
Implementing the SAMA Cybersecurity Framework for Banks

Implementing the Saudi Arabian Monetary Authority (SAMA) cybersecurity framework in a bank is not an academic exercise. It is a concrete program with clear procedures, defined timelines, and audit points. SAMA, now operating as the Saudi Central Bank, has set stricter standards for financial institutions. If you manage security, risk, or IT in a bank, this framework will change your daily work: policy, monitoring, incident response. This article explains what the framework is, why it matters for banks, and above all what needs to be done. I wrote it based on my years of working directly with banks and external auditors in the Gulf countries. Expect concrete steps, practical tools such as Splunk, Tenable, and CrowdStrike, and a short checklist you can start on in the next 30 days. There is no theory in this article, only clear actions that reduce exposure and help you pass the SAMA assessment.

What is SAMA's cybersecurity framework?

The Saudi Arabian Monetary Authority's cybersecurity framework defines mandatory regulations and obligations for banks operating under the supervision of the Saudi Central Bank. It covers governance, risk management, technical controls, and incident response, each with specific timelines. Think of it as a set of rules that links policy to evidence and testing. For each control, documentation, monitoring, and regular testing are required. Many banks find that it demands more documentation than previous requirements, but this has a purpose: auditors prefer continuous monitoring to spot checks.

The framework organizes requirements into the categories of governance and strategy, asset and change management, access control, data protection, threat detection, and incident response. While it references standards such as ISO 27001 and NIST, it adds controls specific to banks, for example stricter third-party management and mandatory penetration testing cycles. It also defines minimum requirements for log retention and detection coverage. At a bank I worked at, we extended the log retention period from 90 days to 365 days to meet SAMA's testing requirements and added role-based access reviews every three months.

Core components and practical tools

Governance begins with board-approved policies and the appointment of a chief information security officer (CISO). For detection, the central bank expects centralized logging and active threat hunting. Tools commonly used here are Splunk, Elastic, and Azure Sentinel for security information and event management (SIEM), and CrowdStrike or Cortex XDR for endpoint detection. Tenable, Qualys, or Nessus are frequently used for vulnerability management. For identity control, banks generally use Azure AD conditional access and multi-factor authentication for privileged users.

Practical steps you can start with: map your critical assets, scan them comprehensively for vulnerabilities with Tenable, collect logs in Splunk or Elastic, and run tabletop exercises. Measure progress weekly, not monthly. The SAMA assessment requires evidence, so keep tickets, reports, and screenshots. If you cannot show them, the auditor will treat the control as not implemented.

Why SAMA's cybersecurity framework is important

Compliance with the cybersecurity framework of the Saudi Central Bank (SAMA) matters because regulators do not accept partial answers and expect verified controls. The risks a bank faces are financial losses, reputational damage, and regulatory sanctions. Statistically, financial services are targeted at a higher rate: according to sector reports, 40-60% of unauthorized access attempts target banks and payment systems. SAMA's requirements push banks to demonstrate that they are closing these weaknesses and operating controls continuously.

Sanctions aside, the framework improves outcomes in practice. A bank with documented and centrally managed procedures cut recovery time by weeks during a real attack. A regional bank that brought in consultants lowered its mean time to detect from 72 hours to under 6 hours with a combination of Azure Sentinel, custom detection rules, and a dedicated Security Operations Center analyst. That reduction matters when operations and customer security are at stake.

Benefits, implementation stages, and quick wins

The benefits are practical: fewer outages, faster incident response, and clearer third-party requirements. To implement the framework, first run a gap analysis against your asset inventory. Then set remediation priorities that reduce overall risk: system patching, multi-factor authentication for all remote access, a web application firewall. Run regular penetration tests and automate vulnerability scanning. Finally, document the evidence and set an appropriate review schedule for the assets.

Quick wins achievable within 30 days: implement multi-factor authentication for remote access, enable centralized logging with 90-day retention, and run one comprehensive vulnerability scan with Nessus or Qualys. Within the next 90 days: fix the top 10 most critical vulnerabilities and run a tabletop incident response exercise with management.

"Banks that accepted the Saudi Monetary Authority's requirements as proof of operational control rather than a checklist experienced a marked reduction in both the number of incidents and the time to recovery. Focus on detection and evidence. That is what the auditor processes." - Ahmad Al-Fars, former Director of Information Security at a regional bank

Area | SAMA Focus | NIST CSF | ISO 27001
--- | --- | --- | ---
Governance | Board approval, clearly defined CISO duties, documented key performance indicators | Policy and governance guidance | ISMS requirements following the PDCA (Plan-Do-Check-Act) cycle
Detection | Central SIEM, log retention window, security operations center requirements | Detect function with analytics | Monitoring controls
Third-Party | Mandatory due diligence, contract-based service level agreements, regular review | Supply chain risk guidance | Supplier access restrictions
Testing | Regular penetration tests and red team exercises | Recommended assessments and tests | Internal audit and testing
Evidence | Audit records, runbooks, tickets | Framework profile | Documented records

How to Get Started

Start small and start practically. Almost every bank that moves from policy to implementation starts within a limited scope, such as a single business line, a critical application, or a high-value customer database. This lets you test controls, measure results, and refine processes before scaling up. SAMA's cybersecurity framework sets expectations for governance, asset management, risk assessment, and incident response. Treat it as a continuously updated checklist rather than a one-time audit.

Start with specific steps:

  1. Asset inventory - Use tools such as Tenable, Qualys, and Rapid7 to scan and classify servers, endpoints, cloud workloads, and network devices. Aim to produce a baseline inventory within 30 days.
  2. Risk assessment - Conduct a centralized risk assessment using the STRIDE or FAIR method. Map threats to their business impact and assign owners. Prioritize remediation by exposure and business criticality.
  3. SAMA gap analysis - Compare existing controls with the framework's requirements. Document gaps and quick wins. Common gaps include log coverage, multi-factor authentication rollout, and third-party oversight.
  4. Roll out core controls - Implement multi-factor authentication (Okta, Duo), endpoint protection (CrowdStrike, Microsoft Defender), and a security information and event management (SIEM) system (Splunk, Elastic SIEM) for centralized logging and alerting.
  5. Prepare the incident response plan - Write playbooks, define escalation procedures, and schedule a drill every 6 months. Use SOAR tools such as Palo Alto Cortex XSOAR to automate recurring playbook steps.

Measure progress with simple performance indicators: the proportion of critical assets inventoried, mean time to detect (MTTD), mean time to respond (MTTR), and the proportion of critical vulnerabilities remediated within the service level agreement (SLA). According to IBM's 2023 Cost of a Data Breach Report, the average time to identify and contain a breach is 277 days, and financial services is among the sectors with the highest average breach cost. That is why tracking detection and response matters.
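As an added example (not from the article), the four indicators above computed in Python from constructed incident and vulnerability records; the SLA tiers, field names and asset names are assumptions for illustration, and the open-but-overdue handling shows how unresolved findings should count against the SLA figure.

```python
from datetime import datetime, timedelta
from statistics import mean

# Assumed remediation SLA per severity in days (illustrative; not values SAMA mandates).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def mean_hours(records, start, end):
    """Mean hours between two timestamps, e.g. MTTD = occurred->detected and
    MTTR = detected->resolved; records missing either timestamp are skipped."""
    d = [(parse(r[end]) - parse(r[start])).total_seconds() / 3600
         for r in records if r.get(start) and r.get(end)]
    return round(mean(d), 2) if d else None

def inventory_coverage(critical_assets, inventoried):
    """Share of assets tagged critical that the scanner inventory actually contains."""
    return round(len(set(critical_assets) & set(inventoried)) / len(critical_assets), 3)

def sla_compliance(vulns, severity, today):
    """Share of findings of one severity fixed within SLA. Open findings past the SLA
    count as misses; open findings still inside the SLA are not scored yet."""
    sla, met, missed = timedelta(days=SLA_DAYS[severity]), 0, 0
    for v in (v for v in vulns if v["severity"] == severity):
        found = parse(v["found"])
        if v.get("fixed"):
            if parse(v["fixed"]) - found <= sla: met += 1
            else: missed += 1
        elif today - found > sla:
            missed += 1  # open and overdue
    return round(met / (met + missed), 3) if met + missed else None

# Constructed sample records for the demo; not real incidents, findings or hosts.
INCIDENTS = [
    {"occurred": "2024-03-01 02:00", "detected": "2024-03-02 02:00", "resolved": "2024-03-02 08:00"},
    {"occurred": "2024-03-10 09:00", "detected": "2024-03-10 11:00", "resolved": "2024-03-10 15:00"},
    {"occurred": "2024-03-20 00:00", "detected": "2024-03-20 04:00"},  # still open
]
VULNS = [
    {"severity": "critical", "found": "2024-03-01 00:00", "fixed": "2024-03-05 00:00"},  # 4 days: met
    {"severity": "critical", "found": "2024-03-01 00:00", "fixed": "2024-03-12 00:00"},  # 11 days: missed
    {"severity": "critical", "found": "2024-03-10 00:00"},  # open, 21 days: missed
    {"severity": "critical", "found": "2024-03-28 00:00"},  # open, 3 days: not scored yet
    {"severity": "high", "found": "2024-03-01 00:00", "fixed": "2024-03-20 00:00"},  # 19 days: met
]
CRITICAL = ["core-banking-db", "swift-gateway", "ib-portal", "hsm-01"]
INVENTORIED = ["core-banking-db", "ib-portal", "hsm-01", "wks-0421"]
TODAY = parse("2024-03-31 00:00")
```

On the sample data this yields an MTTD of 10 hours, an MTTR of 5 hours, 75% inventory coverage and a critical-severity SLA compliance of one in three, because the overdue open finding counts as a miss.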

Finally, set a realistic roadmap: 3 months to reach the baseline, 6 months to strengthen controls, and 12 months to integrate third-party risk and automated monitoring. Appoint a program lead, secure funding for tools and training, and hold quarterly reviews with the board of directors. With these steps you move toward repeatable security operations that meet the Saudi Central Bank's (SAMA's) expectations in compliance audits.

Frequently Asked Questions

What is SAMA's cybersecurity framework?

SAMA's cybersecurity framework is the set of rules and expectations the Saudi Central Bank sets for banks and financial institutions operating in Saudi Arabia. Its requirements cover governance, risk management, asset identification, access control, monitoring, and incident response. The framework expects documented policies, technical controls such as multi-factor authentication and security information and event management (SIEM), vendor audits, and regular testing. Banks assess their current state against the framework, prioritize gaps, and report progress to SAMA as part of regulatory compliance.

Conclusion

Implementing SAMA's cybersecurity framework means concrete planning, visible measurement, and continuous execution. After inventorying assets and performing a gap analysis, apply the core controls immediately: multi-factor authentication (MFA), endpoint detection and response (EDR), and security information and event management (SIEM). Track mean time to detect (MTTD) and mean time to respond (MTTR), automate playbooks where possible, and test the plan with regular drills. Pilot one business area, learn quickly, and expand the scope. With a clear owner, measurable KPIs, and the right tools, a bank can meet SAMA's expectations while improving real-world security.