Subject: Financial Sector’s Cyber Threat

Intelligence Principles

Dear CEO,

Dear CCO,

Greetings,

Based on the supervisory role of the Saudi Central Bank on the financial sector, and in reference to the Cybersecurity strategy for the financial sector which aims at creating a secure and reliable financial sector that enables growth and prosperity. And taking into consideration the changes in business models of financial institutions, relying on technology in financial transactions, and attracting emerging and modern technologies.

Whereas a change has been observed in the level of Threat Landscape to the financial sector, which resulted in a rapid and noticeable development by the Advance Persistence Threat “APT” groups targeting the financial sector for different purposes on several levels such as their Tactics, Techniques, and Procedures; which requires the development of proactive detection and analysis capabilities for financial institutions to work proactively in line with the development of the threat actors.

Accordingly, the Financial Sector Cyber Threat Intelligence Principles "Principles" had been adopted, which aims to establish scientific and practical foundations for proactive detection and analysis of the cyber threats as well as enhancing the practices of financial institutions with regard to cyber threat intelligence; to take precautionary measures and feed the various technical, operational and business

departments with Threat Intelligence appropriate to the work of these departments, the Principles are divided on several levels, as follows:

• Core principles - required basis activities needed to perform planning, production and dissemination of threat intelligence.
• Strategic principles - strategic level cyber intelligence focused on the objectives, motivations and intent of threat actors.
• Operational Principles - to produce information about modus operandi, behavior and classification of the different stages of attacks (Taxonomization).
• Tactical principles - includes information about technical elements and components of cyber attacks

Accordingly, to enhance the cyber resilience of the financial sector and raise the maturity level of threat intelligence capability; The financial institutions shall be guided by these principles. In case of implementing the principles, we recommend that the stages of implementation are as following:

Conducting a gap assessment of the current status of Threat Intelligence management, compared to what is stated in the principles, with its various levels, to identify the gaps.

Develop a roadmap for full compliance with the Principles as of this circular date, according to the following periods:

Six months for core, operational and tactical principles.

Twelve months for strategic principles.

Present the prepared Roadmap to the Board of Directors, inform them of it, and obtain approval of the plan and the necessary support for its implementation.

The cyber security committee in the financial institution shall follow up the implementation of the principles and the extent of commitment to the approved plan and provide full support to solve the obstacles and challenges facing the competent teams in the financial institution; while escalating internally to the authorized person on anything that may affect or obstruct the implementation of the principles.

Provide the necessary support to the Cyber Security Department to fully implement the principles,

enhance the role of cyber threat intelligence, and ensure that they are provided with competency and trained national human resources, technological tools and appropriate training to carry out their tasks to the fullest.

If there are inquiries in this regard, you can contact the General Department of Cyber Risk Control represented by the Cybersecurity Fusion Center at the e-mail: (CFC@SAMA.GOV.SA)

To be informed and complied with.

Kind regards,

General Department of Insurance Control

Distribution to:

- Insurance sector companies