Help Center
Frequently Asked Questions
Find answers to your questions about cybersecurity and the CISO Consulting platform
Suggested Answer
SAMA & Banking 156
All financial institutions regulated by the Saudi Arabian Monetary Authority (SAMA) must comply, including commercial banks, insurance companies, finance companies, payment service providers, and fintech firms operating in the Kingdom.
Was this helpful?
The SAMA Cybersecurity Framework v2.0 contains 251 sub-controls organized across 12 domains covering Governance, Risk Management, Identity & Access, Operations Security, Network Security, System Acquisition, Third-Party Management, Business Continuity, and Threat Management.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Third-Party Cybersecurity), regulated entities must implement a structured vendor risk management lifecycle covering onboarding, ongoing monitoring, and offboarding. Here's how to structure it effectively:
**1. Vendor Classification & Tiering:** Categorize vendors by criticality — Tier 1 (critical/core banking vendors), Tier 2 (important), and Tier 3 (low-risk). This determines the depth of due diligence required.
**2. Pre-Onboarding Due Diligence:** Require vendors to complete a cybersecurity questionnaire aligned with SAMA CSF controls. Request evidence of certifications such as ISO 27001 or SOC 2. For Tier 1 vendors, consider independent security assessments.
**3. Contractual Controls:** Embed cybersecurity obligations in contracts, including right-to-audit clauses, incident notification timelines (typically 72 hours per SAMA expectations), data handling requirements aligned with PDPL, and minimum security standards.
**4. Continuous Monitoring:** Conduct annual reassessments for Tier 1 and Tier 2 vendors. Use threat intelligence feeds and surface web monitoring to identify vendor breaches proactively.
**5. Offboarding Controls:** Ensure data deletion confirmation, access revocation, and documentation of asset returns.
**6. Board Reporting:** Per SAMA CSF Control 3.1.4, the board and senior management must receive regular reports on third-party risk exposure.
A common gap observed in Saudi financial institutions is treating third-party risk as a one-time checkbox rather than an ongoing program. Embed vendor risk reviews into your annual SAMA self-assessment cycle to ensure continuous compliance posture.
Was this helpful?
A robust cybersecurity incident response plan (IRP) for Saudi financial institutions must satisfy the requirements of SAMA CSF Control 3.6 (Cybersecurity Incident Management) as well as NCA ECC Domain 2-7 (Cybersecurity Incident and Threat Management). At its core, the IRP must define six phases: Preparation, Detection & Analysis, Containment, Eradication, Recovery, and Post-Incident Review. SAMA specifically requires that any cybersecurity incident impacting operations, customer data, or financial services be reported to SAMA within 72 hours of discovery — with a full Root Cause Analysis (RCA) submitted within 30 days. NCA mandates reporting of significant incidents to the National Cybersecurity Authority through established channels, and institutions should register with the Saudi Computer Emergency Response Team (saCERT) for threat intelligence sharing. Practically, the IRP should include: clearly assigned roles (Incident Commander, Technical Lead, Communications Officer, Legal Counsel), a predefined severity classification matrix (P1–P4), communication templates for internal escalation and regulatory notification, and integration with PDPL obligations — since a breach involving personal data triggers mandatory notification to the SDAIA (Saudi Data and AI Authority) and potentially affected individuals. Tabletop exercises simulating ransomware, insider threats, and third-party breaches should be conducted at least annually per SAMA CSF best practices. The IRP must be reviewed after every major incident and updated annually. Our platform provides IRP templates pre-mapped to SAMA and NCA requirements, with automated incident ticketing and regulatory notification tracking.
Was this helpful?
Third-party risk management is a critical obligation for Saudi financial institutions under both SAMA CSF (Control 3.3.6 – Supplier Relationships) and NCA ECC (Domain 4 – Third-Party Cybersecurity). Here is a structured approach:
**1. Pre-Onboarding Due Diligence:** Before engaging any vendor, conduct a cybersecurity risk assessment covering data access scope, cloud or on-premise deployment, and regulatory exposure. SAMA CSF requires formal risk classification of all third parties with access to critical systems.
**2. Contractual Safeguards:** Embed cybersecurity clauses in all vendor contracts — including the right to audit, incident notification SLAs (typically 72 hours per PDPL Article 19), data handling obligations, and minimum security baseline requirements aligned with ISO 27001 Annex A controls.
**3. Ongoing Monitoring:** Third-party relationships must be continuously monitored, not just assessed at onboarding. This includes annual reassessments for critical vendors, review of their security certifications (e.g., ISO 27001, SOC 2), and tracking any publicly reported breaches.
**4. Concentration Risk:** SAMA specifically highlights the risk of over-reliance on a single vendor for critical services. Institutions must maintain documented exit strategies and business continuity plans for key third parties.
**5. Cloud Providers:** For cloud-based third parties, NCA CCC controls apply. Ensure your vendor is either hosted within Saudi Arabia or has received explicit regulatory approval for cross-border data processing.
Practically, build a third-party risk register, assign risk tiers (Critical, High, Medium, Low), and define review cycles accordingly. A CISO Consulting vCISO can help design and operationalize this program from day one.
Was this helpful?
Security awareness training is far more than a compliance checkbox — it is a frontline defense against phishing, social engineering, and insider threats. Both SAMA CSF (Control 3.3.2 – Cybersecurity Awareness and Training) and NCA ECC (Control 2-4 – Human Cybersecurity) mandate structured awareness programs. Here is how to build one that truly satisfies both frameworks:
**Regulatory Minimum Requirements:**
- **SAMA CSF:** Requires role-based security training differentiated by job function (general staff, privileged users, IT/security teams, and senior management). Training must be documented, tracked, and renewed at least annually.
- **NCA ECC:** Requires a formal awareness program covering phishing recognition, password hygiene, clean desk policy, and incident reporting procedures.
**Recommended Program Structure:**
1. **Baseline Assessment:** Start with a phishing simulation to measure current susceptibility rates. This creates a measurable benchmark aligned with SAMA's maturity measurement approach.
2. **Role-Based Curricula:**
- *All Staff:* Phishing, social engineering, password management, PDPL data handling basics
- *IT & Security Teams:* Secure coding (if applicable), incident escalation procedures, privileged access hygiene
- *Management & Board:* Cyber risk governance, regulatory liability, business continuity obligations
3. **Delivery Formats:** Blend short monthly microlearning modules (5–10 minutes), quarterly phishing simulations, and annual in-depth workshops. Gamification significantly improves completion rates.
4. **Measurement & Reporting:** Track completion rates, phishing click-through rates before and after training, and quiz scores. SAMA expects documented evidence of training effectiveness during assessments.
5. **Language Localization:** Deliver content in both Arabic and English to maximize comprehension and engagement across your workforce.
**Key Tip:** Maintain a training register with employee names, completion dates, scores, and training version — this is frequently requested during SAMA regulatory examinations and NCA assessments.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Third-Party Cybersecurity), Saudi financial institutions must implement a structured vendor risk management lifecycle that spans onboarding, ongoing monitoring, and offboarding. Here's how to build a compliant program:
**1. Vendor Classification & Tiering:** Categorize vendors by the sensitivity of data they access and the criticality of services they provide. Tier-1 vendors (e.g., core banking system providers, cloud hosting partners) require the most rigorous scrutiny.
**2. Pre-Onboarding Due Diligence:** Before engagement, require vendors to complete a cybersecurity questionnaire aligned with SAMA CSF domains. Request evidence of ISO 27001 certification, penetration test results, and SOC 2 Type II reports where applicable.
**3. Contractual Security Requirements (per SAMA CSF 3.3.4):** Embed mandatory cybersecurity clauses in all vendor contracts, including: right-to-audit provisions, incident notification obligations (within 72 hours of discovery), data handling and encryption standards, and compliance with NCA ECC and PDPL where data is involved.
**4. Continuous Monitoring:** Conduct annual reassessments for Tier-1 vendors and bi-annual reviews for Tier-2. Use threat intelligence feeds to monitor for vendor breaches or vulnerabilities in vendor-supplied software.
**5. Offboarding Controls:** Ensure secure data deletion, credential revocation, and access termination are documented and verified upon contract termination.
A common gap found during SAMA assessments is that institutions maintain vendor lists but lack documented risk ratings or evidence of ongoing monitoring. Establishing a formal Third-Party Risk Register with assigned ownership and review dates is essential for audit readiness.
Was this helpful?
Under SAMA CSF Control 3.3 (Third-Party Management), Saudi banks and financial institutions must implement a structured, risk-based vendor management lifecycle that covers onboarding, ongoing monitoring, and offboarding. Here is how to build a compliant program:
**1. Vendor Classification & Risk Tiering:** Categorize vendors by the sensitivity of data they access and their criticality to operations (e.g., Tier 1 for core banking system providers, Tier 3 for low-risk suppliers). This tiering drives the depth of due diligence required.
**2. Pre-Engagement Due Diligence:** Before contracting, require vendors to complete a cybersecurity questionnaire aligned to SAMA CSF domains. For high-risk vendors, consider requesting ISO 27001 certification evidence or independent audit reports (SOC 2 Type II).
**3. Contractual Controls:** Ensure contracts include mandatory security clauses: right-to-audit provisions, incident notification obligations (within 72 hours per PDPL Art. 24 and SAMA CSF expectations), data handling restrictions, and business continuity commitments.
**4. Continuous Monitoring:** Conduct annual reassessments for Tier 1 vendors and biennial reviews for Tier 2. Use threat intelligence feeds and cyber ratings platforms to monitor vendor security posture between formal assessments.
**5. Offboarding Controls:** Define secure data return and destruction protocols when terminating vendor relationships, ensuring no residual data exposure.
Your GRC platform should automate vendor questionnaire distribution, track remediation timelines, and generate SAMA-ready reporting dashboards that demonstrate third-party risk governance to regulators during examinations.
Was this helpful?
Business Continuity Management (BCM) is a mandatory domain under both SAMA CSF (Domain 4 – Operational Resilience) and NCA ECC (Control 2-10 – Business Continuity). Saudi financial institutions must establish, implement, test, and continuously improve their BCM programs to satisfy regulatory expectations.
**SAMA CSF Requirements:**
SAMA CSF Control 3.4 requires institutions to maintain a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that are reviewed and tested at least annually. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) must be formally defined for all critical systems, with special attention to core banking platforms, payment systems, and customer-facing digital channels.
**NCA ECC Alignment:**
NCA ECC Control 2-10 mandates that organizations define cybersecurity-specific continuity scenarios, including ransomware attacks, critical system outages, and supply chain disruptions. Cybersecurity must be embedded in BCM exercises, not treated as a separate workstream.
**Practical Implementation Steps:**
1. Conduct a formal Business Impact Analysis (BIA) identifying critical processes, dependencies, and acceptable downtime thresholds.
2. Define RTO/RPO for all critical assets and validate these with technology and business stakeholders.
3. Develop cybersecurity-integrated DRP covering backup integrity, failover procedures, and out-of-band communication protocols.
4. Conduct tabletop exercises and full simulation tests at least annually, involving IT, security, operations, and executive leadership.
5. Document all test results, gaps identified, and corrective actions in your GRC platform for regulatory audit trails.
Regulators increasingly scrutinize BCM during SAMA examinations — institutions with outdated or untested plans face significant compliance findings.
Was this helpful?
Business Continuity Management (BCM) is a mandatory requirement for Saudi financial institutions under both SAMA CSF Control Domain 3.7 and NCA ECC Control 2-13. Here is a practical implementation roadmap:
**1. BIA (Business Impact Analysis)**: Begin with a formal BIA to identify critical business processes, maximum tolerable downtime (MTD), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO). SAMA expects RTOs for core banking systems to typically not exceed 4 hours.
**2. BCM Policy and Governance**: Establish a board-approved BCM policy that assigns clear ownership. SAMA CSF requires the CISO and senior management to be directly accountable for BCM outcomes.
**3. Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP)**: Develop, document, and maintain separate BCP and DRP documents covering technology failover, manual workarounds, alternate site activation, and communication protocols.
**4. Testing and Exercises**: SAMA CSF mandates that BCM plans be tested at least annually through tabletop exercises, simulation drills, or full failover tests. NCA ECC Article 2-13 similarly requires documented test results and corrective action tracking.
**5. Third-Party and Supply Chain Continuity**: Ensure critical vendors maintain their own BCM programs aligned with your institution's RTO/RPO requirements, per SAMA CSF Control 3.6.
**6. Cyber Incident Integration**: BCM plans must explicitly address cybersecurity scenarios — ransomware, DDoS, and data center outages — ensuring alignment with your Cyber Incident Response Plan (CIRP).
**7. Regulatory Reporting**: SAMA requires institutions to report major disruptions within defined timeframes. Maintain a disruption log and ensure your BCM framework is reviewed during SAMA's annual cybersecurity examination cycle.
Was this helpful?
Business continuity and cyber resilience are among the most scrutinized areas during SAMA regulatory examinations. SAMA CSF Subdomain 3.5 (Cyber Resilience) sets out explicit requirements that go beyond traditional IT disaster recovery into true organizational resilience.
**Core SAMA CSF Requirements (Subdomain 3.5):**
- **Control 3.5.1 – BCP/DRP Development:** Banks must maintain documented Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) that specifically account for cyberattack scenarios (ransomware, DDoS, data destruction), not just natural disasters or hardware failures.
- **Control 3.5.2 – Testing Frequency:** BCPs and DRPs must be tested at least annually, with tabletop exercises, simulation drills, and full failover tests each serving distinct purposes. SAMA expects evidence of testing, including lessons-learned documentation.
- **Control 3.5.3 – Recovery Objectives:** Defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets must be formally approved by senior management and aligned to the criticality of each system.
- **Control 3.5.4 – Cyber Incident Integration:** The cyber incident response plan must be formally integrated into the BCP so that a cybersecurity event automatically triggers the appropriate continuity protocols.
**Integration with ISO 22301:**
ISO 22301 (Business Continuity Management Systems) provides the structural framework that operationalizes SAMA CSF 3.5 requirements. Specifically:
- ISO 22301 Clause 6.2 (BIA) directly supports SAMA's requirement to identify and prioritize critical systems.
- ISO 22301 Clause 8.5 (Exercising and Testing) maps to SAMA CSF Control 3.5.2.
- Achieving ISO 22301 certification significantly strengthens your SAMA CSF maturity evidence.
**NCA ECC Alignment:** NCA ECC Article 2-14 independently mandates cyber resilience planning for government-affiliated entities — financial institutions with government ownership must satisfy both regulators.
Was this helpful?
Business Continuity Management (BCM) sits at the intersection of operational resilience and cybersecurity in SAMA's regulatory framework. Under SAMA CSF Domain 3.5 (Cyber Resilience), financial institutions are required to develop, maintain, and regularly test a Cyber Resilience Program that ensures critical operations can withstand, recover from, and adapt to cyber incidents.
SAMA CSF Control 3.5.1 mandates that banks establish a formal BCM framework that explicitly addresses cyber threat scenarios — not just traditional IT failures or natural disasters. This means BCP documents must include ransomware outbreak scenarios, DDoS attack playbooks, data exfiltration incidents, and critical system compromise procedures.
Key SAMA BCM requirements for CISOs include:
**1. Business Impact Analysis (BIA):** Identify critical business functions, their dependencies on IT systems, and define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each. SAMA expects RTOs for critical payment systems to be extremely aggressive — often under 4 hours.
**2. Cyber Incident Scenarios in BCP Testing:** Annual BCM tests (per Control 3.5.3) must include at least one cyber-specific scenario. Tabletop exercises simulating ransomware or supply chain attacks are increasingly expected by SAMA examiners.
**3. Crisis Communication Protocols:** BCP must define escalation paths to SAMA (within 72 hours for major incidents per SAMA Cyber Incident Reporting Framework), the board, customers, and media.
**4. Backup and Recovery Controls:** Per SAMA CSF 3.3.10, offline and immutable backups must be maintained for critical data, with restoration tested regularly to validate actual RTO/RPO achievement.
**5. Alignment with NCA ECC:** NCA ECC Article 2-12 mirrors BCM obligations for all national entities, requiring coordination between the CISO and the COO/CRO on joint continuity planning.
CISOs should treat BCM not as a compliance checkbox but as a continuous resilience-building exercise embedded in the bank's annual security strategy.
Was this helpful?
Business Continuity Management (BCM) is a critical domain under SAMA CSF (Domain 5 – Cyber Resilience, Controls 5.1–5.4), requiring Saudi banks to maintain robust, tested, and board-approved continuity plans.
**Program Foundation:** Your BCM program must be anchored to a formal Business Impact Analysis (BIA) that identifies critical business functions, maximum tolerable downtime (MTD), recovery time objectives (RTO), and recovery point objectives (RPO) for each function. SAMA expects RTOs for critical systems to be defined and contractually enforced.
**Cybersecurity Integration:** BCM must be tightly integrated with the Cybersecurity Incident Response Plan (CIRP). Ransomware scenarios, DDoS attacks, and critical data loss must be explicitly covered in continuity plans — a gap many Saudi banks overlook.
**Plan Components:** A compliant BCM program includes: Crisis Management Plan, IT Disaster Recovery Plan (DRP), Business Recovery Plans per department, and Communication Plans (internal, regulatory, and customer-facing). SAMA CSF Control 5.2 specifically requires that SAMA be notified within defined timeframes during a major disruption.
**Testing & Validation:** SAMA requires annual BCP/DR exercises, including tabletop simulations and full failover tests. Results must be documented, lessons learned captured, and plans updated accordingly. NCA ECC also mandates resilience testing for entities managing critical national infrastructure.
**Governance:** The BCM program must have executive sponsorship, with the CISO and CRO jointly accountable. Plans must be reviewed and approved annually by senior management.
Our platform provides BCM templates pre-mapped to SAMA CSF domains, enabling banks to build, test, and evidence their resilience programs efficiently.
Was this helpful?
Business Continuity Management (BCM) is a tier-one requirement under SAMA CSF Domain 4 – Operational Resilience. SAMA expects member banks to maintain a formally documented, regularly tested, and board-approved BCM program that ensures the continuity of critical financial services during and after disruptive events.
**Core BCM Components Required by SAMA CSF:**
**1. Business Impact Analysis (BIA):** Per SAMA CSF Control 4.1.1, institutions must conduct a BIA to identify critical business functions, their dependencies (people, technology, third parties), and define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). For systemically important banks, RTOs for core banking services are typically expected within 4 hours.
**2. BCM Policy and Strategy:** A board-approved BCM policy must define scope, roles, responsibilities, and escalation procedures. The strategy must address alternative site activation, manual workarounds, and communication protocols.
**3. IT Disaster Recovery (DR):** Aligned with SAMA CSF Control 4.2, DR plans must be technically documented and cover failover procedures for all tier-1 systems. Data replication and backup frequencies must align with RPO commitments.
**4. Testing and Exercises:** SAMA requires at minimum an annual full DR test and tabletop exercises for crisis management scenarios. Results must be documented, gaps identified, and corrective actions tracked.
**5. Integration with PDPL:** Under PDPL Article 19, data backup and recovery mechanisms must preserve data integrity and access rights, ensuring that personal data is not exposed during DR failover events.
**Documentation Tip:** Maintain a BCM program register linking each plan to its owner, last test date, RTO/RPO targets, and SAMA CSF control reference. This significantly simplifies regulatory examination responses.
Was this helpful?
Business Continuity Management (BCM) is a mandatory component of SAMA CSF under Control Domain 3.5. Saudi banks must implement a BCM program that ensures critical financial services remain operational during disruptions — whether cyber incidents, natural disasters, or systemic failures.
**SAMA CSF BCM Requirements:**
**1. Business Impact Analysis (BIA):** Identify and classify critical business processes, define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each, and assess interdependencies with third-party services and IT systems. SAMA expects RTOs for critical systems to be under 4 hours.
**2. BCM Policy and Governance:** A formally approved BCM policy must exist, endorsed by senior management and reviewed annually. A designated BCM owner must be appointed at the executive level.
**3. Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP):** Separate but integrated plans must cover people, processes, technology, and facilities. Plans must include clear escalation paths, communication trees, and alternate site arrangements.
**4. Testing and Exercising:** SAMA requires BCM plans to be tested at least annually. Tests must include tabletop exercises, simulation drills, and full failover tests for critical systems. Results must be documented and gaps remediated.
**5. Alignment with NCA ECC:** NCA ECC Article 2-15 reinforces BCM requirements for organizations operating national infrastructure, adding requirements around cyber-resilience and continuity of digital services.
**6. PDPL Consideration:** BCM plans must account for data protection obligations — backup systems must maintain the same security and access controls as primary systems.
**Practical Steps:**
- Integrate BCM into your annual SAMA self-assessment submission.
- Use our platform's BCM module to map RTOs/RPOs, schedule tests, and generate regulator-ready reports automatically.
- Align BCM with ISO 22301 for internationally recognized best practice.
Was this helpful?
Business Continuity Management (BCM) is a critical regulatory obligation for Saudi financial institutions. Both SAMA CSF (Domain 4 — Operational Resilience) and NCA ECC (Article 2-14) mandate formal BCM programs. Here is a practical implementation roadmap:
**1. Governance and Policy Foundation:**
Establish a BCM policy approved by the Board or senior executive committee. SAMA CSF requires explicit ownership at the executive level. Assign a dedicated BCM owner — often the CISO or COO — responsible for program maintenance.
**2. Business Impact Analysis (BIA):**
Conduct a thorough BIA to identify critical business functions, their dependencies, and acceptable Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). SAMA expects RTOs and RPOs to be defined for all critical systems including core banking, payments, and customer-facing channels.
**3. Risk Assessment Integration:**
BCM must be integrated with the organization's broader cybersecurity risk assessment process. NCA ECC Article 2-14 specifically requires scenarios covering cyberattacks, ransomware, and system failures.
**4. Plan Development:**
Develop Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) covering people, processes, technology, and facilities. Ensure plans address both partial and full site failures.
**5. Testing and Exercises:**
SAMA CSF requires BCM plans to be tested at least annually through tabletop exercises, functional drills, or full failover tests. Test results and lessons learned must be documented and acted upon.
**6. Third-Party Dependencies:**
Map and test continuity arrangements for critical vendors and cloud service providers. SAMA expects contractual BCM obligations to be embedded in third-party agreements.
Regular review cycles — at least annually or after significant changes — ensure plans remain current and aligned with evolving regulatory expectations.
Was this helpful?
Business Continuity Management (BCM) is a critical compliance domain for Saudi financial institutions, governed primarily by SAMA CSF Domain 4 (Operational Resilience) and NCA ECC Controls 2-9 and 2-10, which address resilience and recovery capabilities.
**Core SAMA CSF Requirements:**
SAMA CSF Control 4.1 requires institutions to establish a formal BCM program covering Business Impact Analysis (BIA), Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and tested Business Continuity Plans (BCPs). RTOs for critical banking services are typically expected to be 4 hours or less, with RPOs of 1–2 hours for tier-1 systems.
**NCA ECC Alignment:**
NCA ECC Article 2-9 mandates that organizations establish and maintain Disaster Recovery Plans (DRPs) with documented failover procedures, while Article 2-10 requires periodic testing and simulation exercises at least annually.
**Practical Implementation Steps:**
1. Conduct a thorough BIA to identify critical processes and acceptable downtime thresholds.
2. Define RTO/RPO for each critical system — core banking, payment rails, and customer-facing channels.
3. Develop tiered BCPs: site-level, system-level, and crisis communication plans.
4. Establish an alternate/hot site that meets SAMA's geographic separation requirements.
5. Test plans through tabletop exercises, functional drills, and full failover simulations annually.
6. Integrate BCM with your Cybersecurity Incident Response Plan to cover ransomware and cyber-induced outage scenarios.
Documentation of test results, gaps identified, and remediation actions must be maintained and submitted during SAMA regulatory reviews. A common weakness is treating BCM as an annual checkbox — successful institutions embed it into change management and release processes year-round.
Was this helpful?
Business Continuity Management (BCM) is a mandatory domain under SAMA CSF, addressed comprehensively in Domain 3.5 — Resilience. Financial institutions must build and maintain a BCM program that ensures critical operations can withstand and recover from disruptive incidents, whether cyber-related or operational.
**Core components required by SAMA CSF:**
1. **Business Impact Analysis (BIA)**: Identify and prioritize critical business functions, define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each, and map dependencies on technology and third-party services.
2. **Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)**: Develop documented, tested plans that address various disruption scenarios including ransomware attacks, data center failures, and key personnel unavailability.
3. **Crisis Management Framework**: Establish a crisis management team with defined roles and escalation paths. SAMA expects named executives and deputies to be designated for continuity decisions.
4. **Testing and Exercises**: SAMA CSF Control 3.5.4 requires that BCM plans be tested at least annually through tabletop exercises, functional drills, or full simulation tests. Results must be documented and gaps remediated.
5. **Integration with Cyber Incident Response**: BCM must be aligned with the Cyber Incident Response Plan (CIRP) to ensure coordinated response during cyber disruptions, including ransomware or DDoS attacks targeting financial services.
6. **Regulatory Reporting**: Any incident triggering BCP activation must be reported to SAMA within defined timeframes per the SAMA Cyber Incident Reporting Framework.
Fintechs should pay special attention to cloud dependencies, SaaS provider continuity, and ensuring contractual SLAs with vendors include documented RTOs aligned with their own SAMA-approved thresholds.
Was this helpful?
Business Continuity Management (BCM) is a mandatory domain under SAMA CSF, and for fintechs — given their digital-first nature and reliance on third-party infrastructure — it carries elevated risk. SAMA CSF Domain 4 (Operational Resilience) sets the overarching expectations, requiring that all member organizations establish, test, and maintain comprehensive BCM programs.
**Core Requirements:**
**Business Impact Analysis (BIA):** SAMA CSF Control 4.1 requires fintechs to conduct a formal BIA identifying critical business processes, dependencies, maximum tolerable downtime (MTD), recovery time objectives (RTO), and recovery point objectives (RPO). For payment services, RTOs are typically expected to be under 4 hours.
**Business Continuity Plan (BCP) & Disaster Recovery Plan (DRP):** Both must be documented, approved by senior management, and reviewed at least annually. DRP must address IT system recovery sequencing and failover procedures.
**Testing & Exercises:** SAMA expects regular tabletop exercises (at minimum annually) and full DR drills. Test results must be documented, gaps identified, and improvement actions tracked.
**Communication Plans:** BCPs must include internal escalation paths and external stakeholder communication protocols, including notification to SAMA in cases of significant operational disruptions.
**Third-Party Resilience:** Fintechs must validate the BCM posture of critical technology vendors (e.g., cloud providers, payment processors) as part of their overall resilience strategy.
**ISO 22301 Alignment:** While not explicitly mandated, aligning your BCM program with ISO 22301 significantly eases SAMA audit readiness and demonstrates a mature, internationally recognized approach to operational resilience.
Fintechs should treat BCM not as a compliance checkbox, but as a core operational risk discipline that directly protects customer trust and regulatory standing.
Was this helpful?
Business Continuity Management (BCM) is a critical compliance obligation for Saudi financial institutions. Both SAMA CSF and NCA ECC set explicit expectations that institutions must meet.
**SAMA CSF Requirements (Control Domain 3.4):**
SAMA requires a formal BCM program covering Business Impact Analysis (BIA), Business Continuity Plans (BCP), and Disaster Recovery Plans (DRP). Key mandates include:
- RTO (Recovery Time Objective) and RPO (Recovery Point Objective) must be defined per critical system
- BCP must be tested at minimum annually through tabletop exercises, and full DR failover tests at least every two years
- SAMA expects BCM to align with the institution's risk appetite and be approved by senior management
**NCA ECC Requirements (Article 2-13):**
NCA ECC mandates resilience controls including redundant systems, failover capabilities, and documented recovery procedures. Institutions must ensure cybersecurity continuity is embedded within the broader BCM framework.
**Practical Implementation Steps:**
1. Conduct a formal BIA to identify critical business processes and their dependencies
2. Define RTOs and RPOs in alignment with SAMA's operational resilience thresholds
3. Develop tiered BCP and DRP documents covering people, process, and technology
4. Establish an alternate site (hot, warm, or cold standby) for critical banking operations
5. Integrate cyber incident scenarios into BCP testing, including ransomware and DDoS simulation
6. Maintain an annual test schedule and document results with lessons learned
**PDPL Consideration:**
Under Saudi PDPL, personal data must remain protected even during disaster recovery operations. Ensure DR environments enforce the same data protection controls as production.
Was this helpful?
Business Continuity Management under SAMA CSF is governed primarily by Domain 4 (Cyber Resilience), which mandates that Member Organizations establish, maintain, and test a comprehensive BCM program. Here are the core requirements and implementation steps:
**1. BCM Policy & Governance (SAMA CSF Control 4.1)**
Establish a board-approved BCM policy that defines RTO (Recovery Time Objective) and RPO (Recovery Point Objective) thresholds for critical banking systems. Assign a dedicated BCM owner at the senior management level.
