Regulatory Update

How SAMA CSF Shapes Cybersecurity in Saudi Banking

The Saudi Arabian Monetary Authority Cyber Security Framework defines mandatory cybersecurity standards for every bank, insurer, and financial institution in the Kingdom. Here's what it requires and how to comply.

Sentinel Unity GRC Team · 5 February 2025 · 7 min read
Tags: SAMA CSF, Banking, Financial Services, Saudi Arabia

What is SAMA CSF?

The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF) is a mandatory cybersecurity standard for all financial institutions regulated by SAMA — including banks, insurance companies, finance companies, exchange companies, and credit bureaus operating in Saudi Arabia.

Issued by SAMA in 2017 and updated periodically since, the framework establishes minimum cybersecurity requirements that every regulated entity must meet. Unlike many international frameworks that are voluntary or certification-based, SAMA CSF compliance is assessed directly by SAMA during regulatory examinations — making it a hard compliance obligation with real consequences for non-compliance.

Understanding the framework's structure and expectations is essential for every CISO and compliance leader in the Saudi financial sector.


The Architecture of SAMA CSF

SAMA CSF is organized around a capability maturity model structure, covering five core cybersecurity domains. Each domain contains sub-domains and controls that financial institutions must assess and evidence.

1. Cyber Security Leadership and Governance

This domain establishes that cybersecurity is a board-level concern, not just an IT function. SAMA expects financial institutions to demonstrate:

  • An approved cybersecurity strategy aligned to business objectives
  • A designated Chief Information Security Officer (CISO) reporting to senior management
  • A cybersecurity committee with board or executive committee representation
  • An annual cybersecurity risk assessment integrated into enterprise risk management
  • A cybersecurity policy framework covering all key domains

The governance domain is assessed first — without a credible governance structure, the rest of the framework is difficult to sustain in practice.

2. Cyber Security Risk Management and Compliance

This domain requires financial institutions to implement a structured cybersecurity risk management program. Key requirements include:

  • A formal risk identification, assessment, and treatment process for cyber risks
  • Integration of cyber risk into the institution's overall risk management framework
  • Compliance management processes to track obligations across SAMA CSF and other applicable regulations
  • Third-party cyber security requirements — arguably the most operationally demanding sub-domain

3. Cyber Security Operations and Technology

The largest technical domain, covering the day-to-day controls that protect the institution's systems, data, and customers:

  • Identity and access management, including multi-factor authentication for privileged access
  • Network security architecture — segmentation, perimeter controls, and secure connectivity
  • Endpoint protection and device management
  • Application security — including security requirements for internet-facing banking applications
  • Data protection and encryption controls
  • Vulnerability management and penetration testing programs
  • Security monitoring, logging, and Security Operations Center (SOC) capabilities
  • Cloud security controls for cloud-hosted services

4. Third-Party Cyber Security

Financial institutions are only as secure as their vendor ecosystem. SAMA CSF dedicates significant attention to third-party risk:

  • Vendor classification and tiering by cyber risk level
  • Pre-engagement security due diligence
  • Contractual security requirements (audit rights, incident notification, data handling)
  • Ongoing periodic assessment of critical vendor security posture
  • Concentration risk management — particularly for cloud providers and critical technology vendors

5. Cyber Security Resilience

This domain covers the institution's ability to detect, respond to, and recover from cyber incidents:

  • Cyber incident detection and response capabilities
  • Business continuity and disaster recovery plans for cyber scenarios
  • Regular testing — tabletop exercises, recovery tests, business continuity drills
  • SAMA incident notification obligations — strict timelines for reporting significant cyber incidents
  • Post-incident review and lessons learned processes

The SAMA CSF Maturity Model

Like NCA ECC, SAMA CSF uses a maturity-based assessment model with five levels:

| Level | Description |
|-------|-------------|
| 1 — Initial | Ad-hoc, no formal processes |
| 2 — Developing | Some processes exist; inconsistently applied |
| 3 — Defined | Standardized, documented, consistently applied |
| 4 — Managed | Measured, monitored with metrics |
| 5 — Optimizing | Continuous improvement; proactive management |

SAMA generally expects financial institutions to demonstrate Level 3 (Defined) compliance as a baseline, with expectations for Level 4 in high-criticality areas such as incident response and data protection.

