Regulatory Update

SAMA CSF and Third-Party Risk: What Saudi Banks Need to Manage Vendor Cybersecurity

The SAMA Cyber Security Framework places significant obligations on Saudi financial institutions to assess and manage cybersecurity risk in their vendor and supplier relationships.

Sentinel Unity GRC Team | 20 November 2024 | 6 min read
Tags: SAMA CSF, TPRM, Financial Services, Vendor Risk

Why Vendor Risk is a SAMA Priority

The Saudi Central Bank (SAMA, formerly the Saudi Arabian Monetary Authority) has long recognized that banks, insurers, and other financial institutions are only as secure as their weakest vendor link. The SAMA Cyber Security Framework dedicates an entire domain, Third Party Cyber Security, to ensuring that regulated entities extend their cybersecurity governance to vendors, service providers, and technology partners.

This is not a best-practice recommendation. It is a regulatory requirement with examination implications.


What SAMA CSF Requires for Third-Party Risk

SAMA's third-party cybersecurity requirements can be grouped into five key obligations:

1. Vendor Risk Classification

All vendors must be classified by the level of risk they represent to the organization. Classification criteria typically include:

  • Access to sensitive customer or financial data
  • Criticality to business operations
  • Integration points with core banking systems
  • Geographic location and jurisdiction

SAMA expects a tiered risk model — typically Critical, High, Medium, and Low — with controls scaled to the tier.

2. Due Diligence Before Engagement

Before onboarding a new vendor, financial institutions must conduct pre-engagement due diligence covering:

  • Vendor's own cybersecurity policy and certifications
  • Evidence of security assessments (penetration tests, ISO 27001 certificate)
  • Business continuity and disaster recovery capability
  • Sub-contractor security management

3. Contractual Security Requirements

SAMA expects that cybersecurity obligations are embedded in vendor contracts, including:

  • Right to audit vendor security posture
  • Incident notification requirements (timeline and scope)
  • Data handling and retention obligations
  • Minimum security standards and certifications required

4. Ongoing Assessment and Monitoring

The framework requires periodic reassessment of vendor risk — not just at onboarding. This includes:

  • Security questionnaires on a fixed cycle (at least annually, and more frequently for higher-risk tiers)
  • Continuous monitoring of vendor security news and incidents
  • Contract renewal reviews incorporating security posture changes

5. Incident and Exit Planning

Financial institutions must have documented plans for what happens when a vendor suffers a breach or becomes unavailable, including data recovery and transition arrangements.


The TPRM Lifecycle for SAMA-Regulated Banks

A mature SAMA-compliant TPRM program operates as a continuous lifecycle:

Identification → Classification → Due Diligence →
Contract → Onboarding → Monitoring → Assessment →
Renewal / Exit

Each stage requires documented evidence that appropriate controls were applied.


Common SAMA TPRM Findings

Organizations frequently receive SAMA examination findings related to:

  • Incomplete vendor inventory — unable to identify all vendors with access to systems or data
  • Missing due diligence for legacy vendors — vendors onboarded before TPRM programs were formalized
  • Inconsistent contractual clauses — vendor agreements missing security or audit rights
  • No evidence of periodic reassessment — annual questionnaires not conducted or documented
  • Slow incident notification — no defined process for vendors to notify the bank of breaches

How Sentinel Unity Supports SAMA TPRM

Sentinel Unity's TPRM module was designed with SAMA CSF requirements explicitly in mind:

Vendor Registry & Tiering: Maintain a complete vendor inventory with automatic risk tier calculation based on data access, operational criticality, and other configurable factors.

Due Diligence Requests (DDR): Send structured questionnaires to vendors during onboarding. Track completion status, scores, and responses in one place.

Contractual Control Tracking: Record contract security clauses, expiry dates, and audit rights, with automated alerts 90/60/30 days before expiry.

Periodic Assessment: Schedule and track annual vendor security assessments. Vendor risk scores update automatically based on responses.

SAMA-Aligned Reporting: Generate TPRM portfolio reports showing tier distribution, assessment completion rates, and overdue items, ready for internal and regulatory review.


Conclusion

Managing third-party cybersecurity risk under SAMA CSF is operationally demanding. Without a systematic platform, compliance teams find themselves drowning in spreadsheets, email chains, and document folders — unable to provide the consolidated reporting regulators expect.

A purpose-built GRC platform transforms vendor risk management from a periodic audit exercise into a continuous, evidence-backed program.

Request a demo to see how Sentinel Unity handles SAMA TPRM requirements from vendor onboarding through annual assessment and renewal.