**2. Business Impact Analysis (BIA)**
Conduct a formal BIA annually to identify critical business functions, dependencies, and acceptable downtime limits. For core banking systems, SAMA expects RTO to typically not exceed 4 hours for Tier-1 institutions.
**3. Disaster Recovery Planning (SAMA CSF Control 4.3)**
Maintain a documented and tested Disaster Recovery Plan (DRP) covering IT systems, data centers, and third-party dependencies. DR sites must be geographically separated and tested at least annually through full failover exercises.
**4. Testing & Exercising**
SAMA CSF requires at minimum annual tabletop exercises and bi-annual technical DR drills. Results must be documented, gaps remediated, and evidence retained for regulatory review.
**5. Alignment with NCA ECC**
NCA ECC Article 3-8 also addresses resilience requirements. Ensure your BCM program satisfies both frameworks to avoid duplicate audit findings.
**Practical Tip:** Integrate your BCM program with your Cyber Incident Response Plan (CIRP) so that a major cyber incident automatically triggers BCM protocols. This alignment is increasingly scrutinized during SAMA on-site examinations.
Was this helpful?
Business Continuity Management (BCM) is a mandatory component under SAMA CSF Domain 4 and NCA ECC Control 2-10, requiring Saudi financial institutions to maintain resilient operations against disruptions, cyber incidents, and disasters.
**SAMA CSF BCM Requirements (Domain 4.1):**
- Develop and maintain a formal Business Continuity Policy approved by senior management
- Conduct Business Impact Analysis (BIA) to identify critical business functions and their maximum tolerable downtime (MTD)
- Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems — for core banking, SAMA typically expects RTO within 4 hours
- Establish and test Disaster Recovery Plans (DRP) for IT systems at least annually through simulated exercises
**NCA ECC Control 2-10 Alignment:**
- Requires cybersecurity considerations to be embedded within BCM, including cyber-specific recovery scenarios
- Mandates that BCM plans account for ransomware, DDoS, and supply chain disruption scenarios
**Testing & Exercises:**
- Tabletop exercises, functional drills, and full failover tests must be documented
- Results, gaps, and corrective actions must be formally recorded and tracked
- SAMA examiners will request evidence of test outcomes during assessments
**Integration with Incident Response:**
- BCM and Incident Response Plans must be aligned to avoid conflicting procedures during crisis activation
- Assign clear crisis communication roles including regulatory notification to SAMA within required timeframes
**Practical Tip:** Establish a BCM Steering Committee with cross-functional representation (IT, Operations, Risk, Legal) to ensure enterprise-wide ownership and alignment with SAMA's governance expectations.
Was this helpful?
Business Continuity Management (BCM) is a critical regulatory obligation for Saudi financial institutions under SAMA CSF Domain 4, specifically Controls 4.3.1 through 4.3.6. A compliant BCM program must address the following areas:
**1. Business Impact Analysis (BIA):**
- Identify and classify critical business processes, their dependencies, and maximum tolerable downtime (MTD).
- Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical system.
- BIA results must be reviewed and updated at least annually or after major changes.
**2. Business Continuity Plan (BCP) Development:**
- Document detailed recovery procedures for all critical functions.
- Assign clear roles, responsibilities, and escalation paths.
- Plans must address both cyber-incident-triggered disruptions and physical/environmental events.
**3. Disaster Recovery (DR) Planning:**
- Maintain a tested, operational DR site — SAMA expects financial institutions to have geographically separated primary and secondary data centers.
- DR failover capabilities must meet defined RTO/RPO commitments.
**4. Testing and Exercising:**
- SAMA CSF Control 4.3.5 requires regular BCM testing, including tabletop exercises and full failover drills.
- Testing must be conducted at least annually, with results documented and lessons learned incorporated.
**5. Integration with Cyber Incident Response:**
- BCM must be tightly integrated with the Cyber Incident Response Plan (CIRP) to ensure seamless activation during cybersecurity incidents.
**6. Governance and Reporting:**
- BCM program ownership should sit at the executive level (COO or CRO), with the CISO responsible for the cyber resilience component.
- Annual BCM reports must be presented to the Board Risk Committee.
Key practical advice: Regulators increasingly scrutinize the gap between documented plans and actual tested capabilities — invest in realistic simulation exercises.
Was this helpful?
Under SAMA CSF Domain 4 (Operational Resilience), Saudi financial institutions must establish a comprehensive Business Continuity Management program that addresses both technology and operational risks. Key requirements include:
**1. BCP Documentation & Governance:** Per SAMA CSF Control 4.1, institutions must maintain formally approved BCM policies, define clear ownership at the board level, and embed BCM into strategic planning cycles.
**2. Business Impact Analysis (BIA):** Control 4.2 requires a structured BIA that identifies critical business functions, maximum tolerable downtime (MTD), recovery time objectives (RTO), and recovery point objectives (RPO) for all core banking systems.
**3. Testing & Exercising:** SAMA mandates at least annual BCM tests, including tabletop exercises and full simulation drills. Results must be documented and remediation actions tracked.
**4. IT Disaster Recovery Alignment:** BCM must be integrated with IT Disaster Recovery Plans (DRP), ensuring that DR environments — whether on-premises or cloud-hosted — are tested independently and meet SAMA's data residency expectations.
**5. Third-Party Coverage:** BCM scope must extend to critical service providers. Vendors supporting core banking, payment processing, or data hosting must demonstrate their own BCM capabilities contractually.
**6. PDPL Alignment:** When activating recovery procedures, institutions must ensure personal data processed during failover scenarios remains protected per PDPL Article 19 obligations.
Practically, institutions should maintain a BCM register, schedule quarterly reviews, and report BCM status to the board risk committee at least semi-annually. SAMA may request BCM documentation during regulatory inspections, so audit-readiness is essential.
Was this helpful?
Business Continuity Management (BCM) is a critical regulatory obligation for Saudi banks under SAMA CSF Domain 3.4 (Resilience) and is further reinforced by SAMA's dedicated Business Continuity Management Guidelines. Here is a structured approach to achieving full compliance:
**1. Establish a Formal BCM Program:**
SAMA requires a board-approved BCM policy that defines Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems. For core banking platforms, RTOs are typically expected to be four hours or less.
**2. Conduct Business Impact Analysis (BIA):**
Identify critical business functions, their dependencies on IT systems, and the financial/reputational impact of disruption. The BIA must be reviewed annually and after significant organizational changes.
**3. Develop and Maintain Plans:**
You need three interconnected plans:
- Business Continuity Plan (BCP): Covers operational continuity
- IT Disaster Recovery Plan (DRP): Covers technical recovery of systems
- Crisis Communication Plan: Covers internal and SAMA notification procedures
**4. Testing Requirements:**
SAMA CSF mandates regular testing — tabletop exercises at minimum annually, and full failover DR tests at least once per year. Results must be documented and gaps remediated.
**5. Third-Party Dependencies:**
BCM must account for critical vendor dependencies. If a core system provider experiences outage, your plan must address continuity.
**6. SAMA Notification:**
In the event of a significant disruption impacting customer services, SAMA expects notification within defined timeframes per the incident reporting framework.
Integrating your BCM documentation into a centralized GRC platform ensures version control, audit trails, and real-time test tracking.
Was this helpful?
Business continuity management under SAMA CSF (Domain 4, Controls 4.3.1–4.3.6) requires Saudi financial institutions to maintain a comprehensive, tested, and regularly updated BCM program. Key requirements include: (1) **Business Impact Analysis (BIA):** Identify critical business functions, acceptable recovery time objectives (RTO), and recovery point objectives (RPO) for all core banking systems. (2) **Business Continuity Plan (BCP):** Document recovery procedures for people, processes, technology, and facilities. Plans must cover scenarios including cyberattacks, not just natural disasters. (3) **Disaster Recovery (DR):** Maintain a geographically separated DR site within the Kingdom, with data replication aligned to RPO targets. SAMA requires DR sites to be activated and tested at least annually. (4) **Testing and Exercises:** Conduct tabletop exercises and full DR failover tests at least once per year. Results must be documented, gaps remediated, and evidence retained for SAMA examination. (5) **Third-Party Dependencies:** Map and address continuity risks from critical service providers, including cloud vendors and payment networks. Practically, banks should assign a dedicated BCM owner, integrate BCM into the overall risk management framework, and ensure board-level sign-off on the BCP annually. SAMA examiners will review test evidence, BIA documentation, and board minutes during assessments. Fintechs operating under SAMA oversight are equally subject to these requirements and must demonstrate proportional BCM maturity relative to their operational scale.
Was this helpful?
Business Continuity Management (BCM) for Saudi financial institutions sits at the intersection of operational resilience and regulatory compliance. SAMA CSF Domain 3.6 mandates a fully documented BCM framework that includes Business Impact Analysis (BIA), Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and tested Disaster Recovery Plans (DRP).
Key implementation steps include: (1) Conduct a BIA identifying critical business processes, dependencies, and acceptable downtime thresholds — SAMA expects RTOs for critical systems to be no more than 4 hours; (2) Develop and maintain a Business Continuity Plan (BCP) covering crisis communication, staff roles, and alternate processing sites; (3) Test your BCP at least annually through tabletop exercises, simulations, or full failover drills, with results documented and presented to the Board; (4) Integrate cyber incident scenarios — ransomware, DDoS, and data breach — into your continuity planning, aligning with SAMA CSF Control 3.6.5.
The PDPL dimension adds a critical data protection layer: if a business disruption involves personal data unavailability or breach, Article 24 of PDPL requires notification to the Saudi Data & AI Authority (SDAIA) within a defined timeframe. Your BCP must therefore include a data breach response workflow that triggers PDPL notification obligations simultaneously with operational recovery.
Best practice is to align your BCM documentation with ISO 22301, which SAMA accepts as a recognized standard, and to cross-reference NCA ECC controls 2-15 for cybersecurity resilience requirements. Our platform provides BCM templates pre-mapped to all relevant frameworks.
Was this helpful?
SAMA CSF Domain 4 — Business Continuity Management — sets comprehensive expectations for Saudi financial institutions to maintain operational resilience. A compliant BCM program must cover the following pillars: (1) Business Impact Analysis (BIA): Per SAMA CSF Control 4.1.2, conduct a formal BIA at least annually to identify critical business functions, Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO) for all critical systems including core banking, payment infrastructure, and digital channels. (2) BCM Policy and Governance: Establish a board-approved BCM policy with clearly defined roles, responsibilities, and escalation paths. The CISO and BCM owner must coordinate closely, as cybersecurity incidents are a primary BCM trigger. (3) Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs): Develop and maintain tested BCPs for all critical business units and technical DRPs for IT systems. Plans must be reviewed after every significant incident or change, and at minimum annually. (4) Testing and Exercises: SAMA CSF Control 4.3 requires regular BCM tests — including tabletop exercises, functional drills, and full failover tests for critical systems. Results must be documented and findings tracked to closure. (5) Crisis Communication: Define internal and external communication protocols covering regulators (SAMA, NCA), customers, and media. (6) Third-Party Dependencies: Map BCM obligations to critical vendors and ensure contractual alignment. Integrate your BCM program into your GRC platform to maintain living documentation, automate test scheduling, and generate audit-ready reports for SAMA examinations.
Was this helpful?
Under SAMA CSF Domain 3 (Cybersecurity Operations), specifically Controls 3.3.1 through 3.3.5, Saudi banks must implement a comprehensive Identity and Access Management program addressing several critical areas:
**Privileged Access Management (PAM):** All privileged accounts (system administrators, database admins, network engineers) must be inventoried, subject to multi-factor authentication (MFA), and monitored via privileged access workstations. Standing privileged access should be minimized in favor of just-in-time (JIT) access models.
**Least Privilege Principle:** Role-based access control (RBAC) must be enforced across all systems, with access rights reviewed at minimum semi-annually. Segregation of duties (SoD) controls must prevent any single user from having end-to-end control over critical financial transactions.
**User Lifecycle Management:** Onboarding, transfer, and offboarding procedures must be formally documented. Departing employees' access must be revoked within 24 hours of termination, with immediate revocation for involuntary departures.
**Directory Services:** Active Directory or equivalent identity providers must enforce password complexity, account lockout thresholds, and session timeout policies aligned with SAMA CSF Appendix requirements.
**Third-Party and Vendor Access:** Remote vendor access must be time-limited, logged, and conducted through secure jump servers or PAM solutions — never via shared credentials.
From an ISO 27001 alignment perspective (Annex A Control 5.15–5.18), these requirements map directly to information access controls and privileged access procedures.
**Practical Recommendation:** Conduct a quarterly IAM audit using your GRC platform to flag orphaned accounts, excessive privileges, and SoD violations before your SAMA assessment cycle. Document all exceptions with formal risk acceptance sign-off from your CISO.
Was this helpful?
Cybersecurity governance is the foundational pillar that regulators evaluate first during SAMA examinations. Building a robust governance structure requires deliberate mapping between SAMA CSF and ISO 27001.
**SAMA CSF Governance Requirements:**
SAMA CSF Domain 1 (Cybersecurity Leadership and Governance) requires financial institutions to establish a Board-approved Cybersecurity Strategy, a dedicated Cybersecurity Function reporting to senior management, and a formal Cybersecurity Policy Framework. Control 1.1 mandates that the Board receive cybersecurity risk reports at least quarterly, and the CISO role must have clear independence from IT operations.
**ISO 27001 Alignment:**
ISO 27001:2022 Clause 5 (Leadership) and Clause 6 (Planning) directly complement SAMA CSF Domain 1. Institutions can leverage an ISO 27001-certified ISMS as documented evidence during SAMA assessments, demonstrating control implementation across Annex A domains. Gap analysis should map each SAMA CSF control to its ISO 27001 counterpart to eliminate duplication of effort.
**Practical Governance Structure:**
1. Establish a Cybersecurity Steering Committee chaired by the CEO or COO with CISO, CRO, and Business Unit representation.
2. Define a three-lines-of-defence model: Security Operations (1st), Risk & Compliance (2nd), Internal Audit (3rd).
3. Develop a Policy Framework with a Master Cybersecurity Policy, supported by topic-specific standards (e.g., Access Control, Encryption, Incident Response).
4. Implement a cybersecurity KRI/KPI dashboard reported to the Board Risk Committee quarterly per SAMA CSF Control 1.2.
5. Schedule annual governance framework reviews aligned with ISO 27001 management review cycles.
Institutions that integrate both frameworks reduce audit fatigue significantly while achieving a stronger overall security posture.
Was this helpful?
Security awareness training is a foundational control under both SAMA CSF (Domain 2.3 – Human Resource Security) and NCA ECC (Control 1-3 – Cybersecurity Awareness and Training). Saudi financial institutions must implement structured, role-based training programs that address the following requirements:
**SAMA CSF Requirements:**
- All staff must complete cybersecurity awareness training at least **annually**, with records maintained for audit purposes.
- Privileged users and IT/security personnel require **specialized, role-based training** covering topics such as secure development, incident handling, and access management.
- New joiners must complete onboarding security training **before or immediately upon** gaining access to systems.
**NCA ECC Requirements:**
- Control 1-3 mandates a formal Cybersecurity Awareness Program with defined objectives, target audiences, delivery methods, and measurable KPIs.
- Training must cover phishing, social engineering, password hygiene, acceptable use policies, and incident reporting procedures.
**Practical Implementation Guidance:**
1. Conduct an annual training needs assessment segmented by job role.
2. Use a Learning Management System (LMS) to deliver, track, and report training completion.
3. Run simulated phishing campaigns quarterly to measure behavioral change.
4. Document all training completion records and present them during SAMA regulatory examinations.
5. Include third-party contractors and vendors with access to sensitive systems in the training scope.
Non-compliance with these controls is a common finding during SAMA onsite inspections and can result in a lower maturity rating, impacting your institution's overall CSF assessment score.
Was this helpful?
Under SAMA CSF Control 3.3.1 (Human Resources Security), Saudi financial institutions are required to implement a formal, risk-based cybersecurity awareness and training program covering all employees, contractors, and privileged users. The program must be conducted at least annually, with role-specific training for personnel handling sensitive data or critical systems. Key requirements include: (1) Onboarding security orientation for all new hires before system access is granted; (2) Annual refresher training covering phishing, social engineering, password hygiene, and data handling; (3) Specialized technical training for IT, security, and developer teams aligned with their specific risk exposure; (4) Phishing simulation exercises to measure and improve employee vigilance; (5) Board and senior management briefings on cyber risk governance. Training effectiveness must be measured through KPIs such as phishing click-through rates, quiz scores, and completion rates, and documented for regulatory review. SAMA expects evidence of training records during examinations. Institutions should also align their programs with NCA ECC Article 2-8, which reinforces human security controls. Practical tip: Integrate awareness training into your GRC platform to automate scheduling, track completion, generate audit-ready reports, and trigger remediation workflows for employees who fail simulated phishing tests.
Was this helpful?
Cyber incident response for Saudi banks is governed primarily by SAMA CSF Control 3.5 (Cybersecurity Incident Management), which requires institutions to maintain a formally documented Incident Response Plan (IRP) that is tested at least annually through tabletop exercises or simulations. The IRP must define clear roles, escalation paths, containment procedures, and recovery objectives.
From a regulatory reporting perspective, SAMA requires that significant cybersecurity incidents — particularly those affecting customer data, core banking systems, payment infrastructure, or public-facing services — be reported to SAMA within 72 hours of detection. This timeline aligns with PDPL Article 27 requirements for personal data breach notification to the Saudi Data and Artificial Intelligence Authority (SDAIA). For critical infrastructure incidents, NCA ECC Article 4-3 may trigger parallel reporting obligations to the National Cybersecurity Authority.
The definition of a 'reportable' incident under SAMA typically includes: unauthorized access to customer accounts, ransomware or destructive malware affecting operations, DDoS attacks causing service unavailability exceeding defined thresholds, data exfiltration, and fraudulent transactions linked to a systemic compromise.
Post-incident, SAMA expects a formal Root Cause Analysis (RCA) report within 30 days, along with a remediation roadmap. Institutions must also maintain an incident log and demonstrate lessons-learned integration into their security controls.
Practically, your GRC platform should automate incident intake, classification by severity, and stakeholder notification workflows — ensuring that your team can trigger the right regulatory reporting chain within the 72-hour window without relying on manual processes under pressure.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (People), Saudi financial institutions are required to implement a structured, role-based cybersecurity awareness and training program covering all staff, contractors, and third parties with access to critical systems. At minimum, programs must include: (1) Annual mandatory awareness training for all employees, with documented completion records; (2) Specialized technical training for IT and security personnel, aligned with their specific responsibilities; (3) Executive and board-level briefings on cyber risk governance; and (4) Phishing simulation exercises conducted at least quarterly. Programs should be mapped to real threats facing the Saudi financial sector, including social engineering, credential theft, and BEC (Business Email Compromise) attacks. Per SAMA CSF Control 3.3.2, institutions must maintain training completion metrics and report gaps to senior management. Practical structuring guidance: segment your curriculum into tiers — general staff, privileged users, developers, and executives — with differentiated content for each. Integrate PDPL obligations into training so employees understand data handling responsibilities. Leverage e-learning platforms with Arabic-language content to ensure accessibility across all workforce segments. Training effectiveness must be measured through post-training assessments, phishing click-rate tracking, and annual program reviews. Non-compliance in this domain is frequently cited in SAMA examination findings, making it a high-priority area for CISOs in Saudi banking.
Was this helpful?
Under SAMA CSF Control 3.3.1 (Security Awareness and Training), Saudi banks and financial institutions are required to establish a formal, risk-based Security Awareness and Training program that covers all employees, contractors, and privileged users. Here's a practical implementation roadmap:
**Program Structure:**
- Conduct an annual training needs assessment aligned to your organization's risk profile
- Develop role-based curricula: general staff, IT teams, and senior management each have distinct learning paths
- Include mandatory onboarding training for new hires and third-party staff with system access
**Content Requirements:**
- Social engineering, phishing simulation, and business email compromise (BEC) scenarios relevant to Saudi financial sector threats
- PDPL data handling obligations and confidentiality responsibilities
- Incident reporting procedures and escalation channels
- Acceptable use policies for critical systems
**Delivery & Frequency:**
- Minimum annual refresher training for all staff, with quarterly phishing simulations recommended
- Blended learning: e-learning modules, in-person workshops, and simulated attack exercises
- NCA ECC-3.3 also reinforces the need for continuous awareness campaigns, not just point-in-time training
**Measurement & Reporting:**
- Track completion rates, phishing click rates, and knowledge assessment scores
- Report program effectiveness to senior management and the board at least annually
- Use metrics to justify budget and demonstrate compliance during SAMA regulatory examinations
A mature SAT program is a leading indicator of your overall cybersecurity culture. Platforms like CISO Consulting can help automate tracking, generate compliance evidence, and align training content to your current threat landscape.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 4 (Third-Party Management) and NCA ECC-1:2018 Control 3-8. Financial institutions must implement a structured lifecycle approach covering four key stages:
**1. Vendor Due Diligence & Onboarding:** Before engagement, conduct cybersecurity risk assessments for all vendors with access to sensitive systems or data. SAMA CSF requires classification of vendors by criticality tier, which directly determines the depth of assessment required.
**2. Contractual Security Requirements:** Embed mandatory security clauses into all vendor contracts, including right-to-audit provisions, incident notification SLAs (typically 24–72 hours per SAMA expectations), data handling obligations aligned with PDPL Article 29, and minimum acceptable security standards such as ISO 27001 certification.
**3. Continuous Monitoring:** Implement ongoing monitoring through annual reassessments for critical vendors, automated supply chain threat intelligence feeds, and periodic review of vendor security posture reports. NCA ECC Control 3-8-4 specifically mandates monitoring third-party access to organizational systems.
**4. Offboarding & Access Revocation:** Establish formal procedures for secure vendor offboarding, ensuring immediate revocation of access credentials and secure data return or destruction per PDPL requirements.
Practical recommendation: Maintain a centralized vendor risk register integrated into your GRC platform, enabling real-time risk scoring and automated compliance reporting. SAMA examiners routinely inspect TPRM documentation during regulatory reviews, so audit-ready records are essential. For fintechs leveraging multiple SaaS providers, prioritize vendors processing payment data or holding customer PII as your highest-risk tier.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 4 (Third Party Management), which requires financial institutions to establish a structured, risk-based process for managing vendor and supplier cybersecurity risks throughout the relationship lifecycle.
**Key Requirements:**
- **Pre-onboarding Assessment:** Before engaging any third party with access to systems or sensitive data, conduct a cybersecurity due diligence assessment. Evaluate the vendor's security posture, certifications (e.g., ISO 27001), and compliance with NCA ECC controls.
- **Contractual Controls (per SAMA CSF Control 4.2):** Embed mandatory cybersecurity clauses in all vendor contracts, including the right to audit, incident notification obligations (within 72 hours), data handling requirements aligned with PDPL, and termination rights upon material breach.
- **Ongoing Monitoring:** Implement continuous monitoring for critical vendors — this includes periodic reassessments (at least annually), reviewing security incident reports, and conducting on-site or remote audits.
- **Tiered Risk Classification:** Categorize vendors by risk level (Critical, High, Medium, Low) based on data access, system integration depth, and regulatory sensitivity. Apply proportionate controls accordingly.
- **Exit Strategy:** Maintain documented exit and transition plans to ensure business continuity if a third party fails or is terminated.
**Practical Tip:** Use a standardized vendor questionnaire mapped to SAMA CSF and NCA ECC controls. For cloud service providers, additionally apply the NCA Cloud Cybersecurity Controls (CCC) framework. Document all assessments in your GRC platform for audit readiness and regulatory inspection by SAMA examiners.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Third-Party Management), Saudi financial institutions must implement a structured TPRM program covering the full vendor lifecycle. Here is a practical framework:
**1. Vendor Classification & Risk Tiering**
Categorize vendors by criticality — Tier 1 (critical/high-risk, e.g., core banking providers, cloud hosts), Tier 2 (moderate), and Tier 3 (low-risk). Per SAMA CSF Control 3.3.2, due diligence depth must match the vendor's risk tier.
**2. Pre-Onboarding Due Diligence**
Before contracting, assess vendors against: cybersecurity posture (ISO 27001 certification or equivalent), data handling practices aligned with PDPL obligations, sub-contractor exposure, and financial stability. Obtain evidence of relevant certifications and conduct questionnaire-based assessments.
**3. Contractual Safeguards**
Contracts must include: right-to-audit clauses, cybersecurity incident notification obligations (within 72 hours per PDPL Article 19 if personal data is involved), data residency requirements (Saudi Arabia for sensitive financial data), and SLA-linked security KPIs.
**4. Continuous Monitoring**
Conduct annual reassessments for Tier 1 vendors and biennial reviews for Tier 2. Use automated threat intelligence feeds to monitor vendor breach news and security ratings.
**5. Offboarding Controls**
Ensure secure data deletion, certificate revocation, and access termination upon vendor exit — documenting closure per SAMA CSF Control 3.3.5.
**NCA ECC Alignment:** NCA ECC Article 2-8 reinforces third-party controls for government-adjacent financial entities.
Our GRC platform automates vendor questionnaires, tracks remediation timelines, and generates SAMA-ready TPRM reports — reducing manual effort by up to 60%.
Was this helpful?
Third-party risk management is a critical compliance obligation for Saudi financial institutions. Under SAMA CSF Control 3.3, member organizations must establish a formal TPRM framework that covers the entire vendor lifecycle — from onboarding due diligence through contract management to offboarding. NCA ECC Article 2-14 further mandates that critical suppliers undergo cybersecurity assessments before being granted access to organizational systems or data.
A robust TPRM program should include the following components:
**1. Vendor Classification & Tiering:** Categorize vendors by criticality (Tier 1–3) based on data access, system integration depth, and business dependency. Critical fintech partners and cloud providers typically fall into Tier 1 and require the most rigorous oversight.
**2. Pre-Onboarding Assessment:** Conduct cybersecurity due diligence using standardized questionnaires aligned with SAMA CSF domains. Verify ISO 27001 certification where applicable and review SOC 2 Type II reports for cloud vendors.
**3. Contractual Obligations:** Ensure all vendor contracts include cybersecurity clauses covering incident notification timelines (within 24 hours per SAMA guidelines), right-to-audit provisions, and data handling obligations consistent with PDPL Article 19.
**4. Continuous Monitoring:** Implement ongoing risk scoring using threat intelligence feeds and periodic reassessments — at least annually for Tier 1 vendors.
**5. Concentration Risk:** SAMA expects boards to be aware of concentration risk when multiple critical services depend on a single third party.
CISOs should maintain a centralized vendor risk register and present quarterly TPRM status reports to the board's risk committee. Regulators increasingly scrutinize TPRM maturity during SAMA examinations, making documentation and evidence collection as important as the controls themselves.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Third-Party Management), Saudi banks must implement a structured, risk-based approach to managing vendor and supplier relationships. Here's a practical framework:
**Pre-Onboarding Due Diligence:** Before engaging any third party with access to systems or data, conduct a formal cybersecurity risk assessment. Evaluate the vendor's security posture against SAMA CSF and ISO 27001 standards. Require evidence of certifications, audit reports (SOC 2, ISO 27001), and completed security questionnaires.
**Contractual Obligations:** All third-party contracts must include cybersecurity clauses covering data protection, incident notification timelines (typically 72 hours per PDPL obligations), right-to-audit provisions, and compliance with NCA ECC requirements where applicable.
**Tiered Risk Classification:** Classify vendors into Critical, High, Medium, and Low risk tiers based on their access level, data sensitivity, and operational dependency. Critical vendors (e.g., core banking system providers, cloud infrastructure) require annual reassessments and on-site audits.
**Continuous Monitoring:** Implement ongoing monitoring through periodic questionnaires, security ratings platforms, and review of vendor security bulletins. SAMA expects banks to maintain an updated third-party inventory with associated risk scores.
**Exit Strategy:** Document formal off-boarding procedures including data return/destruction certificates and access revocation timelines.
Practically, assign a dedicated Third-Party Risk Owner within your GRC team and integrate vendor assessments into your enterprise risk register. Regulators increasingly scrutinize supply chain risk, particularly for cloud and fintech partnerships, so documented evidence of this program is essential during SAMA examinations.
Was this helpful?
Third-party risk management is a critical obligation under SAMA CSF Domain 4 (Third Party Management), which requires Saudi banks to establish a formal, risk-based vendor management program. Here's how to implement it effectively:
**1. Vendor Classification & Risk Tiering:**
Classify all third parties (cloud providers, fintech partners, IT vendors) based on data sensitivity, criticality of services, and access levels. SAMA CSF requires higher scrutiny for vendors with access to critical systems or customer data.
