Principle

Member Organisations should draw on a variety of internal and external data sources to identify and monitor emerging fraud threats.

Control Requirements

a. The fraud Intelligence Monitoring process should be defined, approved, and implemented.
b. When defining the Intelligence Monitoring process, Member Organisations should consider the SAMA Cyber Threat Intelligence Principles.
c. The effectiveness of fraud Intelligence Monitoring should be subject to periodic evaluation to assess whether the sources used are comprehensive and the intelligence collated is aiding the prevention of fraud.
d. The Intelligence Monitoring process should include:
   1. Scanning, collation, analysis, assessment and dissemination of information on existing and emerging threats.
   2. Capturing relevant details on identified threats, such as modus operandi, actors, motivation, the origin of attacks (e.g., organised crime group, jurisdiction) and type of threats.
   3. Taking action on existing and emerging threats.
   4. Sharing relevant intelligence with internal and external stakeholders (e.g., Cyber, Business Operations or SAMA).
e. Intelligence Monitoring activities should draw on a range of information sources to develop a holistic understanding of the Member Organisation’s fraud landscape. At a minimum, these should include:
   1. Internal Audit reports, fraud investigation output and Fraud Scenario Analysis covering attempted and actual fraud to identify trending fraud tactics, techniques, and procedures (TTPs).
   2. New and emerging fraud typologies identified by fraud detection systems, fraud investigators or the Counter-Fraud Department.
   3. Insights from support functions (e.g., Internal Audit, Compliance, Cyber Security Event and Incident Management).
   4. Reliable and relevant external sources on fraud trends both locally and globally (e.g., government agencies, fraud forums and events, Counter-Fraud system vendors, open-source information, and subscription sources).
f. Member Organisations should, to the extent not prohibited by law or contractual terms, collaborate in sharing Counter-Fraud information including emerging fraud typologies, fraud threat intelligence on the groups who may be perpetrating fraud, TTPs and market trends with the Saudi Central Bank and other organisations in the sector.
g. Member Organisations should share log-in information for confirmed fraud cases (e.g., mobile or Device ID, IP address) through the Sectorial Anti-Fraud Committee.
h. Member Organisations should perform analysis of log-in information shared by other Member Organisations to assess the level of exposure for their own customers and record the actions completed on an analysis log sheet which may be subject to independent review.