In a significant regulatory development aligned with Vision 2030's digital transformation objectives, the Saudi Central Bank (SAMA) has released updated third-party risk management requirements that will fundamentally reshape how banks, insurance companies, and fintech firms manage their external vendor relationships and cloud service providers.

Key Regulatory Requirements

The new SAMA directive, effective June 30, 2025, introduces stringent requirements for financial institutions operating in the Kingdom. Organizations must now conduct comprehensive cybersecurity assessments of all third-party vendors handling sensitive financial data or providing critical services. This includes cloud service providers, payment processors, core banking system vendors, and fintech partners. The framework mandates continuous monitoring of vendor security posture, quarterly risk assessments, and immediate incident reporting protocols.

Financial institutions are required to maintain a centralized Third-Party Risk Register that documents all vendor relationships, their risk classifications, security assessment results, and remediation timelines. SAMA has specified that vendors handling customer data or providing critical infrastructure services must undergo annual penetration testing and security audits by SAMA-approved firms. The regulation also introduces mandatory contractual clauses requiring vendors to comply with SAMA Cybersecurity Framework controls and grant audit rights to financial institutions.

"This regulatory update reflects SAMA's proactive stance on addressing the evolving threat landscape. Third-party breaches have become the primary attack vector globally, and Saudi financial institutions must ensure their entire ecosystem meets the highest security standards," noted a senior SAMA cybersecurity official during the regulatory briefing.

Impact on Saudi Organizations

The directive will significantly impact Saudi Arabia's 24 licensed banks, 34 insurance companies, and over 80 licensed fintech firms. Major institutions like Saudi National Bank, Al Rajhi Bank, and SABB will need to reassess hundreds of vendor relationships and potentially terminate contracts with providers unable to meet the new security standards. The insurance sector, which heavily relies on third-party claims processors and actuarial service providers, faces particular challenges in achieving compliance within the six-month timeline.

Cloud service adoption, which has accelerated among Saudi financial institutions with 67% now using public cloud services according to recent industry surveys, will require enhanced due diligence. Organizations must ensure their cloud providers maintain data residency within Saudi Arabia or approved jurisdictions, implement encryption for data at rest and in transit, and provide detailed security audit reports. The fintech sector, particularly digital payment providers and lending platforms, must urgently review their technology stack dependencies and API integrations with third-party services.

Relevant Frameworks: SAMA CSF, NCA ECC, ISO 27001, NIST CSF, PDPL

Recommendations for Compliance

  • Immediately establish a Third-Party Risk Management Office with dedicated resources and executive sponsorship to oversee the compliance program and vendor assessment process
  • Conduct a comprehensive inventory of all third-party relationships by February 2025, categorizing vendors by risk level based on data access, service criticality, and geographic location
  • Develop standardized vendor security questionnaires aligned with SAMA CSF domains and implement a vendor onboarding process that includes security assessments before contract execution
  • Engage with critical vendors immediately to communicate new requirements and assess their readiness to meet SAMA standards, allowing time for remediation or vendor replacement if necessary
  • Implement continuous monitoring solutions that provide real-time visibility into vendor security posture, including threat intelligence feeds and security rating services
  • Update all vendor contracts to include SAMA-compliant security clauses, audit rights, incident notification requirements, and termination provisions for non-compliance