**2. Pre-Onboarding Due Diligence:**
Before engagement, conduct cybersecurity assessments including review of ISO 27001 certifications, SOC 2 reports, and NCA ECC alignment. Require vendors to complete a security questionnaire aligned with SAMA CSF controls.
**3. Contractual Security Requirements:**
Embed cybersecurity clauses in all vendor contracts covering: incident notification timelines (per SAMA CSF Control 4.3), data handling obligations under PDPL, right-to-audit provisions, and minimum security standards.
**4. Continuous Monitoring:**
Don't treat vendor risk as a one-time assessment. Implement continuous monitoring through annual reassessments, periodic penetration testing of vendor-connected interfaces, and real-time threat intelligence on critical suppliers.
**5. Offboarding Controls:**
Ensure data return/deletion processes are documented and verified upon contract termination, aligning with PDPL Article 19 on data retention.
**Practical Tip:** Maintain a centralized vendor risk register reviewed quarterly by your risk committee. SAMA examiners frequently assess the maturity of your third-party risk program during regulatory reviews, so documentation quality matters as much as the controls themselves.
Was this helpful?
Under SAMA CSF Domain 3.3 (Third-Party Management), Saudi banks must implement a structured TPRM program that spans the entire vendor lifecycle — from onboarding through offboarding.
**Key Requirements:**
1. **Risk Classification**: Categorize vendors by criticality (Tier 1: critical/outsourced core banking; Tier 2: significant access; Tier 3: limited exposure). SAMA CSF Control 3.3.2 mandates risk-based due diligence prior to engagement.
2. **Contractual Controls**: Ensure all vendor contracts include cybersecurity obligations, audit rights, incident notification clauses (within 72 hours per SAMA CSF 3.3.5), and data handling requirements aligned with PDPL Article 5.
3. **Ongoing Monitoring**: Conduct annual cybersecurity assessments for Tier 1 vendors, including review of their ISO 27001 certification, SOC 2 reports, or completion of a standardized questionnaire aligned with NCA ECC controls.
4. **Cloud and Outsourcing**: For cloud-based third parties, apply SAMA's Outsourcing Requirements and NCA Cloud Cybersecurity Controls (CCC-1 through CCC-4), ensuring data sovereignty requirements are met — particularly that sensitive customer data processed by third parties remains within approved jurisdictions.
5. **Offboarding**: Define secure data disposal and access revocation procedures documented per SAMA CSF 3.3.8.
**Practical Tip**: Maintain a centralized Third-Party Register with risk scores, assessment dates, and contractual compliance status. This register is frequently reviewed during SAMA regulatory examinations. Automating this within your GRC platform significantly reduces audit preparation time and ensures continuous compliance visibility.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation for Saudi financial institutions under SAMA CSF Domain 4 (Third-Party Management) and NCA ECC-1:2018 Article 3-5. Here is how to build a compliant program:
**1. Vendor Classification & Risk Tiering**
Classify vendors based on data access, criticality, and integration depth. SAMA CSF Control 4.3 requires a formal classification methodology distinguishing critical from non-critical suppliers.
**2. Pre-Onboarding Due Diligence**
Before engagement, conduct cybersecurity assessments including review of ISO 27001 certification, SOC 2 reports, and security questionnaires. Verify that cloud or SaaS vendors hosting financial data hold NCA approval where applicable.
**3. Contractual Security Requirements**
Embed security clauses covering data handling, breach notification timelines (PDPL requires notifying SDAIA within 72 hours), right-to-audit provisions, and minimum security controls aligned with SAMA CSF.
**4. Continuous Monitoring**
SAMA CSF Control 4.5 mandates ongoing oversight — not just point-in-time assessments. Use threat intelligence feeds, vendor security scorecards, and periodic reassessments (at least annually for critical vendors).
**5. Exit & Termination Procedures**
Document data return and secure deletion processes upon contract termination, ensuring no residual data exposure.
**6. Concentration Risk Awareness**
SAMA also expects boards to understand concentration risk — where multiple critical functions depend on a single third party.
A mature TPRM program protects your institution from supply-chain attacks and regulatory findings during SAMA examinations. Platforms like CISO Consulting can automate vendor risk scoring and map findings directly to SAMA CSF controls.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 3.3 (Third-Party Management), requiring Saudi banks to establish a structured program covering the full vendor lifecycle. Here's a practical approach:
**Pre-Engagement Assessment:** Before onboarding any vendor with access to systems or data, conduct a cybersecurity due diligence review. Per SAMA CSF Control 3.3.1, vendors must be classified based on risk level — critical, high, medium, or low — depending on data sensitivity, system access, and regulatory impact.
**Contractual Controls:** All vendor contracts must include cybersecurity clauses addressing data handling, incident notification timelines (typically 72 hours), audit rights, and compliance with PDPL obligations if personal data is involved.
**Ongoing Monitoring:** SAMA CSF Control 3.3.3 mandates periodic reassessment of vendor risk posture. For critical vendors, this should occur at least annually, including review of their ISO 27001 certifications, penetration test results, and SOC 2 reports where available.
**Exit Strategy:** Define clear data return and destruction procedures for vendor offboarding, aligned with NCA ECC Article 2-14 on data lifecycle management.
**Practical Tip:** Use a vendor risk register maintained within your GRC platform to automate assessment workflows, track remediation deadlines, and generate audit-ready evidence for SAMA examination teams. Fintech companies should pay particular attention to cloud service providers and payment processors, as these often carry the highest concentration of risk.
Was this helpful?
Security awareness training is often underestimated, yet it is explicitly mandated and audited under both SAMA CSF and NCA ECC. A well-structured program goes far beyond annual click-through videos.
**Regulatory Baseline:**
- SAMA CSF Control 3.2.1 requires a formal cybersecurity awareness and training program tailored to staff roles.
- NCA ECC Article 2-7 mandates periodic awareness campaigns covering phishing, social engineering, and acceptable use policies.
**Program Structure — What Auditors Look For:**
1. **Role-Based Training:** Generic training is insufficient. Segment your audience — executives require board-level briefings on cyber risk and governance; IT staff need technical deep-dives; general staff need phishing simulation and social engineering awareness.
2. **Frequency:** SAMA expects at least annual mandatory training with documented completion records. For high-risk roles (e.g., privileged users, finance teams), quarterly refreshers are strongly recommended.
3. **Phishing Simulations:** Run monthly or quarterly simulated phishing campaigns. Track click rates, report rates, and repeat offenders. Use results to trigger targeted remediation training — and maintain these records for SAMA examination.
4. **New Hire Onboarding:** Security awareness must be embedded in onboarding programs within the first 30 days of employment.
5. **Metrics and Reporting:** Report training completion rates, simulation results, and awareness KPIs to the CISO and board on a quarterly basis. This demonstrates a mature, measurable program.
6. **PDPL Awareness:** Since Saudi PDPL imposes personal liability on staff handling personal data, include dedicated modules on data handling, consent, and breach reporting obligations.
Document everything rigorously — training logs, attendance records, and phishing simulation reports are standard evidence requests during SAMA regulatory inspections.
Was this helpful?
Third-party risk management (TPRM) is a critical compliance obligation under SAMA CSF Domain 3 (Cybersecurity Risk Management), specifically controls 3.3.1 through 3.3.5, which require financial institutions to assess, monitor, and govern all third-party relationships that touch sensitive systems or data.
To build a compliant TPRM program, Saudi banks should:
1. **Vendor Classification**: Categorize all vendors by criticality — Tier 1 (critical/direct system access), Tier 2 (moderate risk), Tier 3 (low risk). SAMA CSF Control 3.3.2 mandates risk-based classification.
2. **Pre-Onboarding Due Diligence**: Conduct cybersecurity assessments before contract signing. This includes reviewing ISO 27001 certifications, SOC 2 reports, or equivalent evidence of security posture.
3. **Contractual Controls**: Ensure contracts include cybersecurity clauses covering incident notification timelines (typically 72 hours), right-to-audit provisions, and data handling obligations aligned with PDPL Article 19.
4. **Continuous Monitoring**: SAMA CSF requires ongoing oversight — not just point-in-time assessments. Use automated tools or periodic questionnaires to monitor Tier 1 vendors at least annually, and Tier 2 vendors biannually.
5. **Fourth-Party Risk**: Identify and assess sub-processors used by your critical vendors, particularly cloud providers or payment processors.
6. **Exit Strategy**: Maintain documented offboarding procedures to revoke access and retrieve or destroy data when vendor relationships end.
NCA ECC Article 2-14 further reinforces these obligations for entities within the national cybersecurity scope. Non-compliance with TPRM controls is a frequent finding in SAMA regulatory examinations and can result in formal corrective action plans.
Was this helpful?
Security awareness training is not optional for Saudi financial institutions — it is a formal regulatory requirement embedded in SAMA CSF Domain 3.2 (Human Resources Security), and a contributing control under NCA ECC Article 4.
**SAMA CSF Requirements:**
- **Control 3.2.1** requires institutions to implement a cybersecurity awareness program covering all employees, contractors, and privileged users.
- Training must be role-based: general staff receive phishing and social engineering awareness, while IT and security teams receive technically advanced content.
- New joiners must complete foundational cybersecurity training before or immediately after system access is granted.
- Annual refresher training is mandatory, with records maintained for audit purposes.
**What Makes a Program Effective:**
1. **Phishing Simulations:** Run monthly or quarterly simulated phishing campaigns and track click rates over time. SAMA examiners look for measurable improvement metrics.
2. **Role-Based Modules:** Tailor content for executives (social engineering, deepfake fraud), customer-facing staff (account takeover, vishing), and developers (secure coding, OWASP Top 10).
3. **Arabic-First Content:** Ensure training materials are delivered in Arabic to maximize comprehension and engagement across all staff levels.
4. **Metrics and Reporting:** Track completion rates, phishing simulation results, and knowledge assessment scores. Report quarterly to the CISO and annually to the board.
5. **Regulatory Scenario Training:** Include Saudi-specific scenarios — PDPL data handling, SAMA incident reporting obligations, and NCA notification duties.
**Exam Tip:** During SAMA examinations, auditors commonly request training completion records, phishing simulation reports, and evidence of board-level cybersecurity briefings. Maintain these artifacts meticulously to demonstrate a mature security culture.
Was this helpful?
Third-party risk management (TPRM) is a critical compliance obligation for Saudi financial institutions. Under SAMA CSF Domain 4 (Third Party Management), banks must establish a formal vendor risk management program that includes due diligence, contractual security requirements, and continuous monitoring.
Key implementation steps include:
**1. Vendor Classification & Due Diligence:** Categorize vendors by criticality and data access. Critical vendors handling sensitive financial or personal data must undergo comprehensive security assessments before onboarding, including reviewing their ISO 27001 certification status and security posture.
**2. Contractual Obligations:** All vendor contracts must include security clauses covering data protection (aligned with PDPL Article 29), right-to-audit provisions, incident notification timelines (typically 72 hours), and compliance with NCA ECC controls where applicable.
**3. Ongoing Monitoring:** SAMA CSF requires periodic reassessment — at minimum annually for critical vendors. This includes reviewing SOC 2 Type II reports, conducting questionnaire-based assessments, and tracking regulatory changes affecting your vendors.
**4. Cloud & SaaS Vendors:** For cloud service providers, NCA CCC (Cloud Computing Controls) compliance must be validated. SAMA also requires that data residency within Saudi Arabia is confirmed for sensitive financial data.
**5. Offboarding Procedures:** Ensure data return or destruction obligations are enforced contractually and operationally upon vendor termination.
Our GRC platform provides a structured TPRM module with pre-built vendor questionnaires mapped to SAMA CSF, NCA ECC, and PDPL, enabling compliance officers to track vendor risk scores, automate reassessment schedules, and generate audit-ready reports — saving significant manual effort.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation for Saudi financial institutions. Under SAMA CSF Control 3.3, banks must establish a formal vendor risk management program that classifies suppliers based on the sensitivity of data accessed and criticality of services provided.
Key implementation steps include:
**1. Vendor Classification & Due Diligence:** Categorize vendors as critical, important, or standard. Conduct pre-onboarding security assessments including reviewing SOC 2 Type II reports, ISO 27001 certifications, and financial stability indicators.
**2. Contractual Obligations:** All vendor contracts must include cybersecurity clauses covering data protection (aligned with PDPL Article 21), incident notification timelines (within 72 hours per SAMA CSF), audit rights, and right-to-terminate provisions.
**3. Continuous Monitoring:** Implement ongoing monitoring using automated tools to track vendor security posture. NCA ECC Article 3-4 requires organizations to assess the cybersecurity controls of cloud and technology service providers periodically.
**4. Concentration Risk:** SAMA guidelines warn against over-reliance on a single vendor, particularly for critical infrastructure. Maintain fallback arrangements and exit strategies.
**5. Subcontractor Oversight:** Ensure primary vendors disclose and control their own subcontractors who may access your data or systems.
Practically, institutions should maintain a vendor risk register, conduct annual reassessments for critical vendors, and include TPRM findings in quarterly board-level cybersecurity reports as required by SAMA CSF's governance domain. A GRC platform can automate vendor questionnaires, track remediation, and generate audit-ready evidence for SAMA examinations.
Was this helpful?
Third-party risk management is a critical obligation under SAMA CSF Domain 4 (Third Party Cybersecurity), which requires Saudi financial institutions to establish a structured vendor risk program across the entire supplier lifecycle.
**Key Requirements:**
- **Pre-onboarding Due Diligence (SAMA CSF 4.1):** Conduct cybersecurity risk assessments before contracting any third party with access to sensitive systems or data. This includes reviewing ISO 27001 certifications, SOC 2 reports, and NCA ECC alignment.
- **Contractual Obligations (SAMA CSF 4.2):** All vendor contracts must include cybersecurity clauses covering data handling, incident notification timelines (typically within 72 hours), right-to-audit provisions, and compliance with PDPL data processing requirements.
- **Continuous Monitoring (SAMA CSF 4.3):** Implement ongoing monitoring of critical vendors using tools such as security ratings platforms and periodic reassessments (at least annually for Tier-1 vendors).
- **Concentration Risk:** SAMA guidance also highlights the risk of over-reliance on single vendors, particularly for cloud or core banking services.
**Practical Steps:**
1. Classify vendors by criticality (Tier 1–3) based on data access and operational impact.
2. Develop a standardized vendor security questionnaire aligned to SAMA CSF and NCA ECC controls.
3. Include third-party incidents in your incident response runbooks.
4. Maintain a live vendor risk register reviewed quarterly by the CISO.
Non-compliance with third-party risk requirements can result in regulatory findings during SAMA examinations and reputational exposure.
Was this helpful?
Third-party risk management (TPRM) is a critical compliance obligation for Saudi financial institutions. Under SAMA CSF Control 3.3, banks must establish a formal vendor risk management program that includes pre-onboarding due diligence, contractual security requirements, and ongoing monitoring.
Key implementation steps include:
**1. Vendor Classification:** Categorize vendors by criticality — Tier 1 (critical/core systems), Tier 2 (significant), and Tier 3 (low-risk). Apply proportionate controls accordingly.
**2. Pre-Onboarding Assessment:** Require vendors to complete security questionnaires aligned with ISO 27001 Annex A controls and NCA ECC Article 2-14, which mandates that outsourced services meet equivalent cybersecurity standards.
**3. Contractual Obligations:** Contracts must include cybersecurity clauses covering incident notification timelines (typically within 24 hours per SAMA expectations), audit rights, data handling, and exit strategies.
**4. Continuous Monitoring:** Conduct annual reassessments for Tier 1 vendors and use automated tools (threat intelligence feeds, security ratings platforms) for real-time monitoring.
**5. Cloud Providers:** For cloud-based vendors, apply SAMA's Cloud Computing Framework requirements, including data residency confirmations for sensitive financial data within Saudi Arabia.
Practically, institutions should maintain a centralized vendor risk register, assign ownership per vendor, and integrate TPRM findings into the broader risk register reported to the board. Failure to manage third-party risk adequately is one of the most cited findings in SAMA regulatory examinations, making this a top-priority compliance area for CISOs and compliance officers alike.
Was this helpful?
Security Awareness Training (SAT) is a mandatory compliance requirement — not optional — for Saudi fintechs and financial institutions. Both SAMA CSF and NCA ECC explicitly require formal, ongoing awareness programs targeting all employees.
**Regulatory Requirements:**
- **SAMA CSF Control 3.2:** Mandates cybersecurity awareness programs covering phishing, social engineering, acceptable use policies, and incident reporting procedures. Programs must be role-based and conducted at least annually, with new hire onboarding training.
- **NCA ECC Article 2-5:** Requires organizations to implement cybersecurity awareness and training programs, maintain training records, and ensure personnel understand their cybersecurity responsibilities.
**Building an Effective SAT Program:**
**1. Role-Based Training Tracks:** Develop separate modules for general staff, IT/security teams, privileged users, executives, and developers. Each role faces distinct threats — developers need secure coding awareness, executives need spear-phishing and BEC (Business Email Compromise) training.
**2. Simulated Phishing Campaigns:** Run monthly or quarterly simulated phishing exercises. Track click rates and tailor follow-up training for vulnerable users. SAMA examiners frequently request phishing simulation data during reviews.
**3. Training Content Areas:** Cover password hygiene, data handling per PDPL, social engineering recognition, mobile device security, and insider threat awareness.
**4. Metrics and Reporting:** Track completion rates (target: 95%+), phishing simulation failure rates (target: below 5%), and post-training assessment scores. Present results quarterly to the CISO and annually to the board.
**5. Documentation:** Maintain training records for at least 3 years to support SAMA and NCA audit evidence requirements.
Integrating SAT into a broader human risk management strategy — rather than treating it as a checkbox exercise — significantly reduces the likelihood of successful social engineering attacks against your institution.
Was this helpful?
A robust Third-Party Risk Management (TPRM) program for Saudi financial institutions must address requirements across SAMA CSF Control Domain 3.3 and NCA ECC Article 2-7. Here is how to structure it effectively:
**1. Vendor Classification & Due Diligence:** Categorize all third parties by risk tier (critical, high, medium, low) based on data access, system integration depth, and service criticality. Per SAMA CSF Control 3.3.1, formal due diligence must be conducted before onboarding any vendor with access to financial or customer data.
**2. Contractual Obligations:** Ensure all vendor contracts include cybersecurity clauses covering data handling, incident notification timelines (within 72 hours per PDPL Article 27), audit rights, and compliance with NCA ECC standards. Offshore vendors must adhere to PDPL cross-border data transfer restrictions.
**3. Continuous Monitoring:** Implement ongoing monitoring through annual security assessments, quarterly performance reviews, and real-time threat intelligence feeds for critical vendors. SAMA CSF requires periodic reassessment aligned with vendor risk tier.
**4. Fourth-Party Risk:** Map your vendors' subcontractors to identify hidden concentration risks, particularly in cloud and payment processing chains.
**5. Incident Response Coordination:** Establish joint incident response procedures with critical vendors, ensuring alignment with your institution's overall IR plan per SAMA CSF Control 3.6.
**Practical Tip:** Maintain a centralized vendor registry with automated risk scoring updated at least annually. Regulators increasingly scrutinize TPRM documentation during SAMA examinations, so audit-ready records are essential.
Was this helpful?
Third-party risk management (TPRM) is a critical compliance obligation for Saudi financial institutions. Under SAMA CSF Control 3.3 (Third Party Management), member organizations must establish a formal vendor risk program that covers the entire supplier lifecycle — from onboarding through offboarding.
Key requirements include:
**1. Pre-Engagement Due Diligence:** Before contracting any vendor, conduct a cybersecurity risk assessment aligned with SAMA CSF Annex requirements. Classify vendors by criticality (e.g., Tier 1 for core banking system providers).
**2. Contractual Security Clauses:** Ensure all vendor contracts include mandatory cybersecurity clauses covering data protection, incident notification timelines (typically within 24-72 hours), audit rights, and compliance with PDPL obligations when personal data is shared.
**3. Continuous Monitoring:** NCA ECC Article 2-12 requires periodic reassessment of third-party risks. Implement quarterly or annual security reviews depending on the vendor's risk tier. Use standardized questionnaires (e.g., SIG Lite or a SAMA-aligned template).
**4. Cloud and SaaS Vendors:** For cloud service providers, ensure compliance with NCA CCC (Cloud Computing Controls) and verify that data residency requirements are met — critical for banks storing customer financial data.
**5. Incident Escalation Paths:** Define clear escalation procedures if a vendor experiences a breach that could impact your institution. This should align with your internal SAMA-required incident response plan.
Best practice is to maintain a centralized Vendor Risk Register reviewed by your CISO or vCISO quarterly. Failure to manage third-party risks has been a leading cause of regulatory findings during SAMA examinations.
Was this helpful?
Third-party risk management (TPRM) is a critical compliance obligation for Saudi financial institutions. Under SAMA CSF Control 3.3 (Third-Party Management), banks must establish a formal vendor risk program that covers the entire vendor lifecycle — from onboarding and due diligence through contract management to offboarding.
Key requirements include:
**1. Risk-Based Vendor Classification:** Categorize vendors by criticality (Tier 1–3) based on data access, system integration depth, and service criticality. Critical vendors providing core banking or cloud infrastructure services demand enhanced scrutiny.
**2. Pre-Engagement Due Diligence:** Before onboarding, assess vendors' security posture using standardized questionnaires aligned with NCA ECC controls. Obtain evidence of certifications such as ISO 27001, SOC 2, or equivalent.
**3. Contractual Security Obligations:** Per SAMA CSF Control 3.3.2, contracts must include mandatory cybersecurity clauses covering data protection, incident notification timelines (typically within 72 hours), audit rights, and compliance with Saudi regulations including PDPL.
**4. Ongoing Monitoring:** Conduct annual security assessments for Tier 1 vendors and periodic reviews for lower-tier suppliers. NCA ECC Article 2-6 emphasizes continuous monitoring of supply chain risks.
**5. Cloud and SaaS Vendors:** For cloud service providers, validate CSP compliance with NCA Cloud Cybersecurity Controls (CCC) and ensure data residency requirements within the Kingdom are met where applicable.
**6. Exit and Offboarding:** Ensure data destruction or return protocols are contractually mandated and verified upon vendor termination.
Practically, implement a centralized TPRM register within your GRC platform to track assessments, risk ratings, and remediation actions. This provides audit-ready documentation for SAMA regulatory examinations and NCA inspections.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 3.3 and NCA ECC-1: 2-7, requiring financial institutions to establish a structured vendor risk lifecycle.
**Key Steps for Compliance:**
1. **Vendor Classification:** Categorize all third parties based on data sensitivity, service criticality, and access level. Distinguish between Tier 1 (critical/direct system access) and lower tiers accordingly.
2. **Pre-Onboarding Due Diligence:** Before contracting, assess vendors using security questionnaires aligned with SAMA CSF controls. Require evidence of ISO 27001 certification or equivalent for critical vendors.
3. **Contractual Controls (per SAMA CSF 3.3.5):** Ensure contracts include cybersecurity clauses covering: data protection obligations, right-to-audit provisions, incident notification timelines (typically within 72 hours), and compliance with PDPL if personal data is shared.
4. **Ongoing Monitoring:** Conduct annual cybersecurity assessments for Tier 1 vendors. Use automated tools to monitor for supply chain vulnerabilities and threat intelligence related to your vendors.
5. **NCA ECC Alignment:** NCA ECC Article 2-7 specifically requires that outsourced services maintain security controls equivalent to the institution's own standards. Document this equivalency formally.
6. **Offboarding Procedures:** Ensure data deletion, access revocation, and documentation of secure vendor exit.
A practical starting point is building a Vendor Risk Register that tracks vendor criticality, last assessment date, identified gaps, and remediation status. This register should be reviewed quarterly by the CISO and presented to the board risk committee annually.
Was this helpful?
Third-party risk management is a critical obligation under SAMA CSF Domain 3 (Cyber Security Risk Management), specifically Controls 3.3.1 through 3.3.5, which require financial institutions to formally assess, govern, and monitor all third-party relationships that could impact cybersecurity posture.
A compliant TPRM program for Saudi banks should include the following components:
**1. Vendor Classification & Risk Tiering:** Categorize all vendors based on data access, system connectivity, and service criticality. Tier 1 vendors (e.g., core banking providers, cloud platforms) require full due diligence.
**2. Pre-Onboarding Due Diligence:** Conduct security assessments before engaging any vendor. This includes reviewing ISO 27001 certifications, SOC 2 reports, and questionnaire-based assessments aligned with NCA ECC controls.
**3. Contractual Safeguards:** Per SAMA CSF Control 3.3.3, contracts must include cybersecurity clauses covering data handling, breach notification timelines (aligned with PDPL Article 19's 72-hour notification obligation), right-to-audit provisions, and exit strategies.
**4. Continuous Monitoring:** Implement ongoing monitoring of critical vendors using threat intelligence feeds, security ratings platforms, and periodic reassessments — at minimum annually for Tier 1 vendors.
**5. Concentration Risk Management:** SAMA specifically flags concentration risk when multiple critical services rely on a single vendor or technology provider.
**6. Incident Coordination:** Establish clear escalation procedures for vendor-related security incidents, ensuring alignment with your own incident response plan.
Practically, banks should maintain a centralized vendor register within their GRC platform, automated assessment workflows, and audit-ready documentation. Non-compliance in this area has been a recurring finding in SAMA examinations across the Saudi financial sector.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under both SAMA CSF Domain 4.3 and NCA ECC-2: 1-5. Saudi financial institutions must implement a structured, risk-based TPRM lifecycle covering the following stages:
**1. Vendor Onboarding & Classification:** Classify vendors by criticality — Tier 1 (critical/core banking systems), Tier 2 (significant), and Tier 3 (low-risk). Per SAMA CSF Control 4.3.2, all critical vendors must undergo security due diligence before contract execution.
**2. Contractual Security Requirements:** Contracts must include cybersecurity clauses covering data protection (aligned with PDPL Article 21), incident notification timelines (typically 72 hours), audit rights, and compliance with applicable Saudi regulations.
**3. Ongoing Monitoring:** Conduct annual security assessments or questionnaires for Tier 1 vendors. NCA ECC recommends periodic reviews of vendor access privileges and security posture. Use standardized frameworks like shared assessments or CAIQ (CSA Cloud) for cloud vendors.
**4. Concentration Risk:** SAMA specifically highlights the risk of over-reliance on single vendors for critical services. Maintain documented contingency plans and alternative sourcing strategies.
**5. Offboarding:** Ensure secure data deletion, access revocation, and documentation per PDPL data retention requirements.
**Practical Tip:** Build a centralized vendor register with risk ratings, assessment dates, and contract expiry. Automate reassessment triggers using your GRC platform. Assign a dedicated TPRM owner within the information security function to maintain accountability and audit-readiness during SAMA examinations.
Was this helpful?
SAMA CSF Domain 3 (Cybersecurity Operations & Technology) and specifically Controls 3.3.1–3.3.5 mandate that financial institutions maintain and regularly test an Incident Response Plan (IRP). A tabletop or simulation exercise must be conducted at least annually, with critical institutions advised to run them semi-annually.
**Step 1 – Define Scope and Scenario**
Select a realistic scenario relevant to your institution (e.g., ransomware attack on core banking, BEC fraud targeting SWIFT transactions, or insider data exfiltration). Align the scenario with your institution's crown jewels and recent threat intelligence.
**Step 2 – Assemble the Right Stakeholders**
Involve IT security, legal, compliance, communications, operations, and senior management. SAMA CSF requires board-level awareness of cyber incidents, so including C-suite members in tabletop exercises is strongly recommended.
**Step 3 – Define Injects and Timelines**
Structure the exercise with pre-planned injects that simulate real decision points: initial alert triage, escalation thresholds, regulatory notification to SAMA (within 72 hours per SAMA CSF Control 3.3.4), and customer communication decisions.
**Step 4 – Regulatory Notification Simulation**
Practice drafting the mandatory incident notification to SAMA, ensuring it covers: incident type and classification, affected systems and data, containment actions taken, and recovery timeline estimates.
**Step 5 – Post-Exercise Lessons Learned**
Document all gaps, decision delays, and communication breakdowns. Create a remediation action plan with owners and deadlines. SAMA assessors will specifically look for evidence that lessons learned are tracked and closed.
Pro tip: Integrate NCA ECC Article 2-7 crisis management requirements into your exercise design if your institution is also subject to NCA oversight, ensuring dual-framework compliance in a single exercise.
Was this helpful?
Under SAMA CSF Domain 4 (Cyber Resilience), Saudi banks must establish a comprehensive Business Continuity Management (BCM) program that addresses both IT and cybersecurity dimensions. Key requirements include:
**1. BCP and DRP Development:** Per SAMA CSF Control 4.3, institutions must develop, document, and maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that explicitly cover cyber disruption scenarios — not just traditional outages.