During regulatory examinations, SAMA assessors look for evidence of consistent execution — not just documented policies. Institutions that have policies but cannot evidence their application routinely receive Level 2 scores.


What SAMA Examinations Look Like

SAMA conducts periodic cybersecurity examinations of regulated institutions. The examination process typically involves:

  1. Pre-examination questionnaire — Self-assessment submission covering all SAMA CSF domains
  2. Document review — Policies, procedures, risk assessments, audit reports, and evidence packages
  3. Interviews — With CISO, IT leadership, internal audit, and business line stakeholders
  4. Technical verification — Review of system configurations, access controls, vulnerability management reports
  5. Findings and remediation — SAMA issues findings with required remediation timelines; follow-up examinations check progress

Institutions with weak evidence management — relying on spreadsheets and email to track compliance — consistently struggle with examination preparation, particularly in producing organized, consistent evidence packages across all domains.


Common SAMA CSF Compliance Gaps

Financial institutions repeatedly receive examination findings in the following areas:

Governance documentation not kept current
Policies and strategies exist but are not reviewed and updated annually as required. Board approval records are missing or cannot be produced.

Third-party vendor inventories incomplete
Institutions cannot produce a complete inventory of all vendors with access to systems or data — a prerequisite for the third-party risk domain.

Missing due diligence for legacy vendors
Vendors onboarded before formal TPRM programs were established have not been retrospectively assessed. SAMA expects all vendors to be assessed, regardless of when they were onboarded.

Vulnerability management evidence gaps
Scan reports exist, but evidence of remediation within required SLAs is difficult to produce. This is particularly challenging for legacy systems with known vulnerabilities.

Incident response testing records
Incident response plans are documented, but testing records — exercise minutes, scenario outcomes, lessons learned — are missing or informal.

SOC coverage gaps
Security monitoring coverage is incomplete — particularly for cloud environments, remote access infrastructure, or recently acquired business units.


Why SAMA CSF Matters Beyond Compliance

SAMA CSF is not just a regulatory box to check. The framework represents a comprehensive, operationally realistic set of cybersecurity controls that — if genuinely implemented — significantly reduces an institution's exposure to cyber incidents.

Saudi financial institutions are high-value targets for cybercriminals, state-sponsored actors, and fraud networks. The SAMA CSF requirements for identity management, privileged access control, vulnerability management, and incident response directly address the most common attack vectors used against financial sector organizations globally.

Institutions that treat SAMA CSF as a genuine operational framework — not just a compliance exercise — build cybersecurity capability that delivers real protection, not just regulatory pass marks.


How a GRC Platform Supports SAMA CSF Compliance

Managing SAMA CSF compliance across multiple domains, with evidence requirements per control and annual examination cycles, is operationally demanding without a systematic platform.

Sentinel Unity supports SAMA CSF compliance with:

  • Pre-built SAMA CSF assessment templates mapped to all domains and sub-domains
  • Third-party risk management module — vendor registry, tiering, due diligence requests, contract tracking, and periodic assessment scheduling
  • Evidence management — attach documents to individual control assessments; maintain organized evidence packages ready for examination
  • Gap analysis reporting — automatically generated reports showing maturity levels, identified gaps, and remediation progress
  • Cross-mapping to NCA ECC and ISO 27001 — organizations regulated under both SAMA and NCA ECC can map controls once and evidence across both frameworks

Conclusion

SAMA CSF defines the cybersecurity baseline for Saudi Arabia's financial sector. Its maturity-based structure, examination-driven enforcement, and broad scope across governance, operations, third-party risk, and resilience make it one of the most comprehensive financial sector cybersecurity frameworks in the region.

Financial institutions that invest in systematic, evidence-backed compliance programs — rather than point-in-time audit preparation — are better positioned for examinations, better protected against real threats, and better able to demonstrate cybersecurity maturity to their boards and regulators.

Request a demo to see how Sentinel Unity supports SAMA CSF compliance for Saudi financial institutions.
