should be implemented.
       
    • 1.5 Responsibilities

      The Framework is mandated by SAMA. SAMA is the owner of the Framework and is responsible for periodically updating it.

      The Member Organizations are responsible for adopting and implementing the Framework.

    • 1.6 Interpretation

      SAMA, as the owner of the Framework, is solely responsible for providing interpretations of the principles, objectives and control considerations, if required.

    • 1.7 Target Audience

      The Framework is intended for senior and executive management, business owners, owners of information assets, CISOs and those who are responsible for and involved in defining, implementing and reviewing cyber security controls within the Member Organizations.

    • 1.8 Review, Updates and Maintenance

      The Framework will be reviewed and maintained by SAMA.

      SAMA will review the Framework periodically to determine the Framework's effectiveness, including the effectiveness of the Framework to address emerging cyber security threats and risks. If applicable, SAMA will update the Framework based on the outcome of the review.

      If a Member Organization considers that an update to the Framework is required, the Member Organization should formally submit the requested update to SAMA. SAMA will review the requested update, and when approved, the Framework will be adjusted.

      The Member Organization remains responsible for complying with the current Framework while the requested update is pending.

      Please refer to ‘Appendix B - How to request an Update to the Framework’ for the process of requesting an update to the Framework.

      Version control will be implemented for maintaining the Framework. Whenever any changes are made, the preceding version shall be retired and the new version shall be published and communicated to all Member Organizations. For the convenience of the Member Organizations, changes to the Framework shall be clearly indicated.

    • 1.9 Reading Guide

      The Framework is structured as follows. Chapter 2 elaborates on the structure of the Framework and provides instructions on how to apply it. Chapter 3 presents the Framework itself, including the cyber security domains and sub-domains, principles, objectives and control considerations.