**2. Recovery Time and Point Objectives:** Banks must define and validate RTO and RPO targets for critical systems, ensuring alignment with SAMA's operational resilience expectations. Core banking systems typically require RTOs under 4 hours.
**3. Regular Testing:** SAMA CSF requires BCM tests at least annually, including tabletop exercises and full failover drills. Test results must be documented and gaps remediated within defined timelines.
**4. Cyber Incident Integration:** BCP must be integrated with the Cyber Incident Response Plan (CIRP) to ensure seamless escalation from incident containment to business recovery.
**5. Third-Party Dependencies:** Critical third-party and outsourced service providers must be included in BCP scope, with contractual SLAs supporting recovery objectives.
**6. Board and Senior Management Oversight:** BCM governance must include board-level approval of BCP policies and annual reporting on resilience posture.
Practically, institutions should conduct a Business Impact Analysis (BIA) annually to reprioritize critical processes and map dependencies. Aligning your BCM framework with ISO 22301 alongside SAMA CSF provides a robust, internationally recognized structure that also satisfies NCA ECC resilience controls.
Was this helpful?
Third-party risk management is one of the most scrutinized areas in SAMA examinations and NCA assessments. SAMA CSF Control 3.3.14 (Third-Party Management) and NCA ECC Article 2-9 establish clear expectations. For Saudi fintechs — which typically rely heavily on external technology providers, cloud platforms, and payment processors — a structured TPRM program is non-negotiable.
**Vendor Inventory & Tiering:** Begin by building a comprehensive inventory of all third parties with access to your systems, data, or critical processes. Classify vendors into tiers based on criticality and data sensitivity. Tier-1 vendors (e.g., core banking system providers, cloud infrastructure, payment gateways) require the most rigorous controls.
**Pre-Engagement Due Diligence:** Before onboarding any Tier-1 or Tier-2 vendor, conduct formal security due diligence — review ISO 27001 certifications, SOC 2 Type II reports, NCA compliance attestations, and conduct questionnaire-based assessments mapped to SAMA CSF and NCA ECC controls. SAMA expects documented evidence of pre-contract security reviews.
**Contractual Security Requirements:** All vendor contracts must include cybersecurity clauses covering: right-to-audit, incident notification obligations (within 72 hours per SAMA guidance), data handling and sub-processor restrictions, and compliance with Saudi data residency requirements under PDPL.
**Ongoing Monitoring:** TPRM is not a one-time exercise. Implement continuous monitoring through annual reassessments for Tier-1 vendors, ongoing threat intelligence feeds tracking vendor-specific vulnerabilities, and real-time monitoring of vendor access logs where applicable.
**Concentration Risk:** SAMA specifically flags concentration risk — where a single third party supports multiple critical functions. Map your dependencies and maintain documented contingency plans and exit strategies for critical vendors.
**Board-Level Reporting:** Aggregate TPRM findings into quarterly risk reports presented to the Risk Committee, demonstrating active governance — a key SAMA CSF requirement under Control 3.1.
Was this helpful?
Business Continuity Management (BCM) under SAMA CSF (Domain 3.3) is a mandatory requirement for all Saudi financial institutions. Here is how to structure a compliant BCM program:
**1. Business Impact Analysis (BIA):** Conduct a formal BIA per SAMA CSF Control 3.3.2 to identify critical business functions, dependencies, and acceptable downtime thresholds (RTO/RPO). Financial institutions must document Maximum Tolerable Downtime (MTD) for each critical process.
**2. BCM Policy and Governance:** Establish a board-approved BCM policy. SAMA CSF requires senior management accountability for BCM, with clear roles assigned to a Business Continuity Manager and departmental owners.
**3. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP):** Develop and maintain documented BCPs per SAMA CSF Control 3.3.4, covering manual workarounds, alternate processing sites, staff escalation trees, and communication protocols. DRPs must address IT system recovery with defined RTO objectives — typically 4 hours or less for critical banking systems.
**4. Testing and Exercising:** SAMA CSF mandates periodic testing (at minimum annually) including tabletop exercises, functional tests, and full failover simulations. Test results must be documented and gaps remediated within defined timelines.
**5. Integration with Cyber Incident Response:** Align BCM with your Cyber Incident Response Plan (CIRP) to ensure continuity during cyberattacks — particularly ransomware and DDoS scenarios common in the Saudi financial sector.
**6. Third-Party BCM:** Per SAMA CSF Control 3.3.6, assess and verify the BCM capabilities of critical third-party vendors annually.
Annual SAMA audits will review BCM documentation, test evidence, and board-level oversight. A well-structured BCM program also satisfies overlapping requirements under NCA ECC Section 2-7 and ISO 22301.
Was this helpful?
Business Continuity Management (BCM) for Saudi financial institutions is governed primarily by SAMA CSF Domain 4 (Resilience) and NCA ECC Article 3-5, which together require documented, tested, and board-approved continuity plans capable of sustaining critical operations during cyber incidents, natural disasters, and system failures.
**Core BCM Requirements Under SAMA CSF:**
- **Business Impact Analysis (BIA):** Identify critical business functions, dependencies, Recovery Time Objectives (RTOs), and Recovery Point Objectives (RPOs). SAMA expects RTOs for Tier-1 systems to be defined and technically achievable — typically under 4 hours for core banking.
- **Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP):** Separate but aligned documents. The BCP addresses operational continuity; the DRP addresses IT systems restoration.
- **Crisis Communication Plan:** Define internal escalation paths and external communication protocols with SAMA, NFIS, and the public where applicable.
**NCA ECC Additional Requirements (Art. 3-5):**
NCA requires cybersecurity-specific resilience controls integrated into the BCP, including secure backup architectures, offline/immutable backup storage, and cyberattack-specific recovery scenarios — not just traditional IT disaster scenarios.
**Testing and Validation:**
SAMA CSF mandates at minimum an annual full-scale BCP/DRP test, including tabletop exercises and live failover drills. Test results must be formally documented, gaps remediated, and executive sign-off obtained.
**Practical Recommendation:**
Align your BCM program with ISO 22301 as the international standard underpinning SAMA's expectations. Map ISO 22301 controls to SAMA CSF and NCA ECC requirements to produce a unified compliance artifact that satisfies all three frameworks simultaneously.
Was this helpful?
Business Continuity Management (BCM) is a critical pillar under the SAMA Cyber Security Framework (CSF), specifically addressed in Domain 4 (Cyber Resilience) and Control area 3.3 (Business Continuity & Disaster Recovery). Here is a structured approach for Saudi banks:
**1. Business Impact Analysis (BIA):** Identify and classify critical banking functions — core banking systems, payment gateways, SWIFT connectivity, and customer-facing digital channels. Per SAMA CSF Control 3.3.1, each critical process must have defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
**2. BCM Policy & Governance:** Establish a board-approved BCM policy assigning clear ownership to senior management. SAMA expects BCM to be treated as an enterprise-wide risk, not solely an IT function.
**3. Business Continuity Plan (BCP) Development:** Document response procedures for various disruption scenarios — cyberattacks, natural disasters, system failures, and pandemic events. Plans must include communication trees, escalation paths, and alternate site operations.
**4. Disaster Recovery (DR) for IT Systems:** Implement redundant infrastructure with geographically separated data centers within Saudi Arabia. SAMA CSF Control 3.3.4 requires documented DR plans tested at least annually, with evidence of test results maintained.
**5. BCM Testing & Exercising:** Conduct tabletop exercises, simulation drills, and full failover tests regularly. SAMA examiners will request test results and remediation logs during assessments.
**6. Integration with ISO 22301:** Aligning your BCM program with ISO 22301 (Business Continuity Management Systems) provides a globally recognized framework that also satisfies SAMA's structured documentation and audit requirements.
Maintain updated BCM documentation, review plans after every significant incident, and ensure third-party critical service providers also have verified continuity arrangements.
Was this helpful?
Under SAMA CSF Domain 4 (Cybersecurity Operations and Technology), Member Organizations must establish a formal, documented Incident Response Program that covers the full lifecycle: preparation, detection, containment, eradication, recovery, and post-incident review.
**Key Requirements:**
- **SAMA CSF Control 4.3.1** mandates a written Incident Response Policy and Procedure reviewed at least annually.
- **Control 4.3.2** requires classification of incidents by severity (Critical, High, Medium, Low) with defined SLAs for each tier.
- **Control 4.3.3** obligates notification to SAMA within specific timeframes for critical incidents — typically within 72 hours of confirmed breach, aligned with NCA ECC Article 4-3 reporting obligations.
**Practical Guidance:**
1. **Establish an Incident Response Team (IRT):** Assign clear roles — IR Lead, Legal/Compliance, Communications, IT/SOC — with documented escalation paths.
2. **Integrate a SIEM/SOAR Platform:** Automate detection and initial triage to reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
3. **Conduct Tabletop Exercises:** Simulate ransomware, data breach, and DDoS scenarios at least twice per year, per SAMA CSF best practice.
4. **Coordinate with NCA:** For critical infrastructure sectors, ensure your IR plan aligns with NCA's National Cybersecurity Incident Management Framework.
5. **Document Everything:** Maintain evidence logs and post-incident reports to demonstrate compliance during SAMA audits.
A mature IR program not only satisfies regulatory requirements but significantly reduces financial and reputational damage during an actual incident.
Was this helpful?
SAMA CSF uses five maturity levels: Level 1 (Initial/Ad-hoc) — informal controls; Level 2 (Developing) — repeatable but not documented; Level 3 (Defined) — documented and standardized; Level 4 (Managed) — measured and controlled; Level 5 (Optimizing) — continuous improvement. Financial institutions are expected to achieve at least Level 3 for most controls.
Was this helpful?
SAMA requires regulated entities to conduct an annual self-assessment against the Cybersecurity Framework. Results must be submitted to SAMA and used to drive remediation plans. SAMA may also conduct on-site inspections or request third-party audit reports.
Was this helpful?
SAMA can impose regulatory penalties including fines, supervisory warnings, mandatory remediation timelines, restrictions on business activities, or in severe cases, suspension of licenses. Exact penalties depend on the nature and severity of the non-compliance and SAMA's assessment discretion.
Was this helpful?
Under SAMA CSF Domain 3 (Cybersecurity Risk Management), specifically controls 3.3.1 through 3.3.5, Saudi banks and financial institutions must implement a structured Third-Party Risk Management (TPRM) program. This involves four critical phases:
**1. Pre-Onboarding Due Diligence:** Before engaging any vendor, conduct a cybersecurity risk assessment covering the vendor's security posture, data handling practices, and compliance certifications (e.g., ISO 27001, SOC 2). Classify vendors by risk tier — critical, high, medium, or low — based on data access and system integration levels.
**2. Contractual Security Requirements:** Embed security obligations into vendor contracts, including the right to audit, mandatory breach notification timelines (aligned with PDPL's 72-hour reporting requirement), data residency clauses for Saudi-hosted data, and compliance with NCA ECC controls where applicable.
**3. Ongoing Monitoring:** Conduct annual security assessments for critical vendors and biannual reviews for high-risk suppliers. Use continuous monitoring tools to track vendor security ratings and any publicly disclosed breaches.
**4. Offboarding Controls:** Ensure secure data deletion, access revocation, and documentation upon contract termination.
SAMA expects board-level oversight of TPRM programs, with the CISO responsible for maintaining a vendor risk register. Non-compliance may trigger regulatory findings during SAMA's annual supervisory review cycle. Platforms like CISO Consulting can help automate vendor assessments, map findings to SAMA CSF controls, and generate audit-ready reports for regulators.
Was this helpful?
Third-party risk management is a critical obligation under SAMA CSF Domain 3.3, which requires regulated entities to establish a formal vendor risk management program before onboarding any third party with access to sensitive systems or data. Practically, this means conducting a cybersecurity due diligence assessment for every vendor — covering their security controls, certifications (e.g., ISO 27001), incident response capabilities, and data handling practices. Per SAMA CSF Control 3.3.2, contracts with critical vendors must include mandatory cybersecurity clauses covering data protection, audit rights, breach notification timelines (typically within 72 hours), and the right to conduct or commission security assessments. Financial institutions should classify vendors by criticality — Tier 1 vendors (those with direct access to core banking systems) require the most rigorous scrutiny, including on-site assessments and continuous monitoring. Tier 2 and Tier 3 vendors may be managed through standardized questionnaires and periodic reviews. Additionally, PDPL intersects here: if vendors process personal data of Saudi residents, a Data Processing Agreement (DPA) must be in place, and the institution remains accountable as the data controller. Recommended actions include maintaining a live vendor inventory, performing annual reassessments for critical vendors, and establishing exit strategies to manage vendor offboarding securely. Our platform automates vendor risk scoring, tracks assessment cycles, and generates SAMA-ready reports to streamline this process.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Third-Party Cybersecurity), Saudi banks and financial institutions must establish a structured, risk-based vendor management program that goes well beyond standard procurement due diligence. At a minimum, your program should include: **1) Pre-onboarding assessment:** Evaluate all third parties handling sensitive data or critical systems using standardized security questionnaires aligned to SAMA CSF controls. Classify vendors by inherent risk (critical, high, medium, low). **2) Contractual obligations:** Ensure all vendor contracts include cybersecurity clauses covering data protection per PDPL requirements, incident notification timelines (72-hour breach reporting is a benchmark), right-to-audit clauses, and minimum security baseline expectations. **3) Continuous monitoring:** Critical vendors (e.g., core banking providers, cloud platforms) should undergo annual on-site or remote security assessments. Use automated tools to monitor for vendor data breaches, dark web exposure, and certificate issues. **4) Concentration risk:** SAMA expects boards to understand and manage concentration risk — if multiple critical functions rely on a single third party, a formal risk acceptance or mitigation plan is required. **5) Offboarding controls:** Define procedures for data return, destruction, and access revocation when a vendor relationship ends. Practically, most Saudi banks find the greatest gaps in ongoing monitoring and contractual coverage. Start by inventorying all third parties, classifying them by risk, and ensuring your highest-risk vendors are assessed at least annually. Document everything — SAMA assessors look closely at evidence of active program management, not just policy documents.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation for Saudi financial institutions. Under SAMA CSF Control 3.3, regulated entities must establish a formal vendor risk management program that includes pre-onboarding security assessments, contractual security obligations, and ongoing monitoring throughout the vendor lifecycle.
Practically, your TPRM program should include:
**1. Vendor Tiering:** Classify vendors by criticality — Tier 1 (critical/core banking), Tier 2 (significant), Tier 3 (low impact) — and apply proportionate controls.
**2. Pre-Onboarding Due Diligence:** Require vendors to demonstrate compliance with ISO 27001 or equivalent. For Tier 1 vendors, conduct on-site security assessments or review independent audit reports (SOC 2 Type II).
**3. Contractual Requirements:** Embed security clauses covering data handling, breach notification (within 72 hours per PDPL Article 19), right-to-audit, and minimum security standards aligned with NCA ECC controls.
**4. Continuous Monitoring:** Use automated attack surface monitoring tools to track vendor exposure. NCA ECC Domain 2 (Asset Management) implicitly requires visibility into third-party connected systems.
**5. Offboarding Procedures:** Ensure secure data deletion and access revocation upon contract termination.
Financial institutions that outsource critical operations to cloud or fintech providers must also comply with SAMA's Outsourcing Rules, which require SAMA notification for material outsourcing arrangements. Failure to manage third-party risk adequately is a common finding in SAMA supervisory reviews and can directly impact your CSF maturity score.
Was this helpful?
Saudi financial institutions face overlapping incident response obligations from multiple regulators. Understanding each layer is essential to avoid both operational and legal exposure.
**SAMA CSF Requirements (Control 3.3.5 – Cybersecurity Incident Management):**
- Institutions must maintain a documented Cybersecurity Incident Response Plan (CIRP) reviewed at least annually.
- Security incidents must be classified using a defined severity matrix (Critical, High, Medium, Low).
- Critical incidents must be reported to SAMA within timeframes specified in the SAMA Cyber Incident Reporting Framework — typically within 4 hours of detection for major incidents.
- Post-incident reviews (PIRs) are mandatory and must be documented with root cause analysis and corrective actions.
**NCA ECC Requirements (Control 2-7 – Cybersecurity Incident Management):**
- NCA requires entities to maintain a 24/7 security operations capability or a contracted SOC.
- Incidents must be reported to the National Cybersecurity Authority through official channels when they involve national infrastructure or sensitive data.
**PDPL Requirements (Article 19):**
- If a breach involves personal data, organizations must notify the Saudi Data & AI Authority (SDAIA) within 72 hours of becoming aware of the incident.
- Affected data subjects must also be notified if the breach poses a high risk to their rights or interests.
**Practical Readiness Checklist:**
✅ Documented CIRP with defined roles and escalation paths
✅ Incident classification and prioritization matrix
✅ Regulatory notification templates pre-drafted for SAMA, NCA, and SDAIA
✅ Tabletop exercises conducted at least twice per year
✅ Forensic investigation capability (internal or retained)
Building this capability in-house is resource-intensive. Many Saudi fintechs and mid-sized banks engage a vCISO service to design and maintain the CIRP while providing on-call incident support.
Was this helpful?
SAMA CSF Control 3.3 mandates that regulated entities establish a formal Third-Party Risk Management (TPRM) framework covering the full vendor lifecycle — from onboarding to offboarding. Practically, your program should include four pillars:
1. **Pre-Engagement Due Diligence**: Before contracting any vendor, conduct a cybersecurity risk classification (critical, high, medium, low) based on data access, system integration depth, and service criticality. Per SAMA CSF Control 3.3.1, vendors with access to sensitive financial or customer data must undergo rigorous security assessments.
2. **Contractual Security Requirements**: All vendor contracts must include enforceable cybersecurity clauses — right-to-audit provisions, incident notification timelines (typically 72 hours per PDPL Article 24 alignment), data handling standards, and compliance attestation obligations.
3. **Continuous Monitoring**: SAMA expects ongoing monitoring, not just point-in-time assessments. Implement quarterly security questionnaires for critical vendors, annual on-site audits, and automated monitoring of vendors' public threat intelligence posture.
4. **Exit and Transition Planning**: Document data return/destruction procedures and access revocation protocols for vendor offboarding, aligned with ISO 27001 Annex A.15.2.
Many Saudi banks fail SAMA assessments specifically on TPRM because they treat it as a procurement checkbox rather than a continuous risk process. Your GRC platform should map each vendor to relevant SAMA controls, assign risk owners, and track remediation timelines. A minimum viable TPRM program for a mid-sized bank typically covers 50–200 active vendors segmented by risk tier.
Was this helpful?
Business Continuity Management (BCM) is one of the most rigorously assessed domains in SAMA CSF audits. Under SAMA CSF Domain 4 (Operational Resilience) and specifically Control 4.2 (Business Continuity & Disaster Recovery), Saudi financial institutions must establish, implement, and regularly test a comprehensive BCM program.
**Core BCM Components Required by SAMA CSF:**
**1. Business Impact Analysis (BIA):** Conduct a formal BIA to identify critical business functions, their Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO). For banking systems, RTOs are often set at 4 hours or less for tier-1 systems.
**2. BCP & DRP Documentation:** Maintain documented Business Continuity Plans and Disaster Recovery Plans that are reviewed and updated at least annually, or after significant organizational changes.
**3. Testing Frequency:** SAMA requires a minimum of one full DR test annually, complemented by tabletop exercises for key scenarios (ransomware, data center failure, cyber incidents). Results must be formally documented.
**4. Backup & Recovery Controls:** Per SAMA CSF Control 3.3.8, backups must be encrypted, stored offsite or in a secondary data center, and tested regularly to confirm restorability. Backup integrity checks should occur at minimum quarterly.
**5. Communication Plans:** Define escalation matrices, stakeholder notification procedures, and regulatory reporting timelines — including SAMA notification requirements for major disruptions.
**6. Alignment with NCA ECC:** NCA ECC Article 2-12 (Resilience) adds complementary requirements around cyber resilience that should be integrated into your BCM framework to avoid duplication of effort.
Organizations should nominate a BCM Owner at the senior management level and ensure BCM is integrated into the enterprise risk management framework rather than treated as a standalone exercise.
Was this helpful?
Business continuity and cyber resilience are among the most scrutinized domains during SAMA examinations. SAMA CSF dedicates a full control domain (Domain 3.6 – Cyber Resilience) to ensuring financial institutions can withstand, recover from, and adapt to cyber incidents.
**SAMA CSF Core Requirements:**
- **Business Impact Analysis (BIA):** Institutions must conduct a formal BIA identifying critical business processes, their dependencies, and acceptable recovery timeframes (RTO/RPO).
- **Cyber Resilience Plans:** A documented Cyber Resilience Plan must exist, covering incident containment, recovery procedures, and communication protocols — integrated with the overall Business Continuity Plan (BCP).
- **Testing & Exercising:** SAMA requires annual testing of BCP/DRP, including tabletop exercises and simulated cyber incident scenarios. Results must be reviewed by senior management.
- **Recovery Time Objectives:** Critical banking services (e.g., core banking, payment systems) must have RTOs defined per SAMA's operational resilience expectations — typically under 4 hours for tier-1 services.
- **Supply Chain Resilience:** Continuity planning must account for critical third-party dependencies.
**Alignment with ISO 22301:**
ISO 22301 (Business Continuity Management Systems) complements SAMA CSF well. Key overlaps include BIA methodology, documented BCMS policies, competency requirements, and continual improvement cycles. Achieving ISO 22301 certification demonstrates maturity and can streamline SAMA examinations.
**Practical Guidance:**
1. Map SAMA CSF 3.6 controls directly to ISO 22301 clauses to identify gaps.
2. Integrate cyber incident scenarios (ransomware, DDoS, data breach) into your annual BCP testing.
3. Ensure your crisis communication plan covers SAMA notification obligations (within 72 hours for major incidents).
4. Review and update plans after every major incident or significant infrastructure change.
Was this helpful?
Business Continuity Management (BCM) is a critical compliance domain under the SAMA Cyber Security Framework. SAMA CSF Control Domain 3.5 (Resilience) requires member organizations to establish, implement, test, and continuously improve BCM programs that address both cybersecurity incidents and broader operational disruptions.
A SAMA-compliant BCM program should be structured around the following pillars:
**1. Business Impact Analysis (BIA)**
Identify critical business functions, their dependencies, and determine Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). SAMA expects that RTO/RPO targets for critical banking services align with the institution's risk appetite and customer commitments.
**2. Business Continuity Plan (BCP) & Disaster Recovery Plan (DRP)**
Document step-by-step response procedures for various disruption scenarios — cyberattacks, system failures, facility unavailability. Ensure your DRP specifically covers IT system failover, data backup restoration, and alternate processing sites.
**3. Crisis Communication**
Define internal escalation paths and external communication protocols, including notification to SAMA within required timeframes during significant incidents (per SAMA's Cyber Incident Reporting guidelines).
**4. Testing & Exercising**
SAMA requires documented evidence of BCM tests — tabletop exercises, simulation drills, and full failover tests — at least annually. Gaps identified must feed into a formal improvement plan.
**5. Third-Party Dependencies**
Ensure critical vendors and cloud service providers have their own BCM capabilities validated as part of your vendor risk management process.
Integrating your BCM program with ISO 22301 best practices will strengthen your SAMA maturity score and demonstrate a structured, internationally aligned approach during regulatory examinations.
Was this helpful?
Business Continuity Management (BCM) is a mandatory regulatory obligation for Saudi financial institutions, governed primarily by SAMA CSF Domain 5 (Resilience) and NCA ECC Control 3-7. Institutions must establish a comprehensive BCM program that integrates cybersecurity resilience with broader operational continuity.
**Regulatory Baseline:**
SAMA CSF Control 5.1 requires institutions to develop, maintain, and regularly test Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs). Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) must be formally defined and aligned with the criticality of each system.
**Key Implementation Steps:**
1. **Business Impact Analysis (BIA):** Identify critical business processes, supporting IT assets, and maximum tolerable downtime. For core banking systems, RTOs are typically set at 4 hours or less.
2. **Cyber-Specific Scenarios:** BCM plans must explicitly address ransomware attacks, DDoS incidents, and data center outages—not just natural disasters or hardware failures.
3. **Testing Cadence:** SAMA CSF requires BCM tests at least annually. Tests should include tabletop exercises, simulation drills, and full failover tests for critical systems. NCA ECC reinforces this under its resilience controls.
4. **Third-Party Dependencies:** BCP documentation must address the continuity posture of critical suppliers and cloud providers, including contractual SLA obligations.
5. **Board Reporting:** BCM program status, test results, and identified gaps must be reported to senior management and the Board Risk Committee at least annually.
Documentation, test evidence, and gap remediation records should be maintained within your GRC platform to demonstrate regulatory compliance during SAMA examinations.
Was this helpful?
Business Continuity Management (BCM) is a regulatory imperative for Saudi financial institutions. SAMA CSF Domain 4 (Resilience) dedicates an entire section to BCM requirements, mandating that all member organizations maintain a documented, tested, and Board-approved BCM program. Alignment with ISO 22301 is strongly recommended and increasingly treated by SAMA examiners as the gold standard for BCM governance.
Here is a structured implementation roadmap:
**1. Business Impact Analysis (BIA)**
Identify critical business functions, acceptable Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO). SAMA CSF Control 4.2.1 requires that RTOs and RPOs be formally documented and approved by senior management.
**2. Risk Assessment Integration**
BCM must be tightly linked to your organization's cybersecurity and enterprise risk framework. Cyber incidents, ransomware, and DDoS attacks must be explicitly modeled as threat scenarios in your Business Continuity Plan (BCP).
**3. Develop Response Plans**
Create and maintain a BCP, Disaster Recovery Plan (DRP), and Crisis Communication Plan. Ensure these plans cover core banking systems, payment processing (SARIE/AFAQ connectivity), and customer-facing digital channels.
**4. Testing and Exercises**
SAMA CSF Control 4.2.5 requires at least annual BCP tests, including tabletop exercises and full simulation drills. Test results and gaps must be documented and reported to the Board Risk Committee.
**5. Third-Party Continuity**
Ensure that critical service providers also maintain BCM programs aligned with your own RTOs. This is a common gap flagged during SAMA examinations.
**6. Continuous Improvement**
Post-incident reviews and annual BCM audits (preferably by an independent party) are required to maintain ISO 22301 certification and SAMA compliance.
Was this helpful?
Business continuity and cyber resilience are among the most scrutinized areas during SAMA supervisory examinations. SAMA CSF Control Domain 3.4 (Cyber Resilience) requires financial institutions to develop, maintain, and regularly test Business Continuity Plans (BCPs) and Cyber Incident Recovery Plans that specifically address cybersecurity scenarios — not just traditional IT disaster recovery.
**Key Requirements:**
**1. Recovery Objectives:**
SAMA expects documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems, typically ranging from 4–24 hours for core banking depending on system criticality. These must be validated — not just estimated.
**2. Scenario-Based Testing:**
Annual BCP tests must include cyber-specific scenarios such as ransomware attacks, DDoS against core banking infrastructure, and third-party service provider outages. Tabletop exercises involving the CISO, CRO, and Executive Management are mandatory per SAMA guidance.
**3. Crisis Communication:**
SAMA CSF requires pre-approved communication templates and escalation matrices for cybersecurity incidents, including timely notification to SAMA within defined windows (typically within 72 hours of a significant incident).
**4. Integration with NCA ECC:**
NCA ECC Control 2-14 mandates that organizations maintain operational resilience capabilities. SAMA-regulated entities should ensure their BCPs are cross-referenced and consistent with NCA requirements to avoid duplication of gaps.
**5. Documentation & Evidence:**
Maintain test records, lessons-learned reports, and remediation logs in your GRC platform. SAMA examiners will request these during regulatory visits.
Weak BCP posture is a leading cause of downgraded SAMA CSF maturity scores. Treat resilience testing as a continuous program, not an annual checkbox.
Was this helpful?
Business Continuity Management (BCM) is a critical compliance area governed by multiple Saudi regulatory frameworks. Here is how financial institutions should structure their BCM program: **SAMA CSF Requirements (Control 3.3.9)**: SAMA mandates a formalized BCM program that includes Business Impact Analysis (BIA), Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), and tested Disaster Recovery Plans (DRP). RTOs for critical banking services such as core banking, payment systems, and internet banking are typically expected to be under 4 hours, with RPOs of no more than 1 hour. **NCA ECC Alignment (Article 2-18)**: NCA ECC reinforces BCM requirements by mandating resilience controls for critical national infrastructure entities, including financial institutions. This includes documented continuity plans reviewed and tested at least annually. **Key Implementation Steps**: (1) Conduct a comprehensive BIA to identify critical processes and dependencies; (2) Define RTOs and RPOs per system criticality tier; (3) Establish alternate processing sites or cloud-based failover environments; (4) Develop and maintain a Crisis Communication Plan; (5) Conduct tabletop exercises and full DR drills at least annually; (6) Ensure BCM scope covers cybersecurity incidents, not just natural disasters or outages. **Testing & Documentation**: SAMA assessors will expect to review test results, lessons-learned reports, and evidence of executive sign-off on BCM plans. Gaps identified during drills must be tracked and remediated with clear ownership. Integrating BCM with your incident response plan ensures a seamless response to cyber-induced disruptions.
