SAMA CSF: Everything You Need to Know

blog details

In this era of widespread digital proliferation era, cybersecurity is one of the most important concerns for businesses.With the severity of cyberattacks increasing, companies are becoming aware of how important it is to safeguard sensitive data and transactions. Public and private organisations place a high priority on information assets and online services. These services are critical to a thriving digital economy and national security. Cybersecurity frameworks provide a set of “best practices” for determining risk tolerance and setting controls. In today's digital world, customers want flawless customer experiences, continual service availability, and good data security.

Due to geopolitical positions, broad adoption of digital activities, enormous natural resource deposits, and wealth accumulation, Saudi Arabia is one of the most targeted countries in the Middle East for cyber-attacks. According to a recent KPMG CEO Outlook poll, 20 per cent of Saudi Arabia's CEOs agreed that cyber security concerns are among the biggest challenges for their organisations today.

What is SAMA? Why was it formulated?

Saudi Arabia's Central Bank is committed to improving cyber resilience by adopting industry standards, practices, and frameworks, thus resulting in the formulation of the SAMA Cyber Security Framework. An appropriate level of security compliance for all entities across sectors was mandated by SAMA in order to manage and withstand cyber security threats. In May 2017, the Saudi Arabian Monetary Authority (SAMA) published its first version of the Cyber Security Framework (SAMA CSF). SAMA noted in its introduction that new online services and new technological developments such as fintech, and blockchain require additional regulatory standards to protect against continuously evolving threats.

Regulated organisations benefit from the establishment of effective cybersecurity governance, a robust infrastructure with the necessary investigative and preventative measures by identifying appropriate procedures to efficiently detect and resolve cybersecurity risks. Moreover, the Framework guides on assessing maturity levels and relevant checks. By adopting the Framework, Saudi Arabian Banking, Insurance, and Financing Companies will become better prepared to deal with cybersecurity threats.

SAMA's Cyber Security Framework is very comprehensive and prescriptive, perpetuating key cybersecurity principles and objectives for every regulated entity to embed and achieve. These are organized into four main cybersecurity 'domains': Leadership and Governance, Risk Management and Compliance, Operations and Technology, apart from Third-Party Considerations.

Cyber Security principles and objectives are clearly laid out in the SAMA Framework, which is risk-based and provides clear guidance for Member organisations. The mandated control considerations provide additional instructions to Member organisations on how to achieve the objectives. In cases where certain controls cannot be tailored or implemented, the Member organisations should apply alternate controls, undertaking an internal risk assessment, and requesting a formal waiver from SAMA.

What are the objectives of SAMA CSF?

The stated objectives of the SAMA CS Framework is as below:

1. To create a common approach for addressing cybersecurity within the Member organisations. 2. To achieve an appropriate maturity level of cybersecurity controls within the Member organisations. 3. To ensure cybersecurity risks are properly managed throughout the Member organisations.

What are the nature of companies which are expected to comply with SAMA

- All Banks operating in Saudi Arabia

- All Insurance and/or Reinsurance Companies operating in Saudi Arabia

- All Financing Companies operating in Saudi Arabia

- All Credit Bureaus operating In Saudi Arabia

- The Financial Market Infrastructure

SAMA CSF is a requisite for financial security

As a result of the SAMA CSF, financial institutions have been made aware of the nature and scope of their information assets, as well as the potential Cyber Security risks they face during the course of their business and adoption of new technologies. Unlike many other cybersecurity frameworks, SAMA avoided a common pitfall. To ensure the sector is able to manage and withstand cybersecurity threats, the framework was mandated rather than asking banks, insurance companies, and financial services companies to adopt the best practices voluntarily.

Financial Institutions can ensure complete SAMA CSF compliances and leverage isorobot solutions to complement their measures to fulfil the requirements set out in the Cybersecurity Framework. Isorobot allows for the protection of data both inside and outside organisations by controlling not just who can access what documents, with what permissions, from what network or IP address and in what timeframe. Identifying risk instances on corporate data through efficient monitoring, isorobot - the data-centric cyber security system software supports compliance with the SAMA framework. It allows for the persistent protection of the organisation’s most protected data. Isorobot’s data security and protection potentials are proven in industries of all kinds and is reflected by the growing number of large organisations relying on it to manage their Business risks and Cyber security

Akhila Nasneem

Akhila Nasneem is a young aspiring brand communications and digital marketing enthusiast. She loves to write blogs, advertising brand contents and is curious about work-a-day organisational concepts. Creating illustrations and befriending movies are her other active pursuits.

Stay tuned with all our updates and access our blogs and podcasts library for free!

By signing up, you consent to receive email newsletters from me periodically.

Find us on