Status: In Force

SAMA Cybersecurity Framework

Also known as: SAMA CSF (Saudi Arabia)

The Saudi Arabian Monetary Authority's cybersecurity framework for financial institutions. Based on international standards including NIST CSF and ISO 27001, it mandates cybersecurity governance, risk management, security controls, and incident response for banks, insurance companies, and financial market institutions.

Jurisdiction
Saudi Arabia
Regulator
Effective
5/1/2017
Sector
Banking, Insurance, Financial market institutions, Payment services

Full Text / Summary

The Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework, first issued in 2017 and updated in 2021, establishes cybersecurity requirements for all financial institutions regulated by SAMA, including banks, insurance companies, and finance companies. The Framework is structured around four domains: cybersecurity leadership and governance; cybersecurity risk management and compliance; cybersecurity operations and technology; and third-party cybersecurity.

The Framework requires financial institutions to achieve maturity levels across 140 cybersecurity controls, with minimum maturity levels specified according to the institution's risk profile. Key requirements include board-level cybersecurity oversight; appointment of a CISO; annual cybersecurity risk assessments; a security operations center; vulnerability management; incident response; and business continuity.

The Framework mandates reporting of cybersecurity incidents to SAMA within 72 hours. SAMA conducts regular cybersecurity assessments of regulated institutions and can impose sanctions for non-compliance. The Framework is aligned with international standards including NIST CSF, ISO 27001, and PCI DSS.