Was this helpful?
Business Continuity Management (BCM) is a mandatory domain under SAMA CSF (Domain 4: Resilience), and SAMA expects Saudi banks to maintain a comprehensive, tested, and board-approved BCM program. Here is what maturity looks like in practice:
**Foundation — Policy and Governance:**
- A Board-approved BCM Policy aligned with SAMA CSF Control 4.1 and ISO 22301.
- Clear ownership: a BCM Manager or function reporting to the CISO or COO.
- BCM scope covering critical business processes, technology systems, and third-party dependencies.
**Business Impact Analysis (BIA):**
- Identify and prioritize critical business functions with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
- SAMA expects RTOs for critical banking services (e.g., payment processing, core banking) to be aggressive — typically under 4 hours for Tier-1 banks.
**Plans and Playbooks:**
- A documented **Business Continuity Plan (BCP)** covering people, process, and technology continuity.
- A separate **Disaster Recovery Plan (DRP)** for IT systems, with tested failover to a secondary data center.
- **Crisis Communication Plans** for internal staff, regulators (SAMA notification obligations), and customers.
**Testing and Exercises:**
- Full BCM tests must be conducted at least annually. SAMA CSF Control 4.3 requires documented test results and evidence of lessons learned.
- Tests should progress from tabletop exercises to full simulation drills.
**Integration with Cybersecurity:**
- Ransomware and cyber-incident scenarios must be embedded into BCP/DRP testing, reflecting SAMA's focus on cyber resilience.
- BCM findings should feed into your risk register and annual SAMA self-assessment.
A truly mature BCM program is not a document — it is a living capability that is continuously tested, updated, and embedded in your operational culture.
Was this helpful?
Business Continuity Management (BCM) is a critical compliance area for Saudi fintechs, governed by SAMA CSF Domain 4 (Operational Resilience) and NCA ECC Control 2-14. Non-compliance can result in regulatory sanctions and reputational damage, particularly given the Central Bank's focus on payment system resilience.
**SAMA CSF Requirements (Domain 4):**
- Conduct a formal Business Impact Analysis (BIA) identifying critical processes, dependencies, and maximum tolerable downtime (MTD) for each function.
- Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) aligned with the BIA findings.
- Develop and document a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) reviewed and approved by senior management annually.
- Test BCM plans at least annually through tabletop exercises, and full failover drills for technology-dependent processes.
**NCA ECC Control 2-14 Requirements:**
- Establish a dedicated BCM policy and assign ownership at the executive level.
- Ensure cyber incident scenarios are embedded within BCP exercises, not treated separately.
- Document lessons learned from tests and update plans accordingly.
**Practical Implementation Steps:**
1. Map all fintech services (payments, lending, onboarding) to underlying IT systems and third-party dependencies.
2. Define tiered recovery priorities — payment processing should typically target RTO < 4 hours.
3. Use cloud-based geo-redundant infrastructure within Saudi Arabia or approved data residency regions per SAMA guidelines.
4. Integrate BCM with your Incident Response Plan to ensure seamless escalation.
5. Report BCM test results to the Risk Committee quarterly.
Aligning BCM with ISO 22301 principles provides an internationally recognized structure that satisfies both SAMA and NCA auditors simultaneously.
Was this helpful?
Business Continuity Management (BCM) is a mandatory domain under SAMA CSF, addressed comprehensively in Domain 4 — Resilience. Financial institutions must establish, maintain, and periodically test a BCM program that ensures the continued delivery of critical financial services during and after disruptive events.
**Core SAMA CSF Requirements:**
**Business Impact Analysis (BIA):** Per SAMA CSF Control 4.1, institutions must conduct a formal BIA to identify critical business functions, dependencies, Recovery Time Objectives (RTOs), and Recovery Point Objectives (RPOs). RTOs for critical banking systems are generally expected to be under 4 hours.
**Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP):** Documented plans must exist for all critical processes and IT systems, covering scenarios such as cyberattacks, data center failures, and pandemic events.
**Testing and Exercises:** SAMA CSF Control 4.3 requires BCM plans to be tested at least annually. Tests should include tabletop exercises, functional drills, and full failover simulations for critical systems. Results must be documented with lessons learned and improvement actions.
**Crisis Communication:** Plans must include defined communication trees for internal stakeholders, SAMA regulators, and customers during incidents.
**Third-Party Dependencies:** BCM must account for critical vendor and outsourcing continuity, ensuring suppliers maintain compatible BCM standards.
**Board Oversight:** The board and senior management are expected to review and approve BCM policies annually and receive test results.
**Integration with ISO 22301:** Many Saudi institutions align their BCM programs with ISO 22301 (Business Continuity Management Systems), which provides a globally recognized certification pathway that also satisfies SAMA's intent. Maintaining evidence of BCM testing, BIA updates, and board approvals is essential for SAMA regulatory examinations.
Was this helpful?
Under SAMA CSF Domain 3.7 (Resilience Management), Saudi financial institutions must establish a comprehensive Business Continuity Management (BCM) program that addresses both operational disruptions and cybersecurity incidents. Key requirements include: (1) **BIA and RTO/RPO Definition** — Conduct a formal Business Impact Analysis identifying critical processes, with Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined per system criticality. SAMA CSF Control 3.7.2 mandates these be formally documented and approved by senior management. (2) **Tested DR Plans** — Disaster Recovery Plans must be tested at least annually, with results documented and remediation actions tracked. Tabletop exercises alone are insufficient; full failover tests are expected for Tier-1 systems. (3) **Cyber Resilience Integration** — BCM plans must explicitly address ransomware scenarios, DDoS attacks, and core banking system outages. This aligns with NCA ECC Article 2-14 requirements for continuity under cyber incidents. (4) **Third-Party Dependencies** — Continuity plans must account for critical vendor failures, including cloud providers and payment processors. (5) **Board Oversight** — SAMA expects the Board Risk Committee to receive annual BCM status reports. Practical implementation tip: map your BCM documentation directly to SAMA CSF control references to simplify regulatory examinations. Integrate your BCM framework with ISO 22301 standards for a defensible, internationally recognized posture that satisfies both SAMA examiners and international auditors.
Was this helpful?
The SAMA Cyber Security Framework (CSF) uses a structured maturity model to evaluate the cybersecurity posture of member organizations. Understanding this model and preparing systematically is critical for Saudi banks and financial institutions seeking to demonstrate regulatory compliance and build genuine cyber resilience.
**The SAMA CSF Maturity Model:**
SAMA CSF defines five maturity levels — from Level 1 (Initial/Ad-hoc) to Level 5 (Optimized). Most financial institutions are expected to achieve at minimum Level 2 (Developing) for foundational controls, with Tier 1 banks expected to target Level 3 (Defined) or higher across critical domains including Cybersecurity Leadership, Cybersecurity Risk Management, and Cybersecurity Operations.
**Key Assessment Domains:**
The framework covers five primary domains: (1) Cybersecurity Leadership & Governance, (2) Cybersecurity Risk Management & Compliance, (3) Cybersecurity Operations & Technology, (4) Third-Party Cybersecurity, and (5) Cybersecurity Resilience. Each domain contains subdomains with specific controls and maturity indicators.
**Preparation Best Practices:**
1. **Conduct a gap assessment first**: Map your current controls against each SAMA CSF subdomain using a structured gap analysis tool before the formal evaluation.
2. **Document everything**: Maturity assessors look for evidence — policies, procedures, meeting minutes, training records, and technical configurations all matter.
3. **Align your CISO reporting structure**: SAMA CSF Control 3.1.1 requires cybersecurity to report at the Board or senior executive level; ensure this is formalized.
4. **Prioritize high-risk domains**: Focus remediation efforts on Identity & Access Management, Incident Response, and Vulnerability Management, which are frequently cited in findings.
5. **Engage an independent assessor**: Use a qualified third party for pre-assessment to identify gaps before the regulatory review.
6. **Build a continuous monitoring program**: Demonstrate ongoing control effectiveness, not just point-in-time compliance.
Banks that treat the SAMA CSF assessment as an annual event rather than a continuous program consistently score lower. Embed maturity improvement into your cybersecurity roadmap for sustained results.
Was this helpful?
Business Continuity Management (BCM) is a critical regulatory obligation for Saudi fintechs. SAMA CSF dedicates an entire control domain (Domain 3.6 – Cyber Resilience) to BCM, while NCA ECC addresses it under Article 2-10 (Business Continuity and Disaster Recovery).
**Key Program Components:**
**1. Business Impact Analysis (BIA):**
Identify all critical business processes and their supporting IT systems. Define Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO) for each. SAMA expects RTOs for critical payment services to be within 4 hours.
**2. Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP):**
Develop documented, tested plans covering people, processes, technology, and facilities. Plans must address cyber-induced outages specifically — not just physical disasters.
**3. Testing Requirements:**
SAMA CSF requires BCM tests at minimum annually. Tests must include tabletop exercises, functional drills, and full failover tests for critical systems. Results and lessons learned must be documented.
**4. Backup and Recovery Controls:**
NCA ECC Article 2-10 mandates encrypted, geographically separated backups. Restoration tests must confirm data integrity. Backups of critical systems should follow a 3-2-1 strategy.
**5. Governance and Ownership:**
A named BCM owner at senior management level is required. The CISO and Board must receive annual BCM status reports.
**6. Regulatory Notification:**
Under SAMA guidelines, significant disruptions to financial services must be reported to SAMA within defined timeframes, aligned also with PDPL breach notification obligations.
Integrating BCM into your GRC platform ensures continuous monitoring, automated testing reminders, and audit-ready evidence management.
Was this helpful?
Business Continuity Management (BCM) for Saudi fintechs must address overlapping requirements from both SAMA CSF (Domain 4 – Operational Resilience) and NCA ECC (Control 2-18). Here is a practical implementation roadmap: **1. Business Impact Analysis (BIA):** Identify critical business functions, define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). SAMA CSF requires RTOs to be formally approved by senior management. **2. BCM Policy and Governance:** Establish a formal BCM policy endorsed by the Board. SAMA CSF Control 4.1 mandates board-level oversight of operational resilience. **3. Disaster Recovery Planning:** Maintain a tested Disaster Recovery Plan (DRP) for all critical IT systems. NCA ECC Control 2-18 requires DR site separation and regular failover testing. **4. Crisis Management:** Define escalation procedures, communication trees, and regulatory notification timelines — SAMA requires notification within specific windows during major disruptions. **5. Testing and Exercises:** Conduct at least one full BCM simulation annually and tabletop exercises semi-annually. Maintain documented test results. **6. Third-Party Dependencies:** Map and test BCM arrangements with critical service providers. **7. Continuous Improvement:** Feed post-exercise lessons into annual BCM review cycles. Our platform provides BCM module templates pre-mapped to SAMA CSF and NCA ECC controls, enabling gap assessments and automated compliance scoring.
Was this helpful?
Business Continuity Management (BCM) is a mandatory governance obligation for Saudi financial institutions, deeply embedded in both SAMA CSF Domain 3.5 and NCA ECC Article 3.7. A compliant and mature BCM program must address the full lifecycle from risk assessment through to testing and continuous improvement.
**SAMA CSF BCM Requirements (Domain 3.5):**
- Establish a formal BCM policy approved by senior management.
- Conduct Business Impact Analysis (BIA) to identify critical processes and define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
- Develop and maintain Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP).
- Test BCM plans at least annually through tabletop exercises, functional drills, or full failover tests.
- Integrate cybersecurity scenarios (ransomware, DDoS, data center outage) into BCM exercises.
**NCA ECC Alignment:**
NCA ECC Article 3.7 requires organizations to ensure critical national infrastructure remains operational during disruptions. Financial institutions classified as Critical National Infrastructure (CNI) must align BCM with national resilience objectives and report major outages to NCA.
**Practical Implementation Steps:**
1. Appoint a BCM Owner at the VP or C-suite level with clear accountability.
2. Map dependencies between IT systems, third-party providers, and critical business processes.
3. Establish alternate processing sites (hot, warm, or cold) for critical systems.
4. Define escalation matrices and communication trees for crisis scenarios.
5. Document lessons learned after every test or real incident and update plans accordingly.
6. Ensure BCM documentation is reviewed and approved by the board at least annually.
Regulatory examinations routinely assess BCM maturity, and gaps in testing evidence are frequently cited as high-risk findings.
Was this helpful?
Business Continuity Management (BCM) is a critical compliance domain for Saudi financial institutions, governed primarily by SAMA CSF Domain 4 (Resilience) and NCA ECC Controls 2-9 and 2-10. A compliant BCM program must address both cybersecurity-specific disruptions and broader operational resilience.
**SAMA CSF Requirements (Domain 4):**
- Maintain a formally approved Business Continuity Policy reviewed at least annually.
- Conduct Business Impact Analyses (BIA) to identify critical processes, Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO).
- Develop and test Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) at least once per year, including tabletop and live failover exercises.
- Ensure cyber incident scenarios are embedded in BCP testing, not treated separately.
**NCA ECC Alignment:**
NCA ECC Article 2-9 requires organizations to establish a resilience framework covering system redundancy, failover capabilities, and backup integrity verification. Article 2-10 mandates periodic DR drills with documented results reported to senior management.
**Practical Implementation Steps:**
1. Assign a BCM Owner accountable to the Board or Risk Committee.
2. Classify systems using a tiered criticality model (Tier 1: Mission Critical, Tier 2: Business Critical, Tier 3: Supporting).
3. Ensure backup systems are geographically separated and tested for restoration integrity quarterly.
4. Integrate BCM with the Cyber Incident Response Plan to create a unified crisis management framework.
5. Document lessons learned from every exercise and update plans accordingly.
Regulators frequently assess BCM maturity during on-site examinations, so maintaining an evidence portfolio of test results, BIA reports, and plan updates is essential.
Was this helpful?
Business Continuity Management (BCM) under SAMA CSF (Domain 4.3) requires Saudi banks to establish a comprehensive, tested, and regularly updated BCM program. Here are the key implementation requirements:
**1. BIA and Risk Assessment:** Conduct a formal Business Impact Analysis (BIA) to identify critical business functions, acceptable downtime thresholds (RTO/RPO), and dependencies on IT systems and third parties — per SAMA CSF Control 4.3.1.
**2. BCP and DRP Documentation:** Develop and maintain written Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) that cover cybersecurity scenarios, not just physical disasters. Plans must be approved by senior management.
**3. Testing and Exercises:** SAMA CSF Control 4.3.4 mandates periodic testing — at minimum annually — including tabletop exercises, simulations, and full failover tests. Results must be documented and gaps remediated.
**4. Cyber Incident Integration:** BCM plans must explicitly address cyber incidents such as ransomware, DDoS attacks, and critical system compromise. Recovery procedures should align with your Cyber Incident Response Plan (CIRP).
**5. Communication Plans:** Define clear internal and external communication protocols, including SAMA notification timelines and customer communication procedures during disruptions.
**6. Third-Party Dependencies:** Map all critical vendor dependencies and ensure vendors have their own tested BCM/DRP plans, reviewed as part of your third-party risk management process.
**Practical Tip:** Align your BCM program with ISO 22301 standards for additional assurance — this strengthens your SAMA CSF posture and is increasingly expected by examiners during regulatory reviews.
Was this helpful?
Business Continuity Management (BCM) is a critical compliance domain under SAMA CSF Domain 4, specifically Controls 4.2 through 4.5. Saudi financial institutions must build a structured BCM program that goes beyond documentation to demonstrate operational resilience.
**Governance Structure:** Appoint a dedicated BCM owner at the senior management level, with clear accountability reported to the board. BCM policy must be reviewed and approved annually per SAMA CSF Control 4.2.1.
**Business Impact Analysis (BIA):** Conduct a formal BIA to identify critical business processes, dependencies, Maximum Tolerable Downtime (MTD), Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO). SAMA expects RTOs for critical banking systems (core banking, payment rails, internet banking) to be aggressive — typically under four hours.
**Plan Development:** Maintain separate but integrated plans: Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), and Crisis Communication Plan. Each plan must include activation triggers, escalation paths, and designated recovery teams.
**Testing Requirements:** SAMA CSF mandates regular testing — at minimum an annual full-scale simulation exercise and quarterly tabletop exercises. Test results, including gaps identified, must be documented and remediated.
**Third-Party & Technology Dependencies:** BCM must account for critical third-party providers (cloud vendors, payment processors, core banking vendors). SAMA CSF Control 4.3.5 requires continuity clauses in vendor contracts.
**Integration with Cyber Incident Response:** BCM and cyber incident response plans must be integrated, especially for ransomware or DDoS scenarios that could trigger a continuity event.
**Practical Tip:** Use your GRC platform to automate BIA reviews, track exercise outcomes, and link BCM controls directly to SAMA CSF control mappings for audit-ready reporting.
Was this helpful?
Business Continuity Management (BCM) for Saudi financial institutions sits at the intersection of SAMA CSF's Cyber Resilience domain and NCA ECC Article 3-7 (Resilience and Continuity Controls), making a unified, framework-aligned BCM program essential.
**SAMA CSF Requirements (Control 3.5.x):**
SAMA requires institutions to maintain a Cyber Resilience program encompassing Business Continuity Plans (BCP), Disaster Recovery Plans (DRP), and Crisis Management procedures. Key obligations include:
- Formal BIA (Business Impact Analysis) identifying critical business processes and Maximum Tolerable Downtime (MTD)
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined per system criticality
- Annual BCP/DR testing, with results reviewed by senior management
- Integration of cyber incident scenarios into BCM exercises
**NCA ECC Alignment (Art. 3-7):**
NCA ECC reinforces continuity requirements by mandating that organizations maintain documented recovery procedures for all critical national infrastructure-adjacent systems, with particular emphasis on data backup integrity and alternate site readiness.
**Practical Implementation Steps:**
1. Conduct a unified BIA mapping both operational and cyber-specific risks
2. Define and document RTOs/RPOs aligned with SAMA's criticality tiers
3. Establish hot/warm/cold site strategies for critical payment and core banking systems
4. Run tabletop exercises quarterly and full failover tests annually, documenting outcomes
5. Ensure BCM documentation is reviewed by the CISO, CRO, and Board Risk Committee annually
6. Maintain offline, immutable backups tested for restoration integrity per SAMA's ransomware resilience guidance
Our platform maps your BCM controls directly to both SAMA CSF and NCA ECC control families, providing real-time compliance gap visibility.
Was this helpful?
Identity and Access Management (IAM) is a foundational pillar under the SAMA Cyber Security Framework (CSF), specifically addressed in Domain 4 (Cybersecurity Operations) and Domain 3 (Cybersecurity Risk Management). Saudi banks must implement the following key IAM controls:
**1. Privileged Access Management (PAM):** Per SAMA CSF Control 4.2, privileged accounts must be strictly governed, with just-in-time access provisioning, session recording, and regular privilege reviews. No shared admin accounts should exist.
**2. Multi-Factor Authentication (MFA):** MFA is mandatory for all remote access, privileged user sessions, and access to critical banking systems. This aligns with SAMA CSF Control 4.3 and NCA ECC-1-4-3, which mandates strong authentication mechanisms.
**3. Role-Based Access Control (RBAC):** Access rights must follow the principle of least privilege. Roles should be formally defined, approved, and reviewed at least semi-annually, with user access recertification campaigns documented.
**4. Joiner-Mover-Leaver (JML) Process:** Automated workflows must ensure timely provisioning and, critically, de-provisioning of access. SAMA CSF requires that terminated employee access is revoked within defined SLAs — typically within 24 hours for critical systems.
**5. Identity Governance:** Banks should maintain a centralized identity directory with audit logs for all access changes, reviewed by internal audit periodically.
**Practical Recommendation:** Conduct a quarterly Access Rights Review (ARR) exercise using your IAM platform and document findings for SAMA CSF assessment evidence. Integrate your IAM solution with SIEM to correlate access anomalies in real time. Non-compliance in this domain is a recurring finding in SAMA CSF maturity assessments.
Was this helpful?
Under SAMA CSF Domain 3 (Cybersecurity Operations), Saudi banks are required to implement a robust Identity and Access Management program covering several critical controls. Per SAMA CSF Control 3.3.1, organizations must enforce the principle of least privilege, ensuring users are granted only the minimum access necessary for their roles. Control 3.3.2 mandates multi-factor authentication (MFA) for all privileged accounts, remote access sessions, and critical system interfaces. Banks must also maintain a formal joiner-mover-leaver process, ensuring access rights are reviewed during role changes and immediately revoked upon employee termination per Control 3.3.4. Privileged Access Management (PAM) solutions should be deployed to monitor, record, and audit all privileged sessions. Quarterly access reviews are required for critical systems, while annual reviews apply to standard user accounts. Additionally, shared or generic accounts must be eliminated or strictly controlled with individual accountability maintained. From an NCA ECC perspective, Article 2-6 reinforces these obligations for entities within scope, requiring documented IAM policies, automated provisioning workflows, and integration with a centralized directory service. Practical steps include deploying a PAM solution such as CyberArk or BeyondTrust, integrating Single Sign-On (SSO) with MFA via solutions like Azure AD or Okta, and conducting automated quarterly access certification campaigns. Non-compliance with these controls can result in regulatory findings during SAMA examination cycles and increased risk of insider threats or unauthorized access incidents.
Was this helpful?
Under SAMA CSF Domain 3 (Cybersecurity Operations), specifically Controls 3.3.1 through 3.3.6, Saudi banks must implement a comprehensive Identity and Access Management program that governs how users — especially privileged users — access critical systems and data.
Key requirements include:
**1. Least Privilege Principle:** Every user, system, and application should have only the minimum access needed to perform their function. Per SAMA CSF Control 3.3.2, access rights must be formally approved, documented, and periodically reviewed (at least annually or upon role changes).
**2. Privileged Access Management (PAM):** Privileged accounts (admins, DBAs, network engineers) must be tightly controlled. Implement a dedicated PAM solution (e.g., CyberArk, BeyondTrust) to vault credentials, enforce session recording, and require multi-factor authentication (MFA) for all privileged sessions.
**3. Multi-Factor Authentication:** SAMA CSF mandates MFA for remote access, privileged accounts, and critical system access. This aligns with NCA ECC Control ECC-2-2-6, reinforcing its importance across both frameworks.
**4. Access Reviews:** Conduct quarterly access recertification for privileged accounts and annual reviews for standard users. Automated joiner-mover-leaver (JML) processes should revoke access within 24 hours of employee departure.
**5. Separation of Duties (SoD):** No single individual should have end-to-end control over critical processes. Conflicting roles must be identified and mitigated via compensating controls.
**Practical Tip:** Integrate your IAM solution with your SIEM to alert on anomalous privileged activity. Document your IAM policy, access request workflow, and exception process — SAMA assessors will review these during maturity evaluations.
Was this helpful?
Identity and Access Management (IAM) is a foundational control domain that sits at the intersection of SAMA CSF and ISO 27001. Here is how Saudi fintechs can design a unified, compliant IAM program:
**SAMA CSF Alignment (Control Domain 3.4 – Identity & Access Management):**
- Implement a formal access control policy covering role-based access control (RBAC), need-to-know principles, and separation of duties.
- Enforce privileged access management (PAM): all privileged accounts must be individually assigned, logged, and reviewed quarterly.
- Multi-factor authentication (MFA) is mandatory for remote access, privileged accounts, and customer-facing portals.
- Conduct access recertification reviews at least every 90 days for privileged users and every 6 months for standard users.
**ISO 27001 Alignment (Annex A Controls A.9.x – Access Control):**
- Maintain a formal User Access Management procedure covering joiner, mover, and leaver (JML) processes.
- Document a Business Need justification for each access grant.
- Ensure privileged utility programs are restricted and monitored per A.9.4.4.
**Practical Implementation Steps:**
1. Deploy an Identity Governance & Administration (IGA) platform to automate provisioning and de-provisioning workflows.
2. Integrate Single Sign-On (SSO) with your IGA tool to reduce credential sprawl.
3. Log all access events to your SIEM and retain logs per SAMA's 12-month minimum retention requirement.
4. Map your IAM controls to both SAMA CSF and ISO 27001 in a unified controls register to avoid duplicating audit evidence.
**Common Gap:** Many fintechs overlook service accounts and API tokens — these must be included in your PAM scope and rotated regularly.
Was this helpful?
This is one of the most common strategic questions from CISOs at Saudi banks, and the short answer is: yes, pursuing both is highly recommended — they are complementary, not duplicative.
**How They Relate:**
ISO 27001 provides a globally recognized Information Security Management System (ISMS) framework with rigorous process and governance requirements. SAMA CSF, on the other hand, is a sector-specific regulatory framework tailored to the risks and operational realities of Saudi financial institutions. The two share significant overlap — particularly in risk management, access control, incident management, and supplier security — which means ISO 27001 implementation work directly accelerates SAMA CSF compliance.
**Key Areas of Overlap:**
- Risk Assessment & Treatment (ISO 27001 Clause 6.2 ↔ SAMA CSF Control 3.2)
- Asset Management (ISO 27001 Annex A.8 ↔ SAMA CSF Control 3.3)
- Supplier Relationships (ISO 27001 Annex A.15 ↔ SAMA CSF Third-Party Risk Controls)
- Incident Management (ISO 27001 Annex A.16 ↔ SAMA CSF Control 3.6)
**What ISO 27001 Adds:**
ISO 27001 certification signals to international partners, regulators, and customers that your institution meets a globally audited security standard. It also introduces structured continual improvement cycles (PDCA) that institutionalize security maturity over time.
**Practical Recommendation:**
Conduct an integrated gap assessment mapping your current controls against both frameworks simultaneously. Use a unified control library to avoid redundant documentation. Sequence your effort: establish your ISMS foundation first, then layer SAMA-specific controls. Most mid-sized Saudi banks achieve both within 12–18 months with proper program management.
Our platform's GRC module supports cross-framework mapping to eliminate duplication and track compliance posture across SAMA CSF, ISO 27001, NCA ECC, and NIST CSF in a single dashboard.
Was this helpful?
Identity and Access Management (IAM) is one of the most scrutinized control domains during SAMA examinations. Under SAMA CSF Control 3.3.3 (Access Control), banks must enforce a formal access management lifecycle covering provisioning, periodic review, and de-provisioning. Key mandatory controls include: (1) Role-Based Access Control (RBAC) — all system access must be granted based on documented job roles with least-privilege principles; standing privileged access must be eliminated in favor of just-in-time (JIT) access; (2) Multi-Factor Authentication (MFA) — SAMA CSF requires MFA for all remote access, privileged accounts, and critical system interfaces; NCA ECC Article 2-5 further mandates MFA for administrative access to national infrastructure-connected systems; (3) Privileged Access Management (PAM) — privileged sessions must be recorded and stored for a minimum of 12 months; shared administrative accounts are prohibited; (4) Access Reviews — quarterly access certification reviews are expected for privileged users; annual reviews for standard users, with evidence retained for regulatory inspection; (5) Segregation of Duties (SoD) — SAMA CSF Control 3.3.3 explicitly requires SoD matrices to prevent conflicts such as a single user having both transaction initiation and approval rights; (6) Directory Hardening — Active Directory or equivalent IAM systems must be hardened per CIS Benchmarks, with service accounts inventoried and managed. Integration with a SIEM for failed login monitoring, account lockout alerting, and anomalous access detection is also required per SAMA CSF Control 3.3.6. Banks should target maturity Level 3 (defined and implemented) across all IAM sub-domains in their SAMA CSF self-assessment.
Was this helpful?
Under SAMA CSF Control 3.3.1 (Cybersecurity Awareness and Training), Saudi financial institutions are required to establish a formal, role-based security awareness program that covers all employees, contractors, and third parties with access to critical systems. The program must be conducted at least annually, with targeted sessions for privileged users and IT staff delivered more frequently — ideally quarterly.
A well-structured program should include: (1) onboarding training for new joiners before system access is granted; (2) annual refresher training for all staff covering phishing, social engineering, password hygiene, and data handling; (3) role-specific modules for developers (secure coding), finance teams (fraud awareness), and executives (cyber risk governance); and (4) simulated phishing exercises with measurable outcomes tracked over time.
SAMA expects institutions to document training completion rates, maintain evidence of attendance, and report gaps to senior management and the board. Completion rates below 90% across departments should trigger escalation. Additionally, per NCA ECC Article 2-6, awareness programs must align with the national cybersecurity culture framework.
