  • Cyber Resilience

    • Cyber Resilience Fundamental Requirements (CRFR)

      To read the Cyber Resilience Fundamental Requirements (CRFR), click here.

    • Cyber Security Framework

      This translation is provided for guidance. The governing text is the Arabic text.

      Motivated by the commitment of the Central Bank [SAMA] to enhancing cyber security standards at SAMA-supervised financial institutions through having in place a proven effective mechanism at the financial institutions based on the best solutions and practices that would help create a flexible and mature cyber security environment that is capable of combating the cyberattacks faced by the sector, and with reference to SAMA's cyber security-related strategic initiatives, including, among others, the development and issuance of a Cyber Security Framework at SAMA-supervised financial institutions;

      This is to inform you that a Cyber Security Framework has been issued, so all banks operating in the Kingdom shall fully comply with its contents as follows:

      First: Conduct an in-depth and accurate assessment of the current status of cyber security at the financial institution. This shall be compared against the requirements stated in the CSF [Gap Assessment] to identify weaknesses and assess the level of maturity as described within the CSF under the definition of "Maturity Level".

      Second: Develop a Roadmap to meet all requirements of Maturity Level 3 as a minimum for all requirements set out in the CSF, after conducting an in-depth assessment of the current status of the financial institution's environment.

      Third: The financial institution shall submit the Roadmap to the Board of Directors and provide the latter with explanatory details on it and obtain its approval on both the roadmap and support needed.

      Fourth: The financial institution shall send its Roadmap to SAMA not later than the end of August 2017.

      Fifth: Provide SAMA with quarterly reports starting from the end of Q3 2017 until full compliance by the financial institution with SAMA requirements.

      Sixth: The financial institution shall fully comply with the requirements stated in the CSF by the end of October 2018.

      Seventh: The financial institution's Cyber Security Committee must follow up on the implementation of the CSF and verify the level of compliance with the approved roadmap and full support, must provide full support for removing all impediments faced by the financial institution's teams, and must ensure timely escalation to the competent authority of obstacles and other related hindrances that may prevent complete implementation of the CSF.

      By virtue of the Circular No. [51610/99] dated 17/08/1440 H, the competent officers of the financial institutions must provide necessary support to the Cyber Security Department and provide it with the national talents, technical means and appropriate training in order to optimally perform its role.

      By virtue of the Circular No. [29814/67] dated 11/05/1440 H, and based on SAMA's powers to enhance cyber security in the financial sector and upgrade the maturity level to combat and manage the cyber challenges in a professional and advanced manner, the banks are required to carry out the following:

      1. Develop a Roadmap for fulfilling all [Maturity Level 4] requirements by the end of Q3 2022, for all components of the following subdomains mentioned in the CSF:

         - 3.3.14 Cyber Security Event Management

         - 3.3.15 Cyber Security Incident Management

         - 3.3.16 Threat Management

         - 3.3.17 Vulnerability Management

      2. Provide necessary support to the Cyber Security Department and provide it with the national talents, technical means and appropriate training in order to optimally perform its role.

      3. Submit the Roadmap as mentioned in Para. [1] and [2] above to the Board of Directors and obtain the latter's approval on both the Roadmap and support needed.

      4. Provide SAMA [Financial Sector IT Risk Department] with the following:

         A- The roadmap approved by the Board of Directors by the end of Q1 2019;

         B- Quarterly reports as from the end of Q2 2019 showing the phases of fulfillment of SAMA's requirements until such requirements are fully satisfied; and

         C- An in-depth annual report by the Bank's Internal Audit Department showing the level of compliance with the CSF's requirements compared to the maturity level required, as per the mechanism to be designated by SAMA.

      Kindly be informed that SAMA will conduct periodic inspection visits to verify the accuracy of the assessment and level of compliance with the CSF's requirements. If you have any query, you can communicate with the Banking IT Risk Manager.

      To read the Cyber Security Framework, Click Here.

    • Financial Sector Cyber Threat Intelligence Principles

      To read the Financial Sector Cyber Threat Intelligence Principles, click here.

    • Minimum Verification Controls

      To read the Minimum Verification Controls, click here.

    • Business Continuity Management Framework

      To read the Business Continuity Management Framework, click here.

    • Financial Entities Ethical Red-Teaming

      To read the Financial Entities Ethical Red-Teaming, click here.