Practically, platforms like the CISO Consulting GRC portal allow you to track training completion by department, generate audit-ready reports, and schedule automated reminders — helping you maintain continuous compliance posture rather than treating awareness as a one-time annual checkbox.
Was this helpful?
SAMA CSF Control 3.3.1 mandates that Member Organizations establish a formal cybersecurity awareness and training program tailored to roles and responsibilities. Here is a practical implementation roadmap:
**1. Program Structure:**
Design a tiered training model — general staff receive foundational security awareness, IT teams get technical training, and executives and board members receive governance-focused briefings. All new hires must complete onboarding security training before accessing systems.
**2. Mandatory Content Areas (per SAMA CSF):**
- Phishing and social engineering recognition
- Acceptable use of information assets
- Password hygiene and multi-factor authentication
- Incident reporting procedures
- Data classification and handling
**3. Delivery Frequency:**
SAMA expects at minimum annual training for all staff, with quarterly phishing simulations recommended. High-privilege users (system admins, privileged access holders) should receive role-specific training every six months.
**4. Measurement and Metrics:**
Track completion rates (target: 100% within 30 days of assignment), phishing simulation click rates (benchmark: below 5% after 12 months), and post-training assessment scores. Report metrics to the CISO and board risk committee.
**5. Documentation for Audit:**
Maintain training records including completion timestamps, assessment scores, and training material version history. SAMA examiners will request these during regulatory reviews.
**6. Alignment with NCA ECC:**
NCA ECC Article 2-6 also requires cybersecurity culture promotion across the organization. A unified program satisfies both frameworks simultaneously.
Platforms like our GRC solution can automate training assignment, track compliance status per employee, and generate audit-ready reports aligned with SAMA CSF control evidence requirements.
Was this helpful?
A robust Cyber Incident Response Plan (CIRP) is not optional for Saudi financial institutions — it is a regulatory necessity under both SAMA CSF and NCA ECC, with specific reporting timelines that carry compliance consequences if missed.
**SAMA CSF Requirements (Control 3.5 – Cybersecurity Incident Management):**
SAMA requires Member Organizations to maintain a documented CIRP that covers: preparation, detection and analysis, containment, eradication, recovery, and post-incident review. Critically, SAMA must be notified of significant cybersecurity incidents within **72 hours** of detection. Material breaches may require escalation to the Financial Sector Cyber Threat Intelligence (FinCERT) platform.
**NCA ECC Reporting Obligations (Article 2-9):**
NCA requires reporting of high-impact incidents to the National Cybersecurity Authority within **24 hours** of identification. This creates a dual-reporting obligation — organizations must maintain separate notification workflows for SAMA and NCA.
**Key CIRP Structural Elements:**
1. **Incident Classification Matrix** — define severity levels (P1–P4) with escalation thresholds tied to regulatory reporting triggers.
2. **Response Team (CSIRT)** — assign roles: Incident Commander, Technical Lead, Legal/Compliance Liaison, Communications Officer, and Executive Sponsor.
3. **Playbooks** — develop scenario-specific playbooks for ransomware, DDoS, insider threat, data exfiltration, and payment fraud.
4. **Communication Templates** — pre-draft regulatory notification letters for SAMA, NCA, and PDPL authority (SDAIA) to minimize delay during crisis.
5. **Evidence Preservation** — define chain-of-custody procedures for forensic artifacts; critical for post-incident regulatory inquiries.
6. **Post-Incident Review (PIR)** — conduct within 14 days; document root cause, timeline, and corrective actions. SAMA examiners will review PIR reports.
**Testing Frequency:**
Conduct tabletop exercises at least annually and full simulation drills every 18–24 months. Document results and remediation actions for regulatory evidence.
Our platform provides pre-built CIRP templates mapped to SAMA CSF controls, dual-reporting workflow automation for SAMA and NCA, and incident timeline tracking for regulatory evidence.
Was this helpful?
Third-party risk management is a critical compliance obligation for Saudi financial institutions. Under SAMA CSF Domain 4.3 (Third Party Management), regulated entities must establish a formal vendor risk assessment program before onboarding any third party with access to critical systems or data.
Key requirements include:
**Pre-Onboarding:** Conduct cybersecurity due diligence assessments covering the vendor's security posture, certifications (e.g., ISO 27001), and incident response capabilities. SAMA CSF Control 4.3.1 requires risk classification of all third parties based on data sensitivity and system access levels.
**Contractual Controls:** Embed cybersecurity clauses in all vendor contracts, including data handling obligations, breach notification timelines (aligned with PDPL's 72-hour notification requirement), audit rights, and right-to-terminate clauses.
**Ongoing Monitoring:** Per SAMA CSF Control 4.3.3, annual reassessments are mandatory for high-risk vendors. NCA ECC Article 2-5 further requires that critical infrastructure dependencies on third parties are documented and tested during business continuity exercises.
**Cloud & SaaS Vendors:** For cloud service providers, additional controls apply under the NCA Cloud Cybersecurity Controls (CCC-1), requiring data residency confirmation within the Kingdom or explicit SAMA approval for offshore processing.
**Practical Steps:** Maintain a live vendor inventory, tier suppliers by risk level (Critical/High/Medium/Low), and conduct annual or triggered reassessments. Use standardized questionnaires aligned with SAMA CSF and ISO 27001 Annex A.15. Ensure your TPRM policy is reviewed and approved by the board or relevant risk committee annually.
Was this helpful?
SAMA CSF Domain 3 (Cybersecurity Operations) and specifically Control 3.3 mandate that all regulated financial institutions maintain a formally documented and tested Cyber Incident Response Plan (CIRP). Non-compliance is a common finding during SAMA examinations and can result in significant regulatory consequences.
**Core CIRP Requirements under SAMA CSF:**
- **Detection & Triage:** Implement 24/7 security monitoring capabilities (SOC or managed SIEM) capable of detecting incidents within defined timeframes. SAMA CSF requires clear severity classification criteria aligned with impact to operations and customer data.
- **Escalation & Notification:** Critical incidents must be escalated to senior management and the Board within defined SLAs. Importantly, SAMA requires member institutions to report significant cybersecurity incidents to SAMA's Cyber Threat Intelligence Unit within 72 hours of discovery — failure to report is treated as a separate regulatory violation.
- **Containment, Eradication & Recovery:** Document specific technical playbooks for common attack scenarios (ransomware, data breach, DDoS, insider threat). NCA ECC Control 3-5 also requires maintaining forensic evidence integrity throughout the response process.
- **Post-Incident Review:** Conduct formal lessons-learned reviews within 30 days of incident closure, with findings feeding back into risk registers and control improvements.
**Structural Recommendation:** Your CIRP should reference and integrate with your Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure seamless activation. Test the plan via tabletop exercises at least annually, with results documented for SAMA examiner review. For smaller fintechs, engaging a vCISO or managed security provider to maintain CIRP readiness is a cost-effective approach.
Was this helpful?
Third-party risk management (TPRM) is a critical compliance requirement for Saudi financial institutions. Under SAMA CSF Control 3.3 (Third-Party Management), organizations must establish a formal vendor risk program covering the entire vendor lifecycle — from onboarding and due diligence to ongoing monitoring and offboarding.
Key implementation steps include:
**1. Vendor Classification & Risk Tiering:** Classify vendors based on data access, criticality, and service nature. High-risk vendors (e.g., cloud providers, core banking system vendors) require deeper scrutiny per SAMA CSF Control 3.3.2.
**2. Pre-Onboarding Due Diligence:** Require vendors to complete cybersecurity questionnaires, provide ISO 27001 certificates or SOC 2 Type II reports, and sign Data Processing Agreements (DPAs) aligned with PDPL Article 29 obligations.
**3. Contractual Security Requirements:** Embed mandatory clauses covering incident notification timelines (per SAMA CSF Control 3.3.4), right-to-audit provisions, and minimum security baselines aligned with NCA ECC Article 2-7.
**4. Continuous Monitoring:** Conduct annual security assessments for critical vendors and quarterly reviews for high-risk ones. Use threat intelligence feeds to monitor vendor breach disclosures.
**5. Concentration Risk Management:** SAMA specifically flags risks from over-reliance on a single vendor for critical services — document contingency plans accordingly.
**6. Offboarding Controls:** Ensure secure data deletion, access revocation, and certificate/key rotation upon vendor termination.
Our platform provides automated vendor risk scorecards, pre-built questionnaire templates mapped to SAMA CSF and NCA ECC controls, and audit-ready reporting — helping your compliance team reduce manual effort while maintaining full regulatory traceability.
Was this helpful?
Incident reporting obligations in Saudi Arabia's financial sector are among the most stringent in the region, governed by multiple overlapping frameworks that CISOs must navigate carefully.
**SAMA CSF Reporting Requirements (Control 3.4.3):**
- **Immediate notification (within 2 hours):** Critical incidents involving core banking disruption, large-scale data breach, or ransomware affecting production systems must be reported to SAMA via the official incident reporting portal.
- **Full incident report (within 72 hours):** A comprehensive report detailing the nature, scope, affected systems, customer impact, and initial containment actions must be submitted.
- **Post-incident report (within 30 days):** A root cause analysis (RCA) with remediation plan and lessons-learned documentation is mandatory.
**NCA Reporting Obligations:**
Under the National Cybersecurity Authority's Cybersecurity Event Management (CEM) framework, organizations operating Critical National Infrastructure (CNI) must report significant incidents to the National Cybersecurity Operations Center (NCOC) — with initial notification expected within 4 hours of detection.
**PDPL Breach Notification (Article 19):**
If the incident involves personal data exposure, PDPL mandates notification to the Saudi Data & AI Authority (SDAIA) within 72 hours, and affected data subjects must be informed without undue delay if there is a high risk to their rights.
**Practical Preparation Checklist:**
- Maintain a pre-approved incident response retainer with 24/7 escalation contacts for SAMA and NCA.
- Document your Incident Classification Matrix aligned to SAMA CSF severity tiers.
- Conduct tabletop exercises simulating breach scenarios at least twice annually.
- Ensure your SIEM/SOAR platform timestamps and logs all detection-to-notification steps for audit evidence.
Failure to meet these timelines can result in regulatory sanctions, reputational damage, and heightened supervisory scrutiny.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Third-Party Management), Saudi banks must establish a comprehensive TPRM program that covers the full vendor lifecycle — from onboarding to offboarding. Key requirements include:
**1. Risk-Based Vendor Classification:** Categorize vendors by criticality (Critical, High, Medium, Low) based on data access, system connectivity, and service dependency. Vendors with access to core banking systems or customer PII require the highest scrutiny.
**2. Pre-Engagement Due Diligence:** Before contracting, conduct security assessments covering ISO 27001 certification status, data handling practices, incident response capabilities, and sub-contractor dependencies. Per SAMA CSF 3.3.2, banks must obtain documented security assurances before granting access.
**3. Contractual Security Obligations:** All vendor contracts must include cybersecurity clauses: right-to-audit, incident notification timelines (typically 72 hours under SAMA guidance), data return/destruction upon termination, and compliance with NCA ECC where applicable.
**4. Ongoing Monitoring:** Conduct annual reassessments for Critical/High-risk vendors and biennial reviews for others. Use questionnaires aligned with SAMA CSF and cross-reference with NCA ECC Article 2-6 controls for technology service providers.
**5. Cloud and SaaS Vendors:** For cloud providers, apply SAMA's Cloud Framework requirements alongside NCA's Cloud Cybersecurity Controls (CCC-1), ensuring data residency within KSA for sensitive financial data.
Practically, banks should maintain a central vendor registry within their GRC platform, automate assessment workflows, and produce board-level reports on third-party risk exposure. CISO Consulting's platform supports automated TPRM workflows mapped directly to SAMA CSF control requirements.
Was this helpful?
Security awareness is not optional — it is a formal regulatory requirement under SAMA CSF Domain 2 (Cybersecurity Leadership & Governance) and NCA ECC Article 3-3. A well-structured program goes far beyond annual e-learning modules.
**Regulatory Baseline Requirements**
SAMA CSF Control 2.3 requires institutions to establish a cybersecurity awareness program covering all staff, contractors, and third parties with system access. Programs must be documented, tracked, and evidence must be available for SAMA examiners.
**Program Structure Best Practices**
*Role-Based Training:* Generic training is insufficient. Tailor content by role — developers need secure coding training, finance staff need phishing and social engineering awareness, executives need cyber risk governance modules.
*Frequency:* Conduct mandatory awareness training at onboarding and at minimum annually. Supplement with monthly micro-learning content, newsletters, and simulated phishing campaigns.
*Phishing Simulations:* SAMA expects evidence of phishing simulation exercises. Track click rates, report rates, and remedial training completion. Benchmark quarterly to demonstrate improvement.
*Privileged User Training:* Staff with elevated access (system admins, IT ops) require additional specialized training per SAMA CSF Control 3.3.7, covering insider threat, access abuse, and incident reporting obligations.
*Metrics & Reporting:* Report awareness program effectiveness to senior management and the board annually. Key metrics include training completion rates, phishing simulation improvement trends, and security incident attribution to human error.
*Arabic Language Content:* Ensure training materials are available in Arabic to maximize staff comprehension and regulatory credibility with SAMA auditors.
A mature awareness program demonstrably reduces your human-layer risk and provides auditable evidence of SAMA CSF compliance.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation for Saudi financial institutions under SAMA CSF Domain 3.3 and NCA ECC-1:2-6.3. A compliant and mature TPRM program should be built around the following pillars:
**1. Vendor Classification & Tiering:** Categorize all third parties based on criticality, data access level, and service dependency. Vendors with access to customer data or core banking systems should be classified as Tier 1 and subjected to the most rigorous due diligence.
**2. Pre-Onboarding Due Diligence:** Before contracting, conduct a formal cybersecurity assessment covering the vendor's security posture, certifications (e.g., ISO 27001), incident history, and subcontractor dependencies. SAMA CSF Control 3.3.3 explicitly requires documented assessments prior to engagement.
**3. Contractual Security Requirements:** Ensure all vendor contracts include clauses on data protection obligations aligned with PDPL, incident notification timelines (typically within 72 hours), audit rights, and the right to terminate upon non-compliance.
**4. Continuous Monitoring:** TPRM is not a one-time exercise. Implement ongoing monitoring using threat intelligence feeds, periodic reassessments (at least annually for Tier 1), and automated alerts for changes in vendor risk profiles.
**5. Offboarding Controls:** Establish secure data return or destruction procedures when a vendor relationship ends, consistent with PDPL Article 19 on data retention and disposal.
A practical starting point is maintaining a centralized vendor risk register reviewed quarterly by the CISO and risk committee. Institutions that treat TPRM as a living program — not just a checkbox — are far better positioned during SAMA regulatory examinations.
Was this helpful?
Security awareness training is not optional for Saudi fintechs — it is explicitly mandated under SAMA CSF Control 3.2.2 and NCA ECC Article 2-10-1, which require institutions to establish a formal, recurring human security program. Here is how to build one that is both compliant and impactful:
**1. Define a Training Policy:** Start with a documented Cybersecurity Awareness Policy that sets scope, frequency, roles, and accountabilities. SAMA CSF requires this to be reviewed at least annually.
**2. Role-Based Curriculum Design:** Generic training fails. Design separate modules for: General staff (phishing, social engineering, password hygiene), IT/security teams (technical threat awareness, secure coding), and Senior management/Board (cyber risk governance, regulatory obligations). NCA ECC Control 2-10-2 specifically calls for tailored content by role.
**3. Phishing Simulation Exercises:** Run quarterly simulated phishing campaigns to test employee vigilance. Track click rates, credential submission rates, and reporting rates as measurable KPIs. SAMA examiners frequently request evidence of these exercises.
**4. Onboarding & Refresher Training:** All new employees must complete security awareness training before being granted system access. Existing staff should receive refresher training at least annually, with additional targeted sessions following any security incident.
**5. Awareness Metrics & Reporting:** Track completion rates, assessment scores, and phishing simulation outcomes. Report these metrics to senior management quarterly and include them in your annual SAMA self-assessment submission.
**6. Regulatory & Cultural Localization:** Ensure training content references Saudi-specific regulations (SAMA, NCA, PDPL) and uses Arabic-language materials where applicable to maximize comprehension and engagement among your workforce.
A mature awareness program transforms your employees from your greatest vulnerability into your most effective first line of defense.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 3 (Cybersecurity Risk Management) and specifically referenced in Control 3.3, which mandates that member organizations establish a formal supplier and third-party risk management program.
Practical implementation steps include:
1. **Vendor Classification**: Categorize all third parties by risk level — critical, high, medium, and low — based on the data they access, services they provide, and systemic impact if compromised.
2. **Pre-Onboarding Assessment**: Before engagement, conduct cybersecurity due diligence using standardized questionnaires aligned with SAMA CSF controls, ISO 27001 Annex A, and NCA ECC requirements.
3. **Contractual Controls**: Ensure all vendor contracts include cybersecurity clauses covering data protection (per PDPL obligations), incident notification timelines (typically within 72 hours), right-to-audit provisions, and acceptable use policies.
4. **Ongoing Monitoring**: Perform annual reassessments for critical vendors and bi-annual reviews for high-risk suppliers. Use threat intelligence feeds and continuous monitoring tools to detect supply chain threats.
5. **Concentration Risk**: SAMA specifically flags technology concentration risk — if a single vendor supports multiple critical functions, a dedicated contingency plan must exist.
6. **Cloud and SaaS Vendors**: For cloud-hosted services, verify CSP compliance with NCA Cloud Cybersecurity Controls (CCC) and confirm data residency within the Kingdom where required.
Failure to maintain a documented TPRM program can result in SAMA examination findings, remediation obligations, and reputational damage. Institutions should maintain a live vendor register reviewed at least annually by the CISO and risk committee.
Was this helpful?
Security Awareness Training (SAT) is not optional for Saudi financial institutions — SAMA CSF Domain 2 (Leadership and Governance) and Control 3.2.1 explicitly mandate a formalized, role-based security awareness program reviewed at least annually.
**Program Design Essentials:**
1. **Audience Segmentation**: Design differentiated training tracks for: general staff, IT and security personnel, privileged users, and the Board/C-suite. SAMA CSF distinguishes awareness needs across organizational levels.
2. **Mandatory Topics**: At a minimum, cover phishing and social engineering, password hygiene, acceptable use of IT assets, data handling per PDPL obligations, and incident reporting procedures.
3. **Phishing Simulations**: Conduct simulated phishing campaigns at least quarterly. Track click rates, credential submission rates, and remediation completion to demonstrate measurable risk reduction — a key expectation in SAMA examinations.
4. **Role-Specific Modules for High-Risk Roles**: Treasury, payments, and customer-facing staff require specialized training on fraud, BEC (Business Email Compromise), and social engineering tactics given their exposure profile.
5. **Metrics and Reporting**: Maintain training completion records (minimum 90% completion rate recommended), phishing simulation results, and trend analysis. Present these metrics to the Board Risk Committee at least annually per SAMA CSF governance requirements.
6. **Regulatory Alignment**: NCA ECC Article 2-5 also mandates cybersecurity awareness as a foundational control. Align your SAT calendar with the broader cybersecurity governance cycle.
7. **Continuous Reinforcement**: Move beyond annual training — use micro-learning, security newsletters, and real-incident case studies to embed security culture year-round.
A well-documented SAT program with evidence of effectiveness is increasingly scrutinized during SAMA regulatory examinations and demonstrates genuine cybersecurity maturity.
Was this helpful?
Under SAMA CSF Control Domain 3.3 (Third-Party Management), Saudi banks must establish a formal, risk-based vendor management program that covers the entire lifecycle of third-party relationships — from onboarding through offboarding.
**Key requirements include:**
1. **Risk Classification:** Categorize all vendors by criticality (e.g., Tier 1 for core banking processors, cloud providers) based on data access, system integration depth, and regulatory exposure.
2. **Pre-Onboarding Due Diligence:** Conduct cybersecurity assessments before contracting, including reviewing the vendor's ISO 27001 certification status, SOC 2 reports, and vulnerability management practices.
3. **Contractual Controls:** Ensure all contracts include clauses mandating incident notification within defined timeframes (aligned with SAMA's 72-hour reporting window), the right to audit, and data return/deletion obligations consistent with PDPL Article 19.
4. **Continuous Monitoring:** Perform annual reassessments for Tier 1 vendors and biennial reviews for lower-risk suppliers. Use threat intelligence feeds to monitor vendors for breaches disclosed externally.
5. **Concentration Risk:** SAMA specifically flags risks arising from over-reliance on a single technology vendor — ensure contingency plans exist if a critical supplier fails.
6. **Offboarding Controls:** Mandate secure data deletion and revoke all access credentials within 24 hours of contract termination.
Financial institutions should also cross-reference NCA ECC Article 2-14 (Supply Chain Security) when procuring technology services. Maintaining a centralised vendor register with real-time risk scores is a recommended best practice that simplifies SAMA examination responses.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation for Saudi financial institutions under SAMA CSF Domain 3.3 (Third-Party Management) and NCA ECC-1:2018 Control 2-7. Institutions must implement a structured TPRM lifecycle covering vendor onboarding, ongoing monitoring, and offboarding.
Key requirements include:
1. **Risk-Based Classification**: Classify all third parties by their access level to critical systems and sensitive data. Vendors with direct access to core banking infrastructure or customer PII should be categorized as high-risk and subject to enhanced due diligence.
2. **Contractual Security Obligations**: Per SAMA CSF Control 3.3.3, all vendor contracts must include enforceable cybersecurity clauses covering incident notification timelines (typically within 24–72 hours), data handling standards, and the right to audit.
3. **Cybersecurity Assessments**: Conduct annual cybersecurity assessments for critical vendors using standardized questionnaires aligned to ISO 27001 Annex A or NIST CSF. On-site audits should be reserved for Tier-1 suppliers.
4. **Concentration Risk Monitoring**: SAMA expects institutions to identify and mitigate concentration risk where multiple critical functions rely on a single third party.
5. **Cloud and SaaS Vendors**: NCA ECC Control 2-7-3 specifically addresses cloud service provider (CSP) oversight, requiring institutions to ensure CSPs meet local data residency and security standards before onboarding.
Practically, institutions should maintain a centralized Third-Party Risk Register, integrate TPRM into the annual risk assessment cycle, and assign clear ownership to a dedicated vendor risk team or the CISO's office. Automated GRC platforms can streamline evidence collection and continuous monitoring across your supplier ecosystem.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 3.3, which requires financial institutions to establish a structured lifecycle for managing vendor relationships from onboarding through offboarding.
**Key Requirements:**
- **Pre-onboarding Due Diligence:** Per SAMA CSF Control 3.3.1, institutions must assess the cybersecurity posture of all third parties before engagement. This includes reviewing SOC 2 Type II reports, ISO 27001 certifications, and conducting vendor security questionnaires.
- **Contractual Controls:** SAMA CSF Control 3.3.2 mandates that contracts with third parties include explicit cybersecurity obligations, right-to-audit clauses, data breach notification timelines (aligned with PDPL Article 29), and incident response coordination procedures.
- **Continuous Monitoring:** Vendors must be re-assessed periodically — at minimum annually for critical vendors — using risk tiering to prioritize effort.
- **Cloud and SaaS Providers:** When outsourcing to cloud providers, NCA ECC Article 7 cloud security controls also apply, requiring data residency validation and access control reviews.
**Practical Steps:**
1. Build a vendor inventory classified by criticality (critical, high, medium, low).
2. Use standardized security questionnaires mapped to SAMA CSF and NCA ECC controls.
3. Establish a vendor risk register and escalation thresholds.
4. Include TPRM reporting in your board-level cybersecurity dashboards.
Failure to manage third-party risk exposes institutions to regulatory penalties and supply-chain breaches. SAMA has increasingly scrutinized vendor management during examination cycles, making this a top compliance priority for CISOs in 2024 and beyond.
Was this helpful?
Third-party risk management (TPRM) is a critical compliance obligation for Saudi financial institutions. Under SAMA CSF Control 3.3.1, institutions must establish a formal vendor risk management program that covers the entire vendor lifecycle — from onboarding and due diligence through to contract termination.
Key requirements include:
**1. Pre-onboarding Due Diligence:** Conduct cybersecurity assessments of all critical vendors, reviewing their ISO 27001 certifications, audit reports (SOC 2 Type II), and security policies before contract signing.
**2. Contractual Obligations:** Embed security clauses into vendor contracts mandating breach notification timelines (aligned with PDPL's 72-hour reporting obligation), right-to-audit provisions, and data handling requirements per PDPL Articles 19–21.
**3. Continuous Monitoring:** Per SAMA CSF Control 3.3.3, perform annual reassessments for critical vendors and quarterly reviews for those with access to sensitive financial or personal data. NCA ECC Article 2-14 also requires that outsourced services maintain equivalent security controls to those applied internally.
**4. Concentration Risk:** Assess single-vendor dependencies, especially for cloud providers, to avoid systemic exposure.
**5. Fourth-Party Risk:** Identify and assess subcontractors used by your primary vendors, particularly in cloud and SaaS environments.
Our GRC platform provides a structured vendor risk register, automated assessment workflows, and real-time compliance dashboards that map vendor risks directly to SAMA CSF and NCA ECC control requirements — enabling your compliance team to demonstrate regulatory adherence efficiently during SAMA examinations.
Was this helpful?
Third-party risk management is a critical compliance area under SAMA CSF Domain 3.4 and NCA ECC Article 2-7. Saudi financial institutions must establish a formal Third-Party Risk Management (TPRM) program that covers the entire vendor lifecycle — from onboarding to offboarding.
Key requirements include:
**1. Pre-Engagement Due Diligence:** Before contracting any vendor, conduct a cybersecurity risk assessment that evaluates the vendor's security posture, certifications (e.g., ISO 27001), and data handling practices. Per SAMA CSF Control 3.4.1, vendors with access to critical systems or sensitive data must undergo enhanced scrutiny.
**2. Contractual Security Obligations:** All vendor contracts must include cybersecurity clauses mandating compliance with SAMA CSF and PDPL data protection standards, incident notification timelines (typically within 72 hours per PDPL Article 20), right-to-audit provisions, and data return/destruction obligations upon contract termination.
**3. Continuous Monitoring:** SAMA CSF requires ongoing monitoring of critical vendors, not just point-in-time assessments. Implement automated vendor risk scoring using tools integrated with your GRC platform, and schedule periodic reassessments — at least annually for Tier-1 vendors.
**4. Vendor Tiering and Criticality Classification:** Classify vendors by criticality (Tier 1–3) based on data sensitivity and operational dependency. NCA ECC Article 2-7-3 specifically requires documented risk treatment plans for high-criticality third parties.
**5. Cloud and SaaS Vendors:** For cloud service providers, ensure compliance with NCA Cloud Cybersecurity Controls (CCC-1) in addition to standard TPRM controls.
A GRC platform like CISO Consulting automates vendor questionnaires, risk scoring, and compliance gap tracking, significantly reducing the manual burden on your security and procurement teams.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under both SAMA CSF (Domain 3.3 – Third Party Management) and NCA ECC (Control 2-14). Saudi financial institutions must establish a formal, risk-based vendor management program that covers the entire vendor lifecycle — from onboarding to offboarding.
**Key implementation steps include:**
1. **Vendor Classification:** Categorize vendors by criticality and data access level. Vendors handling personal financial data or core banking infrastructure require the highest scrutiny.
2. **Pre-Onboarding Due Diligence:** Conduct cybersecurity assessments before contracting. Request evidence of ISO 27001 certification, penetration test results, and SOC 2 reports where applicable.
3. **Contractual Obligations:** Ensure all vendor contracts include cybersecurity clauses covering data protection (aligned with PDPL Article 21), incident notification timelines (typically 72 hours), audit rights, and right-to-terminate for security failures.
4. **Continuous Monitoring:** Per SAMA CSF Control 3.3.4, institutions must conduct periodic reassessments — at minimum annually for critical vendors. Use automated vendor risk platforms or structured questionnaires (e.g., CAIQ, SIG).
5. **Concentration Risk:** SAMA expects banks to identify and manage concentration risk where multiple critical functions rely on a single vendor or cloud provider.
6. **Offboarding Controls:** Ensure secure data deletion, access revocation, and credential rotation when a vendor relationship ends.
Our GRC platform provides pre-built TPRM workflows mapped directly to SAMA CSF and NCA ECC controls, enabling compliance teams to automate assessments, track vendor risk scores, and generate audit-ready reports with minimal manual effort.
Was this helpful?
Security awareness training is a mandatory control under both SAMA CSF Domain 2 (Cybersecurity Leadership & Governance) and NCA ECC Control 1-3 (Cybersecurity Awareness and Training). For Saudi fintechs, building a compliant and effective program requires more than generic annual training — it demands a structured, role-based, and continuously measured approach.
**Program Design Essentials:**
**1. Role-Based Training Tracks:** Not all employees face the same threats. Separate training modules should be developed for general staff, IT/security teams, privileged users, executives, and board members. SAMA CSF specifically requires board-level cybersecurity awareness per Control 2.1.2.
**2. Training Frequency:** Annual training alone is insufficient. SAMA recommends at minimum annual formal training supplemented by monthly micro-learning, phishing simulations (quarterly), and just-in-time training triggered by security incidents or policy changes.
**3. Content Requirements:** Programs must cover phishing and social engineering, password hygiene, data handling aligned with PDPL obligations, acceptable use policies, incident reporting procedures, and secure remote work practices.
**4. Phishing Simulation:** Regular simulated phishing campaigns are considered a baseline control. Track click rates, report rates, and repeat offenders. Results should feed back into targeted remedial training.
**5. Measurement & Reporting:** SAMA CSF requires documented training completion rates and effectiveness metrics. These must be reported to senior management and can be requested during regulatory examinations.
**6. New Employee Onboarding:** Security training must be completed before new hires are granted system access, as required under SAMA CSF Control 3.3.2.
Our platform provides a pre-built awareness training framework with content mapped to SAMA, NCA, and PDPL requirements, automated scheduling, completion tracking, and executive dashboards for audit readiness.
Was this helpful?
Security awareness training is a foundational control under SAMA CSF Domain 2 (Cybersecurity Leadership & Governance), specifically Control 2.3, which mandates that all employees — regardless of role — receive structured, role-appropriate cybersecurity training.
**Baseline Requirements:**
- **Frequency:** General security awareness training must occur at least annually for all staff. Privileged users (system admins, developers, finance personnel) require more frequent, role-specific training — typically semi-annually.
- **New Hire Onboarding:** All new employees must complete security awareness training before or immediately upon gaining system access, per SAMA CSF 2.3.1.
- **Phishing Simulations:** SAMA CSF strongly recommends periodic simulated phishing campaigns to measure and improve employee resilience. Results should feed back into training content.
**Content Requirements:**
- Social engineering and phishing awareness
- Password hygiene and MFA usage
- Data classification and handling (aligned with PDPL obligations for personal data)
- Incident reporting procedures
- Acceptable use of IT systems and BYOD policies
- Remote work security practices
**Governance & Documentation:**
- Maintain training completion records for all employees — SAMA examiners frequently request these during assessments.
- Track completion rates via an LMS (Learning Management System) and report results to senior management and the Board Risk Committee at least annually.
- Tailor training for the Board and C-suite on cyber risk governance topics.
**Maturity Consideration:** Institutions targeting SAMA CSF Maturity Level 3+ should demonstrate measurable improvements in training effectiveness through metrics such as phishing click-rate reduction over time.
A well-executed awareness program significantly reduces the human-factor risk that remains the top attack vector for Saudi financial institutions.
Was this helpful?
Identity and Access Management (IAM) is a foundational requirement under SAMA CSF Domain 4 (Access Control), specifically controls 4.2 and 4.3, which mandate that financial institutions enforce least-privilege access, role-based access control (RBAC), and periodic access reviews. Here's a practical implementation roadmap:
**1. Privileged Access Management (PAM):** Deploy a PAM solution (e.g., CyberArk, BeyondTrust) to manage, monitor, and audit all privileged accounts. SAMA CSF Control 4.3.2 explicitly requires privileged access to be logged and reviewed.
**2. Multi-Factor Authentication (MFA):** Enforce MFA for all remote access, administrative consoles, and critical banking systems. This also aligns with NCA ECC-1:2018 Article 3-5-3.
**3. Access Reviews:** Conduct quarterly access recertification campaigns, ensuring managers formally approve or revoke user entitlements. Document all outcomes for audit evidence.
**4. Segregation of Duties (SoD):** Implement SoD controls, especially in core banking, treasury, and payment systems, to prevent fraud and unauthorized transactions.
**5. Identity Lifecycle Management:** Automate provisioning and de-provisioning workflows tied to your HR system. Terminated employees' accounts must be disabled within 24 hours per SAMA CSF guidelines.
**6. Directory Services Hardening:** Secure Active Directory or LDAP with tiered administration models and monitor for Kerberoasting, pass-the-hash, and lateral movement indicators.
Regular IAM audits, mapped against SAMA CSF maturity levels (1–5), will help identify gaps. Aim for at least Maturity Level 3 (Defined) for core IAM controls, with Level 4 (Managed) for privileged access in larger institutions.
Was this helpful?
Under SAMA CSF Control 3.3.1 and NCA ECC Article 2-7, Saudi financial institutions are required to establish a formal, risk-based Security Awareness Training (SAT) program that covers all employees, contractors, and privileged users. Here's how to structure it effectively:
**Program Design:**
- Conduct an annual training needs analysis aligned to your threat landscape and role-based risk profiles.
- Develop at least three training tiers: general staff, IT/security staff, and senior management/board.
- Include topics such as phishing recognition, social engineering, password hygiene, data classification under PDPL, and incident reporting procedures.
**Delivery & Frequency:**
- Mandatory onboarding training for all new joiners within 30 days.
- Annual refresher training for all staff, with quarterly phishing simulations.
- Role-specific deep-dives for privileged users at least twice annually.
**Measurement & Reporting:**
- Track completion rates, phishing simulation click-through rates, and post-training assessment scores.
- Report SAT effectiveness metrics to the CISO and Board Risk Committee at least semi-annually.
- Maintain training records for a minimum of 3 years to support SAMA examination requests.
**Practical Tip:** Integrate SAT outcomes into your SAMA CSF maturity assessment under Domain 3 (Human Resources Security). Low awareness scores can negatively impact your maturity level, so remediation plans should be documented and tracked. Linking the program to PDPL awareness—particularly around data handling and breach reporting obligations—adds dual compliance value.
Was this helpful?
Security Awareness Training is a mandatory control under SAMA CSF (Control 3.3.1) and NCA ECC (Article 2-7), requiring Saudi financial institutions to maintain a structured, ongoing awareness program for all staff. Here's how to implement one effectively:
**Program Structure:**
- Conduct a role-based training curriculum — differentiate between general staff, IT teams, executives, and privileged users. SAMA CSF requires tailored content for different user groups.
- Deliver training at least annually, with mandatory onboarding sessions for new hires. NCA ECC recommends quarterly refreshers for high-risk roles.
**Required Content Areas:**
- Phishing and social engineering recognition
- Password hygiene and multi-factor authentication (MFA) use
- Incident reporting procedures
- Acceptable use of organizational assets
- Data classification and handling (aligned with PDPL obligations)
**Measurement and Evidence:**
- Run simulated phishing campaigns at least quarterly to measure click rates and improve training effectiveness
- Track completion rates and maintain documented records — SAMA examiners will request training logs and completion evidence during assessments
- Conduct pre- and post-training assessments to measure knowledge improvement
**Governance:**
- Assign program ownership to the Information Security function with executive sponsorship
- Include SAT metrics in your quarterly security reporting to the Board Risk Committee, as required under SAMA CSF Control 3.1.2
**Practical Tip:** Integrate real-world Saudi-specific threat scenarios (e.g., SADAD phishing, WhatsApp-based fraud) to increase relevance and engagement. Localized Arabic content significantly improves training retention among staff.
Was this helpful?
Security awareness training is a mandatory control under SAMA CSF Domain 2 (Cybersecurity Leadership & Governance), specifically Control 2.4, which requires all staff — including board members and senior management — to receive role-appropriate cybersecurity education.
**Structuring a compliant program involves:**
1. **Audience Segmentation:** Design separate training tracks for general staff, IT personnel, privileged users, and executive leadership. SAMA CSF distinguishes between general awareness and technical role-based training requirements.
2. **Training Frequency:** Conduct mandatory awareness sessions at least annually, with additional targeted modules triggered by significant threat events, new regulatory guidance, or after a security incident. Phishing simulation exercises should run quarterly.
3. **Content Requirements:** Programs must cover phishing recognition, social engineering, password hygiene, data handling per PDPL obligations, acceptable use policies, and incident reporting procedures. For fintech staff, include topics specific to open banking and API security risks.
4. **Measurement & Reporting:** Track completion rates, phishing simulation click rates, and pre/post assessment scores. SAMA CSF Control 2.4.3 expects measurable outcomes — present these metrics in the quarterly Cybersecurity Risk Report to the board.
5. **New Hire Onboarding:** Integrate security awareness into the onboarding process so new employees complete baseline training before accessing production systems.
6. **Documentation & Evidence:** Maintain training records, attendance logs, and assessment results for at least three years to support SAMA examinations and ISO 27001 Annex A.7.2.2 audit evidence.
Institutions that gamify training content and integrate real-world threat scenarios relevant to Saudi banking (e.g., CEO fraud targeting remittance operations) typically achieve significantly higher engagement and retention rates.
Was this helpful?
A well-structured Cyber Incident Response Plan (CIRP) is a regulatory necessity, not just a best practice. Both SAMA CSF and NCA ECC impose specific, enforceable obligations around incident response.
**SAMA CSF Requirements:**
Under SAMA CSF Domain 3 (Cyber Security Operations), Control 3.4 mandates that financial institutions maintain a documented CIRP that is tested at least annually through tabletop exercises or simulations. The plan must define clear escalation paths, incident classification tiers (low, medium, high, critical), and mandatory reporting to SAMA within specific timeframes — critical incidents must be reported within 3 hours of detection.
**NCA ECC Requirements:**
Per NCA ECC Control 2-8 (Cybersecurity Incident and Threat Management), organizations must establish a Cyber Defense Center (CDC) or equivalent function capable of 24/7 monitoring, triage, and response. The ECC also requires post-incident reviews and lessons-learned documentation to be retained for a minimum of 5 years.
**Key CIRP Components:**
1. **Preparation:** Defined roles (Incident Commander, Technical Lead, Legal/Compliance, Communications), contact lists, and pre-authorized response playbooks.
2. **Detection & Analysis:** Integration with SIEM/SOAR tools; incident triage criteria aligned with SAMA's severity classification.
3. **Containment, Eradication & Recovery:** Step-by-step procedures per incident type (ransomware, DDoS, insider threat, data breach).
4. **Notification:** Regulatory reporting to SAMA and NCA; PDPL breach notification to SDAIA within 72 hours if personal data is involved.
5. **Post-Incident Review:** Root cause analysis, control gap identification, and plan updates.
Regularly testing and refining your CIRP ensures both regulatory compliance and operational resilience.
Was this helpful?
Third-party risk management (TPRM) is a critical compliance obligation for Saudi financial institutions under SAMA CSF Domain 3.3 (Third-Party Management) and NCA ECC-1:2018 Article 3-3. Here is a structured approach:
**1. Vendor Classification & Due Diligence**
Begin by classifying all vendors based on data sensitivity and criticality. SAMA CSF Control 3.3.1 requires institutions to assess cybersecurity posture before onboarding. Conduct pre-contract security assessments including SOC 2 Type II reviews, ISO 27001 certification checks, and questionnaire-based evaluations.
**2. Contractual Obligations**
Embed cybersecurity clauses in all vendor contracts — covering incident notification timelines (typically within 24–72 hours), right-to-audit provisions, data handling obligations under PDPL Article 21, and minimum security baseline requirements aligned with NCA ECC controls.
**3. Continuous Monitoring**
SAMA CSF Control 3.3.3 mandates ongoing monitoring of third-party performance. Use threat intelligence feeds, security ratings platforms (e.g., BitSight or SecurityScorecard), and conduct periodic reassessments — at least annually for critical vendors.
**4. Offboarding Controls**
Establish secure data deletion and access revocation procedures when vendor relationships end, consistent with PDPL data retention principles.
**5. CISO-Level Oversight**
Maintain a third-party risk register reviewed quarterly by the CISO or risk committee. Escalate critical findings to the board where required under SAMA governance expectations.
Organizations that treat TPRM as a checkbox exercise often discover supply-chain vulnerabilities during incidents. A mature TPRM program should be risk-based, continuously updated, and integrated into your overall cybersecurity governance framework.
Was this helpful?
Incident response (IR) is a foundational requirement under SAMA CSF Domain 3.6 and NCA ECC Domain 2-10. Saudi banks must maintain a documented, tested, and board-approved IR capability.
**Mandatory IR Program Components (SAMA CSF 3.6):**
1. **IR Policy and Plan:** A formal Incident Response Plan (IRP) covering preparation, detection, containment, eradication, recovery, and lessons learned — aligned with the NIST CSF Respond function.
2. **IR Team Structure:** Designate a Computer Security Incident Response Team (CSIRT) with clearly defined roles, escalation paths, and 24/7 contact availability for critical incidents.
3. **Incident Classification:** Classify incidents by severity (Critical, High, Medium, Low) with corresponding response SLAs. SAMA expects Critical incidents to trigger immediate executive notification.
4. **Regulatory Reporting Obligations:**
- **SAMA:** Report significant cyber incidents within **3 hours** of detection for critical incidents, followed by a detailed report within **72 hours**. SAMA's Cyber Incident Reporting portal (via REGTECH) must be used.
- **NCA (via CERT-SA):** Report incidents affecting national infrastructure or government-connected systems to CERT-SA promptly.
- **PDPL:** If the incident involves personal data breach, the National Data Management Office (NDMO) must be notified within **72 hours** of discovery.
5. **Tabletop Exercises:** SAMA CSF 3.6.5 requires IR exercises at least **annually**, with evidence of lessons learned integrated into plan updates.
6. **Forensic Readiness:** Maintain forensic logging capabilities with at least **12 months** of log retention to support post-incident investigation.
Failing to report a significant incident to SAMA within the required window is a serious compliance violation — ensure your SOC team has the reporting playbook ready and tested before an incident occurs.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 3 (Cybersecurity Risk Management) and NCA ECC controls related to supply chain security. Here is a practical implementation approach:
**1. Vendor Classification & Due Diligence**
Classify vendors by criticality — Tier 1 (critical systems access), Tier 2 (sensitive data access), Tier 3 (general services). Per SAMA CSF Control 3.3.1, conduct formal cybersecurity due diligence before onboarding any third party with access to your infrastructure or data.
**2. Contractual Security Requirements**
Embed cybersecurity clauses in all vendor contracts covering: data protection obligations aligned with PDPL, minimum security baseline (ISO 27001 certification preferred), right-to-audit provisions, and breach notification timelines (within 72 hours per SAMA incident reporting guidelines).
**3. Continuous Monitoring**
Do not treat TPRM as a one-time checkbox. Implement ongoing monitoring through annual security questionnaires, periodic penetration test evidence requests from critical vendors, and automated threat intelligence feeds tracking vendor exposure.
**4. NCA ECC Alignment**
NCA ECC Article 2-14 requires organizations to enforce cybersecurity requirements on third parties and service providers operating within their environment. This includes cloud providers, managed security service providers (MSSPs), and software vendors.
**5. Practical Tip**
Maintain a centralized vendor risk register within your GRC platform, updated at least quarterly. Assign ownership to each vendor relationship and escalate critical findings to the CISO and board risk committee.
Non-compliance in this area is one of the most frequently cited gaps in SAMA regulatory examinations.
Was this helpful?
Under SAMA CSF Domain 3 (Cybersecurity Risk Management), Saudi banks must establish a formal Third-Party Risk Management program that governs the entire vendor lifecycle — from onboarding to offboarding. Specifically, SAMA CSF Control 3.3 mandates that institutions assess the cybersecurity posture of all third parties who access, process, or store bank data.
Key program components include:
**1. Vendor Classification:** Tier vendors by criticality — critical (core banking, payment processors), high, medium, and low — with risk assessments scaled accordingly.
**2. Pre-Onboarding Due Diligence:** Require vendors to submit cybersecurity questionnaires, evidence of certifications (ISO 27001, SOC 2), and penetration test results before contract execution.
**3. Contractual Obligations:** Embed cybersecurity clauses covering data handling, incident notification (within 72 hours per PDPL Article 19), right-to-audit provisions, and compliance with NCA ECC Art. 2-3 where applicable.
**4. Ongoing Monitoring:** Conduct annual reassessments for critical vendors and trigger event-based reviews following any vendor security incident or significant operational change.
**5. Offboarding Controls:** Ensure secure data deletion, revocation of all access credentials, and documented confirmation of data return or destruction.
From a practical standpoint, banks should integrate their TPRM platform with the institution's GRC system to maintain a live vendor risk register. SAMA examiners increasingly scrutinize whether banks have real-time visibility into critical vendor posture rather than point-in-time assessments. Aligning TPRM with ISO 27001:2022 Annex A Control 5.19 (Information Security in Supplier Relationships) further strengthens audit readiness across multiple frameworks simultaneously.
Was this helpful?
Incident response in Saudi banking is governed by multiple overlapping frameworks, creating layered reporting obligations that CISOs must navigate carefully.
**SAMA CSF Requirements (Domain 4 — Cybersecurity Resilience):**
SAMA CSF Control 4.1 requires banks to maintain a formally documented Incident Response Plan (IRP) covering preparation, detection, containment, eradication, recovery, and post-incident review. The IRP must be tested at least annually through tabletop exercises or simulations.
**Regulatory Notification Timelines:**
- **SAMA:** Banks must notify SAMA of significant cybersecurity incidents within **3 hours** of detection via the SAMA Cybersecurity Notification Portal. A follow-up detailed report is required within **72 hours** covering root cause, affected systems, data exposure, and remediation steps.
- **PDPL (Article 19):** If personal data of Saudi residents is compromised, the National Data Management Office (NDMO) must be notified within **72 hours**, and affected individuals notified without undue delay where there is high risk to their rights.
- **NCA ECC:** Critical infrastructure entities must additionally report to the National Cybersecurity Authority through the CERT-SA reporting channel.
**Practical Guidance:**
Banks should maintain pre-approved communication templates for each regulator to avoid delays under pressure. Designate a dedicated Incident Response Coordinator who owns regulatory notifications. Conduct quarterly reviews of the incident classification matrix to ensure all staff distinguish between a security event, incident, and crisis — each triggering different escalation paths. Align playbooks with NIST CSF's Respond function (RS.CO-2, RS.CO-3) to maintain internationally recognized standards alongside local compliance.
Was this helpful?
Under SAMA CSF Control Domain 3.5 (Third-Party Management), Saudi banks must establish a comprehensive TPRM program that covers the full vendor lifecycle — from onboarding to offboarding. Here is a practical framework to follow:
**1. Vendor Classification & Risk Tiering:** Categorize all vendors by criticality (Tier 1: critical, Tier 2: significant, Tier 3: low-risk). Critical vendors handling customer data or core banking functions require the most rigorous due diligence.
**2. Pre-Onboarding Due Diligence:** Before contracting, assess vendors against SAMA CSF controls, NCA ECC requirements, and ISO 27001 alignment. Request evidence of certifications, penetration test results, and data handling practices especially under PDPL obligations.
**3. Contractual Safeguards:** Contracts must include cybersecurity obligations, right-to-audit clauses, SLA definitions for incident notification (per SAMA CSF 3.5.3), data residency requirements, and exit/termination procedures.
**4. Continuous Monitoring:** Conduct annual reassessments for Tier 1 vendors and biennial reviews for Tier 2. Use automated tools to monitor vendor security posture, track vulnerability disclosures, and assess compliance drift.
**5. Incident Notification Requirements:** Vendors must notify the bank within defined timeframes (typically 24–72 hours) of any security incident that may impact bank systems or customer data.
**6. Cloud & SaaS Vendors:** For cloud service providers, additional controls per SAMA Cloud Computing Guidelines apply, including data classification, shared responsibility matrix documentation, and exit strategy planning.
A mature TPRM program not only satisfies SAMA CSF expectations but also reduces supply chain risk — a growing threat vector for Saudi financial institutions.
Was this helpful?
SAMA CSF dedicates a specific domain to third-party and outsourcing risk, requiring financial institutions to maintain a formal Vendor Risk Management (VRM) program that spans the entire vendor lifecycle — from onboarding through offboarding. Per SAMA CSF Control 3.3.1, institutions must conduct risk-based due diligence on all third parties before engagement, assessing their cybersecurity posture, data handling practices, and regulatory compliance status.
Key program components include:
**1. Vendor Classification & Tiering:** Categorize vendors by criticality (e.g., Tier 1 for core banking system providers, Tier 3 for low-risk suppliers). Apply proportionate controls based on the data and system access each vendor holds.
**2. Contractual Security Requirements:** All contracts must embed cybersecurity clauses covering incident notification timelines (typically ≤72 hours), right-to-audit provisions, data handling obligations aligned with PDPL, and compliance with NCA ECC where applicable.
**3. Continuous Monitoring:** Annual reassessments are insufficient for high-risk vendors. Implement continuous monitoring via security ratings platforms, periodic questionnaires, and mandatory penetration test evidence submission.
**4. Concentration Risk:** SAMA explicitly expects institutions to assess and mitigate concentration risk — where multiple critical functions depend on a single third party (e.g., a dominant cloud provider).
**5. Fourth-Party Risk:** Extend due diligence to subcontractors used by your vendors, particularly for outsourced IT and managed security services.
Practically, institutions should maintain a centralized vendor risk register, assign ownership to each vendor relationship, and report aggregated third-party risk exposure to the Board Risk Committee quarterly. Alignment with ISO 27001 Annex A.15 further strengthens your VRM framework and supports audit readiness.
Was this helpful?
SAMA CSF dedicates Domain 4 (Third-Party Management) to vendor risk, requiring financial institutions to establish a formal Third-Party Risk Management (TPRM) framework that covers the full vendor lifecycle — from initial due diligence to contract termination.
Key requirements include:
**Pre-engagement:** Conduct cybersecurity risk assessments before onboarding any vendor with access to systems or data. Classify vendors by criticality (critical, significant, standard) per SAMA CSF Control 4.1.2.
**Contractual controls:** Ensure contracts mandate security standards, right-to-audit clauses, incident notification obligations (typically within 72 hours), and data protection terms aligned with PDPL.
**Ongoing monitoring:** Perform periodic reassessments — at minimum annually for critical vendors. This includes reviewing SOC 2 Type II reports, ISO 27001 certificates, or conducting direct security assessments.
**Concentration risk:** SAMA specifically requires banks to assess and manage over-reliance on single vendors, particularly cloud and technology providers.
**Exit strategy:** Maintain documented exit plans for critical vendors to ensure business continuity under SAMA CSF Control 4.3.1.
Practically, build a vendor register categorizing all third parties, automate reassessment workflows through your GRC platform, and align your questionnaires with SAMA CSF, NCA ECC, and ISO 27001 Annex A.15 controls. Ensure your information security team signs off on all critical vendor engagements before the procurement team finalizes contracts. Many Saudi banks also require critical vendors to demonstrate NCA ECC compliance, especially when those vendors operate within the Kingdom.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 4 (Third Party Management), which requires Saudi financial institutions to establish a formal, risk-based vendor governance framework. Here's how to structure it effectively:
**1. Vendor Classification (SAMA CSF Control 4.1):** Categorize all vendors by criticality — critical, high, medium, and low — based on data access, system integration depth, and business impact. Critical vendors supporting core banking or payment infrastructure require the most rigorous oversight.
**2. Pre-Onboarding Due Diligence:** Before contracting, conduct cybersecurity assessments covering ISO 27001 certification status, penetration testing history, data handling practices, and incident response capabilities. Require vendors to complete a standardized security questionnaire aligned with NCA ECC Art. 3-4 controls.
**3. Contractual Security Obligations (SAMA CSF Control 4.3):** Embed mandatory cybersecurity clauses covering right-to-audit, breach notification timelines (ideally within 24–72 hours), data residency requirements under PDPL, and compliance with SAMA's outsourcing regulations.
**4. Continuous Monitoring:** Implement ongoing risk monitoring using automated vendor risk scoring tools, periodic reassessments (annually for critical vendors, biennially for others), and real-time threat intelligence feeds related to your vendor ecosystem.
**5. Incident and Exit Management:** Define clear escalation paths if a vendor suffers a breach, and maintain documented exit strategies to ensure business continuity without vendor lock-in.
SAMA also requires that outsourced critical functions remain under the institution's effective control — meaning your internal team must retain oversight authority at all times. Document all TPRM activities in a centralized register reviewable by SAMA examiners during assessments.
Was this helpful?
SAMA CSF Domain 3.3 (Cybersecurity Incident Management) mandates that all Saudi banks and financial institutions maintain a formally documented and regularly tested incident response (IR) program. Here's what compliance requires and how CISOs should build it:
**Mandatory IR Program Components (SAMA CSF Control 3.3.1–3.3.5):**
- A formally approved Incident Response Plan (IRP) covering detection, containment, eradication, recovery, and lessons learned phases
- Defined severity classification levels aligned to business impact
- Clear escalation procedures, including board and executive notification thresholds
- Dedicated IR roles and responsibilities documented in a RACI matrix
**Regulatory Notification Obligations:** SAMA requires institutions to report significant cybersecurity incidents to SAMA within defined timelines. Incidents affecting critical financial infrastructure or customer data must be reported promptly — typically within 24 hours of discovery for high-severity events. Coordinate simultaneously with NCA's Cybersecurity Operations Center (CSOC) for incidents that may have national significance.
**Practical Build-Out Steps for CISOs:**
1. Develop playbooks for your top 10 incident scenarios: ransomware, insider threat, DDoS on banking platforms, SWIFT fraud, mobile banking compromise, etc.
2. Integrate your SIEM/SOAR with the IRP workflow to enable automated alerting and ticket creation
3. Conduct tabletop exercises at minimum quarterly; full simulation exercises annually
4. Align forensic evidence preservation procedures with Saudi legal requirements to maintain admissibility
5. Cross-reference NIST CSF's Respond and Recover functions for international best-practice alignment
Document all exercises, incidents, and post-incident reviews in a centralized log available to SAMA examiners. Continuous improvement cycles are a key evaluation criterion during SAMA assessments.
Was this helpful?
SAMA CSF Domain 4.5 mandates that all Member Organizations establish a formal Cybersecurity Incident Management capability. For CISOs at Saudi banks and fintechs, this translates into a structured program with the following key requirements:
**Regulatory Reporting Obligations:** Per SAMA CSF Control 4.5.3 and SAMA's Cyber Incident Reporting Framework, significant incidents must be reported to SAMA within 72 hours of detection. Incidents affecting payment systems or customer data may also trigger parallel reporting to NCA (per ECC-2: 2-3) and SDAIA under PDPL Article 24.
**IR Program Components (SAMA CSF 4.5):**
- Documented Incident Response Plan (IRP) reviewed at least annually
- Defined incident classification matrix (P1–P4 severity levels)
- Designated Incident Response Team (IRT) with clear roles and escalation paths
- 24/7 monitoring capability or SOC coverage (in-house or managed)
- Evidence preservation and forensic investigation procedures
- Post-incident review and lessons-learned process
**NIST CSF Alignment:** Structure your IR capability around NIST's five functions — Identify, Protect, Detect, Respond, Recover — which maps well to SAMA CSF's control domains.
**Tabletop Exercises:** SAMA CSF requires periodic IR drills. Conduct at least one tabletop exercise annually, simulating scenarios such as ransomware, BEC fraud, or data exfiltration. Document results and remediation actions.
**Practical Tip:** Integrate your IR workflows directly into your GRC platform to auto-generate incident tickets, track SLA compliance with SAMA reporting timelines, and produce audit-ready evidence for SAMA examinations.
Was this helpful?
Under SAMA CSF Domain 4 (Third-Party Management), Saudi financial institutions must implement a structured, lifecycle-based approach to vendor risk. Here's a practical framework:
**1. Pre-Onboarding Due Diligence**
Before contracting any third party, conduct a cybersecurity risk assessment covering the vendor's security posture, certifications (e.g., ISO 27001), and compliance with NCA ECC controls. Classify vendors by criticality — Tier 1 (critical systems access), Tier 2 (sensitive data access), Tier 3 (general services).
**2. Contractual Security Requirements (per SAMA CSF 4.3)**
Ensure all vendor contracts include mandatory clauses for: data protection aligned with PDPL, incident notification within 72 hours, right-to-audit provisions, and minimum security baselines mirroring your internal standards.
**3. Continuous Monitoring**
Establish quarterly security reviews for Tier 1 vendors and annual reviews for Tier 2/3. Use automated vendor risk platforms where possible. Review vendor access logs, patch compliance, and any reported breaches.
**4. Concentration Risk**
SAMA also expects institutions to assess concentration risk — if multiple critical services rely on a single vendor (e.g., a cloud provider), your BCP must account for vendor failure scenarios.
**5. Offboarding Controls**
Upon contract termination, revoke all access immediately, retrieve or securely destroy data per PDPL Article 19, and document the offboarding in your risk register.
A mature TPRM program integrates with your ISO 27001 Annex A.15 controls and feeds directly into your board-level risk reporting cycle. SAMA inspectors increasingly focus on vendor risk during regulatory examinations — treat this as a first-class risk domain.
Was this helpful?
SAMA CSF Domain 3 (Cybersecurity Operations & Resilience) mandates a formal, tested incident response capability. Here is what a CISO must build:
**1. Documented IR Policy and Playbooks (SAMA CSF 3.3)**
Maintain a board-approved IR policy with specific playbooks for high-probability scenarios: ransomware, data breach, DDoS against banking systems, and insider threat. Each playbook must define roles, escalation paths, and communication templates.
**2. Classification and Severity Thresholds**
Adopt a clear severity matrix (P1–P4). Critical incidents affecting customer funds, core banking availability, or involving confirmed data exfiltration must escalate to the CISO and CEO within 1 hour.
**3. Regulatory Notification Obligations**
SAMA requires financial institutions to notify SAMA's cybersecurity team within 72 hours of detecting a significant cyber incident. Coordinate this with PDPL Article 26 obligations — if personal data is involved, the National Data Management Office (NDMO) must also be notified. Maintain a dual-notification checklist.
**4. Digital Forensics and Evidence Preservation**
Ensure your SOC or retained IR firm follows a proper chain-of-custody process for digital evidence — this is critical if legal proceedings or regulatory investigation follow.
**5. Post-Incident Review and Lessons Learned**
Within 2 weeks of incident closure, conduct a structured post-mortem. Findings must feed back into your risk register, control improvements, and training program per ISO 27001 Clause 10.1.
**6. Annual IR Drills**
Conduct at least one tabletop exercise and one technical simulation annually. SAMA inspectors will ask for evidence of testing — document everything including attendance, scenarios, and action items.
Was this helpful?
SAMA CSF Domain 4 (Operational Resilience) mandates that financial institutions establish, document, and regularly test Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). Per SAMA CSF Control 4.3, institutions must define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems, with annual testing at minimum.
Practical implementation steps include:
1. **Business Impact Analysis (BIA):** Identify critical business processes and their dependencies, classifying systems by criticality tier. Core banking and payment systems typically require RTOs of less than 4 hours.
2. **Scenario-Based Testing:** Conduct tabletop exercises, parallel run tests, and full failover drills. SAMA expects evidence of testing results, gaps identified, and remediation actions.
3. **Third-Party Dependencies:** Map and test continuity plans for critical vendors and cloud providers, especially given SAMA's outsourcing guidelines.
4. **ISO 22301 Alignment:** Aligning your BCP framework with ISO 22301 strengthens SAMA CSF compliance and provides an internationally recognized structure for documentation and audits.
5. **Board Reporting:** SAMA CSF requires that BCP/DRP status and test results be reported to senior management and the Board Risk Committee annually.
Failure to demonstrate tested and effective continuity plans is one of the most common findings in SAMA cybersecurity assessments. Ensure your DRP includes cyber incident scenarios such as ransomware attacks, which are increasingly relevant for Saudi financial institutions.
Was this helpful?
Under SAMA CSF Domain 4 (Third-Party Management), Saudi banks must implement a structured, risk-based vendor oversight program covering the entire supplier lifecycle. Here's a practical implementation roadmap:
**1. Vendor Classification & Risk Tiering**
Classify all third parties based on data access, system criticality, and service type. SAMA CSF Control 4.1.2 requires you to distinguish between critical, significant, and standard suppliers, applying proportionate controls accordingly.
**2. Pre-Onboarding Due Diligence**
Before contracting, conduct security assessments that include: review of the vendor's ISO 27001 or equivalent certification, network architecture diagrams, incident response procedures, and PDPL compliance posture if they process personal data.
**3. Contractual Security Requirements**
All vendor contracts must embed cybersecurity obligations per SAMA CSF Control 4.2.1, including: right-to-audit clauses, breach notification timelines (typically within 72 hours aligned with PDPL Article 28), data handling standards, and subcontractor disclosure requirements.
**4. Continuous Monitoring**
Conduct annual security assessments for critical vendors and bi-annual assessments for significant ones. Use automated tools to monitor vendor risk scores, and track any changes in their security posture or regulatory standing.
**5. Offboarding Controls**
Establish formal offboarding procedures ensuring secure data deletion, revocation of all access credentials, and documented confirmation of data return or destruction.
A common gap we see is treating third-party risk as a one-time procurement checklist rather than an ongoing governance function. Appoint a dedicated vendor risk owner and integrate third-party findings into your board-level cybersecurity reporting to demonstrate SAMA CSF maturity at Tier 3 and above.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 3.3 and NCA ECC-1:2-6, requiring Saudi financial institutions to maintain a structured vendor risk program. Here's a practical implementation roadmap:
**1. Vendor Classification & Tiering**
Categorize vendors by criticality — Tier 1 (critical system access), Tier 2 (significant data access), Tier 3 (limited exposure). SAMA CSF Control 3.3.1 mandates formal risk classification before onboarding.
**2. Due Diligence & Contractual Controls**
Conduct pre-onboarding cybersecurity assessments including security questionnaires, ISO 27001 certification verification, and penetration testing results review. Contracts must include right-to-audit clauses, incident notification SLAs (typically 24–72 hours), and data handling obligations aligned with PDPL Articles 18–21.
**3. Continuous Monitoring**
Implement ongoing monitoring using threat intelligence feeds and periodic reassessments (at minimum annually for Tier 1 vendors). NCA ECC requires evidence of vendor compliance documentation being maintained.
**4. Concentration Risk**
SAMA specifically flags concentration risk where multiple critical services rely on a single vendor — this must be flagged in your risk register and escalated to the Board Risk Committee.
**5. Exit Strategy**
Document vendor exit plans ensuring business continuity per SAMA CSF Control 3.3.6, including data recovery, transition timelines, and service continuity assurance.
Practically, your GRC platform should automate vendor risk scoring, track assessment lifecycles, and generate Board-ready TPRM dashboards to demonstrate regulatory compliance during SAMA examinations.
Was this helpful?
Third-party risk management (TPRM) is a critical obligation under SAMA CSF Domain 4 (Third-Party Management), requiring Saudi financial institutions to implement a structured, lifecycle-based approach to vendor oversight.
**Key Requirements:**
1. **Vendor Classification & Due Diligence (SAMA CSF 4.1):** Classify vendors by criticality — Tier 1 (critical/core banking), Tier 2 (important), Tier 3 (standard). Conduct cybersecurity due diligence before onboarding, including reviewing SOC 2 Type II reports, ISO 27001 certifications, and penetration testing results.
2. **Contractual Controls (SAMA CSF 4.2):** Embed mandatory cybersecurity clauses covering data protection, incident notification (within 24–48 hours), right-to-audit, and compliance with SAMA CSF and PDPL obligations.
3. **Continuous Monitoring:** Perform annual security assessments for Tier 1 vendors and biennial reviews for Tier 2. Use automated threat intelligence feeds and vendor risk platforms to monitor ongoing risk posture.
4. **Concentration Risk:** SAMA also expects institutions to assess concentration risk — over-reliance on a single vendor (e.g., a sole cloud provider) must be documented with contingency plans.
5. **Offboarding Controls:** Ensure data deletion, access revocation, and exit procedures are formally managed upon vendor termination.
**Practical Tip:** Establish a Vendor Risk Committee with representation from IT, Legal, Procurement, and the CISO's office. Maintain a centralized vendor risk register updated quarterly. For fintechs relying heavily on SaaS providers, map each vendor's data access to PDPL Article 29 obligations to ensure cross-border data transfer compliance is addressed simultaneously.
Was this helpful?
Business Continuity Management (BCM) is a foundational requirement under SAMA CSF Domain 6 (Cyber Resilience) and strongly aligns with ISO 22301 (Business Continuity Management Systems). Saudi banks must treat BCM not as a checkbox exercise but as a living, tested program integrated with cybersecurity incident response.
**SAMA CSF BCM Requirements (Domain 6):**
1. **Business Impact Analysis (BIA):** Identify critical business processes, systems (especially core banking, payment infrastructure, and SWIFT), and establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). SAMA expects RTOs for Tier 1 systems to be less than 4 hours.
2. **BCM Policy & Governance:** The BCM program must be approved at Board level, with a designated BCM Owner (often the COO or CISO) and reviewed annually.
3. **Disaster Recovery Plans (DRP):** Technical recovery runbooks must exist for all critical systems, with documented failover procedures to geographically separated data centers (SAMA mandates primary and DR sites within the Kingdom).
4. **Crisis Communication Plans:** Define communication trees for internal staff, SAMA notifications, customer communications, and media handling during a major disruption.
**ISO 22301 Alignment:**
- Conduct a formal gap assessment against ISO 22301 clauses 6–10 to identify BCM maturity gaps.
- ISO 22301 Clause 8.5 specifically addresses testing requirements — tabletop exercises, functional drills, and full failover tests.
**Testing Cadence:**
- Tabletop exercises: Twice annually.
- Technical DR failover tests: Annually.
- Full-scale business continuity exercises: Every two years.
**Practical Tip:** Integrate BCM testing scenarios with cybersecurity incident response drills. A ransomware simulation that triggers the DR plan is far more valuable than isolated testing. Document all lessons learned and update plans within 30 days post-exercise. Ensure SAMA is notified per CSF reporting timelines if a real incident triggers BCM activation.
Was this helpful?
Business continuity and cyber resilience represent one of the most rigorously assessed domains for Saudi financial institutions, with obligations spanning both SAMA CSF and NCA ECC frameworks.
**SAMA CSF Requirements (Domain 3 — Cybersecurity Resilience):**
SAMA CSF Control 3.3 mandates that member organizations develop, maintain, and regularly test a Cyber Resilience Plan (CRP) that specifically addresses cyber-triggered disruptions — distinct from general IT disaster recovery. Key requirements include:
- **Recovery Time Objectives (RTO)**: Core banking systems must have RTOs defined and tested, typically ≤4 hours for Tier-1 institutions.
- **Recovery Point Objectives (RPO)**: Data recovery capabilities must be validated against defined RPOs with evidence of backup integrity testing.
- **Tabletop and Simulation Exercises**: At minimum annual cyber resilience exercises simulating ransomware, DDoS, or data breach scenarios involving senior leadership and the CISO.
- **Third-Party Dependencies**: BCP must document and test recovery procedures that account for critical vendor or cloud provider outages.
**NCA ECC Alignment (Article 2-13 — Business Continuity):**
NCA ECC extends these requirements to government-affiliated financial entities and critical national infrastructure, mandating:
- Formal BCM policy approved at executive level.
- Annual BIA (Business Impact Analysis) reviews with cybersecurity scenarios explicitly included.
- Integration of cybersecurity incident response timelines within BCP documentation.
**Practical Integration Steps:**
1. Map SAMA CSF CRP controls against ISO 22301 (Business Continuity Management) for international alignment.
2. Include cloud failover and data sovereignty provisions in BCP for institutions using hyperscaler environments.
3. Conduct joint exercises between cybersecurity and BCM teams — SAMA examiners look for this integration evidence.
Our vCISO consulting service helps institutions build, test, and document BCPs that satisfy both SAMA and NCA examiners.
Was this helpful?
Under SAMA CSF Domain 4 (Cybersecurity Resilience), Saudi banks must establish a robust Business Continuity Management program that addresses cyber-induced disruptions specifically — not just traditional operational risks.
**Core Requirements:**
- **Business Impact Analysis (BIA):** Identify critical systems, acceptable Recovery Time Objectives (RTO), and Recovery Point Objectives (RPO) per SAMA CSF Control 4.1. For core banking systems, SAMA typically expects RTOs under 4 hours.
- **BCM Policy & Plans:** Maintain documented Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) aligned with SAMA CSF Control 4.2, covering cyber incident scenarios such as ransomware, DDoS, and data destruction attacks.
- **Crisis Communication:** Define escalation paths, internal notification trees, and SAMA regulatory notification timelines (within 72 hours for major incidents per SAMA incident reporting guidelines).
**Testing Requirements:**
SAMA CSF mandates annual testing at minimum, but best practice for Tier-1 banks includes:
- **Tabletop exercises** (quarterly) simulating cyber breach scenarios
- **Functional drills** testing failover to DR sites
- **Full simulation tests** annually involving IT, operations, legal, and senior management
Test results must be documented, gaps tracked as findings, and remediation plans presented to the Board Risk Committee.
**NCA ECC Alignment:** NCA ECC Article 2-14 also requires BCM integration with cybersecurity controls, so dual-framework mapping is recommended.
Our platform provides pre-built BCM control templates mapped to both SAMA CSF and NCA ECC, with automated testing schedule reminders and gap tracking dashboards.
Was this helpful?
SAMA CSF Control 3.3.1 mandates that all financial institutions implement a formal cybersecurity awareness and training program covering all employees, contractors, and third parties with system access. The program must be risk-based, role-specific, and conducted at least annually — with additional targeted training for privileged users and IT/security staff.
To build a compliant and effective program, Saudi banks and fintechs should:
**1. Establish a Training Policy:** Document objectives, target audiences, frequency, and measurement criteria aligned with SAMA CSF and NCA ECC Section 2-7.
**2. Segment by Role:** General staff should receive phishing awareness, password hygiene, and data handling training. IT teams need technical modules covering secure development, access control, and incident reporting. Executives require risk governance and regulatory obligation briefings.
**3. Use Simulated Attacks:** Run quarterly phishing simulations to measure human risk. Track click rates and report-to-IT rates as KPIs.
**4. Integrate Regulatory Context:** Include PDPL obligations (e.g., data subject rights, breach notification duties) to ensure employees understand their personal liability under Saudi law.
**5. Maintain Records:** SAMA examiners expect evidence of completion rates, assessment scores, and remediation actions for failed participants. Maintain audit-ready logs for at least three years.
**6. Measure Effectiveness:** Conduct pre/post assessments and annual program reviews. Link training metrics to your cybersecurity risk register.
A mature awareness program not only satisfies SAMA CSF compliance but also directly reduces the likelihood of social engineering attacks — the leading initial access vector in Saudi financial sector breaches.
Was this helpful?
Security awareness training is a foundational requirement under SAMA CSF and is critical for reducing human-factor risks in Saudi financial institutions.
**SAMA CSF Requirements:** Under SAMA CSF Domain 3 (Cybersecurity Governance), Control 3.2.2 mandates that all employees, contractors, and third-party users with access to organizational systems must complete role-based cybersecurity awareness training. The training program must be:
- Conducted at least annually for all staff
- Delivered upon onboarding for new employees
- Tailored to specific roles (e.g., privileged users, executives, IT staff)
- Documented with completion records maintained for audit purposes
**Designing an Effective Program:**
1. **Role-Based Curriculum:** Develop separate training tracks for general staff (phishing awareness, password hygiene, social engineering), IT and security teams (secure coding, incident handling), and executives (cyber risk governance, regulatory obligations under SAMA and NCA)
2. **Phishing Simulations:** Run quarterly simulated phishing campaigns and use click-rate data to measure human risk exposure. Link simulation results to targeted micro-training
3. **Regulatory Content Integration:** Include modules specifically covering PDPL obligations, SAMA CSF responsibilities, and reporting duties under NCA ECC Art. 3-3 to build compliance literacy
4. **Metrics and Reporting:** Track completion rates, simulation performance, and knowledge assessment scores. Report quarterly to the CISO and Board Risk Committee as part of your GRC dashboard
5. **Continuous Reinforcement:** Supplement annual training with monthly security newsletters, awareness posters in Arabic, and real-time alerts following emerging threats relevant to the Saudi financial sector
An underdeveloped awareness program is consistently flagged during SAMA CSF assessments. Institutions scoring Maturity Level 1 or 2 in this domain face increased scrutiny and remediation requirements.
Was this helpful?
Security Awareness Training (SAT) is a mandatory control under both SAMA CSF (Domain 3.6 — Cybersecurity Awareness and Training) and NCA ECC (Control 2-6), and regulators increasingly scrutinize program maturity during assessments. A compliant and effective program should include the following elements:
**Role-Based Training Curricula:** Generic training is insufficient. Develop tailored content for executive leadership, IT and security staff, privileged users, and general employees. SAMA CSF 3.6.2 specifically requires role-specific awareness programs.
**Mandatory Induction and Annual Refresh:** All staff — including contractors and third parties with system access — must complete onboarding security training and annual refreshers. Track completion rates as a KPI for regulatory evidence.
**Phishing Simulation Exercises:** Conduct regular simulated phishing campaigns (at minimum quarterly) to measure real-world susceptibility. Results must be documented and used to refine training content. NCA ECC Control 2-6-3 references awareness exercises as a required activity.
**Specialized Training for Security Teams:** Your SOC analysts, incident responders, and CISO staff require advanced training covering threat intelligence, forensics, and framework-specific knowledge (SAMA CSF, NCA ECC). Align certifications like CISSP, CISM, or CEH to role requirements.
**Metrics and Reporting:** Report SAT metrics — completion rates, phishing click-through rates, and training effectiveness scores — to senior management and the board at least annually, as required under SAMA CSF 3.6.1.
**Localization:** Deliver content in Arabic to ensure comprehension and cultural relevance across your Saudi workforce. An Arabic-first approach significantly improves engagement and retention.
Was this helpful?
Business Continuity Management (BCM) is a mandatory compliance domain under SAMA CSF Control Domain 6, requiring Saudi banks to maintain resilient operations even during major cyber incidents or operational disruptions. Achieving maturity in this domain requires both a well-structured program and a rigorous testing cadence.
**Program Design Requirements (per SAMA CSF 6.1–6.4):**
- Conduct a formal Business Impact Analysis (BIA) to identify critical business functions and their Maximum Tolerable Downtime (MTD).
- Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical system — SAMA typically expects RTOs of 4 hours or less for core banking functions.
- Establish a documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that cover cyber incident scenarios, not just natural disasters.
- Ensure BCM governance is owned at the board and senior management level, with a designated BCM Officer.
**Testing Requirements:**
- SAMA CSF requires BCM tests at least annually, with results documented and reviewed by senior management.
- Testing types should progress from tabletop exercises to full simulation drills that include IT failover, data recovery validation, and communication tree activation.
- Penetration testing findings should feed directly into BCM scenario updates.
- Align BCM testing schedules with NCA ECC Article 3-7 resilience controls for government-regulated entities.
**Practical Guidance:**
- Maintain an always-current contact directory and escalation matrix.
- Test backup restoration — not just backup creation — at least quarterly.
- Ensure cloud-based recovery environments are validated against the same RTO/RPO commitments as on-premise systems.
- Document lessons learned after every test and track remediation actions to closure.
Was this helpful?
Business Continuity Management (BCM) is a critical obligation for Saudi financial institutions under SAMA CSF Domain 4 (Cyber Resilience) and specifically Control 4.3, which mandates that banks establish, test, and maintain robust BCM and Disaster Recovery (DR) programs aligned with cybersecurity risks.
Key requirements include:
**1. Business Impact Analysis (BIA):** Identify critical business processes, systems, and assets. Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each. Per SAMA CSF Control 4.3.2, RTOs must reflect the criticality of financial services.
**2. BCM Policy and Plan:** Develop a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) approved by senior management and the Board. Plans must cover cybersecurity incident scenarios, including ransomware and data breaches.
**3. Testing and Exercises:** SAMA CSF Control 4.3.5 requires regular BCM testing — at minimum annually — including tabletop exercises, simulation drills, and full failover tests. Results must be documented and gaps remediated.
**4. Third-Party and Cloud Dependencies:** BCM plans must address continuity risks from critical third-party providers and cloud platforms, ensuring contractual SLA alignment.
**5. Regulatory Reporting:** Any activation of the BCP due to a cyber incident must be communicated to SAMA within defined timelines per the Cyber Incident Reporting Framework.
**Practical Tip:** Integrate your BCM program with your ISO 22301 certification roadmap to demonstrate dual compliance. Use tabletop scenarios specific to Saudi banking threats — such as payment system outages and core banking disruptions — to make exercises realistic and regulatorily defensible.
Was this helpful?
SAMA CSF dedicates Domain 4 (Cyber Resilience) to Business Continuity Management, making it a mandatory capability for all regulated banks and financial institutions. A compliant BCM program must cover the following pillars: (1) **Business Impact Analysis (BIA)** — identify critical business functions, recovery time objectives (RTO), and recovery point objectives (RPO) per SAMA CSF Control 4.1. Critical banking systems (core banking, payment rails, internet banking) typically require RTOs under 4 hours. (2) **BCM Policy and Plan Development** — document Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) addressing cybersecurity-specific scenarios including ransomware, DDoS, and data center failure. Plans must integrate with the institution's Incident Response Plan per SAMA CSF Control 3.5. (3) **Testing and Validation** — SAMA CSF Control 4.3 mandates that BCM plans be tested at least annually. Testing types should progress from tabletop exercises and walkthrough drills to full simulation exercises involving IT, operations, and executive leadership. Results must be documented, gaps remediated, and plans updated accordingly. (4) **Third-Party and Outsourcing Continuity** — BCM must extend to critical service providers, ensuring their RTOs align with the bank's requirements. (5) **Regulatory Reporting** — significant disruptions must be reported to SAMA in accordance with the Cyber Incident Reporting Framework. Aligning BCM with ISO 22301 (Business Continuity Management Systems) provides an internationally recognized structure that satisfies SAMA's expectations and prepares institutions for regulatory examination. Annual SAMA inspections frequently assess BCM maturity using a 1–4 capability scale.
Was this helpful?
SAMA CSF Domain 4 — Resilience — mandates that member organizations establish, implement, and continuously improve a Business Continuity Management (BCM) program that directly integrates cybersecurity resilience. Here is how Saudi banks should approach this: (1) BIA and Risk Assessment — conduct a Business Impact Analysis (BIA) per SAMA CSF Control 4.1 to identify critical business processes, acceptable downtime (RTO), and data loss tolerances (RPO). Cybersecurity-driven scenarios — ransomware, DDoS, and insider sabotage — must be explicitly included. (2) BCP and DRP Documentation — develop Business Continuity Plans and Disaster Recovery Plans that are reviewed and updated at least annually or after significant changes, per SAMA CSF Control 4.3. (3) Cyber Incident Integration — BCM plans must be tightly linked to your Cyber Incident Response Plan (CIRP). SAMA expects that a cyber event triggering BCM activation follows defined escalation and communication protocols reaching executive and board level. (4) Testing Regime — SAMA CSF requires regular testing: tabletop exercises at minimum annually, and full simulation or failover tests at least every two years. Test results must be documented and remediation actions tracked to closure. (5) Third-Party Dependencies — BCM must account for critical vendor and infrastructure dependencies, particularly for payment processing, core banking, and cloud services. (6) Regulatory Reporting — SAMA expects BCM test summaries and any major incidents affecting continuity to be reportable. Practically, CISOs should ensure BCM ownership sits with a cross-functional team including IT, operations, legal, and communications, with CISO oversight on the cyber resilience components. Align BCM documentation with ISO 22301 to satisfy both SAMA expectations and international best practice simultaneously.
Was this helpful?
Business Continuity Management (BCM) for Saudi financial institutions is governed by multiple overlapping frameworks. SAMA CSF Subdomain 3.3 mandates a comprehensive BCM program, while NCA ECC Article 2-13 sets specific resilience requirements for critical national infrastructure entities — which includes major banks and payment processors.
**Step 1 — Business Impact Analysis (BIA):** Identify and prioritize critical business functions, systems, and interdependencies. Per SAMA CSF Control 3.3.1, institutions must define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for each critical process. Typical SAMA expectations for core banking systems are RTOs under 4 hours and RPOs under 1 hour.
**Step 2 — Risk Assessment:** Conduct a threat-based risk assessment covering cyber incidents, natural disasters, third-party failures, and pandemic scenarios. Link this to your existing SAMA CSF Risk Management framework (Subdomain 2.1).
**Step 3 — Plan Development:** Develop four interconnected plans: Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), Crisis Communication Plan, and IT Incident Response Plan. NCA ECC requires these plans to address cyberattack scenarios specifically, not just physical disruptions.
**Step 4 — Testing & Exercises:** SAMA CSF Control 3.3.5 requires at minimum an annual full simulation exercise and quarterly tabletop exercises for critical systems. Results must be documented and remediation tracked.
**Step 5 — Continuous Improvement:** BCM plans must be reviewed after any significant incident, major system change, or annually. Appoint a dedicated BCM Owner and establish a Steering Committee with executive representation.
Also ensure alignment with SAMA's dedicated BCM circular (issued 2022) which introduced stricter testing documentation requirements for Tier-1 banks.
Was this helpful?
Under SAMA CSF Domain 4 (Resilience), Saudi banks must establish a comprehensive Business Continuity Management (BCM) program that addresses both operational resilience and cyber-specific recovery scenarios. Key requirements include:
**Per SAMA CSF Control 4.1 – Business Continuity Planning:**
- Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems, with SAMA typically expecting RTOs of 4 hours or less for core banking functions.
- Conduct Business Impact Analyses (BIA) annually or whenever significant changes occur to identify critical processes, dependencies, and acceptable downtime thresholds.
**Per SAMA CSF Control 4.2 – Disaster Recovery:**
- Maintain a tested, documented Disaster Recovery Plan (DRP) that is separate from but aligned with the BCP.
- DR environments must be geographically separated — SAMA recommends a minimum of 50km between primary and secondary data centers for systemically important banks.
- Full DR tests must be conducted at least annually, with results documented and gaps remediated within defined timelines.
**Cyber-Specific BCM Additions:**
- BCM plans must now explicitly address ransomware scenarios, including offline backups tested for integrity quarterly.
- Incident Response Plans (IRP) must be integrated into BCM workflows so cyber events trigger appropriate BCP activation.
**Practical Guidance:**
Most Saudi banks fall short by treating BCM as an IT exercise rather than an enterprise-wide program. Involve business unit owners in BIA workshops, ensure executive sign-off on RPO/RTO commitments, and coordinate BCP drills with SAMA's supervisory expectations. Align your BCM documentation with ISO 22301 standards to demonstrate maturity during SAMA examinations.
Was this helpful?
Building a cyber incident response plan (IRP) for a Saudi financial institution requires aligning with SAMA CSF Control Domain 3.4 (Cyber Incident Management) and NCA's Cybersecurity Event Management guidelines. Both frameworks demand a formally documented, tested, and board-approved IRP that covers the full incident lifecycle.
Your IRP must define six core phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Critically, it must include escalation thresholds and regulatory notification timelines. Under SAMA CSF Control 3.4.4, significant cybersecurity incidents must be reported to SAMA within 72 hours of detection, with an initial notification followed by detailed incident reports and a final root cause analysis.
NCA's CSCC (National Cybersecurity Operations Center) additionally requires reporting of incidents affecting critical information infrastructure (CII), with immediate notification for Severity 1 events. Your plan must define what constitutes a reportable event per NCA classification criteria, including unauthorized access, ransomware, data breaches, DDoS attacks, and system compromise.
Practically, the IRP should include: a designated Incident Response Team (IRT) with clearly assigned roles; pre-approved communication templates for regulators, customers, and media; integration with your SIEM/SOAR tools for automated alert triage; evidence preservation procedures aligned with forensic best practices; and a mandatory post-incident review process.
Regulatory examiners from both SAMA and NCA will assess whether your IRP is not just documented but operationally exercised — tabletop exercises and full simulation drills must occur at least annually. Our platform provides IRP templates pre-mapped to SAMA CSF and NCA requirements, automated notification workflows, and drill scheduling tools to keep your team audit-ready.
Was this helpful?
Business Continuity Management (BCM) is a critical compliance domain for Saudi financial institutions. SAMA CSF Control Domain 3.5 (Cybersecurity Resilience) and NCA ECC Control 2-18 jointly define the minimum expectations for BCM programs.
**SAMA CSF Key Requirements (Domain 3.5):**
- Develop and maintain a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) covering cyber-incident scenarios
- Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for all critical systems, with SAMA expecting RTOs of 4 hours or less for Tier-1 banking services
- Conduct BCP/DRP testing at least annually, including tabletop exercises and full failover simulations
- Integrate cybersecurity incident response into BCM frameworks
**NCA ECC Control 2-18 Requirements:**
- Classify systems by criticality and ensure BCM plans align with national critical infrastructure protection goals
- Maintain geographically separated disaster recovery sites within the Kingdom
- Document and test backup and restoration procedures, ensuring data integrity post-recovery
**Practical Implementation Steps:**
1. Conduct a Business Impact Analysis (BIA) to identify critical processes and maximum tolerable downtime
2. Map IT dependencies for each critical business process
3. Establish a Crisis Management Team with defined roles and escalation paths
4. Integrate BCM testing results into SAMA's annual cybersecurity maturity assessment
5. Ensure BCM documentation is reviewed and approved by the Board at least annually
Institutions that treat BCM as a standalone IT exercise — rather than an enterprise-wide governance function — consistently underperform in SAMA maturity evaluations.
Was this helpful?
No matching questions found.
Didn't find what you're looking for?
✉️ Contact Us