What is SAMA Cyber Security Framework and How Does it Impact Third-Party Risk Management (TPRM) in Saudi Arabia?

Jun 20, 2025

Tanay Rai

The Saudi Arabian Monetary Authority (SAMA), also known as the Saudi Central Bank, is a pioneer in setting national standards for cybersecurity. Among its most significant contributions is the Cybersecurity Framework, first released in May 2017. This blog examines how this Framework influences Third-Party Risk Management (TPRM) in Saudi Arabia and why compliance is more than a mere checkbox. It's a necessity.

Understanding SAMA's Role

SAMA is the Kingdom's central bank, established in 1952, with responsibilities that range from issuing the national currency to regulating the banking and insurance sectors. Its Cyber Security Framework (CSF) was developed to address rising cyber threats and aligns with global best practices such as:

  1. NIST Cybersecurity Framework

  2. ISO/IEC 27001

  3. PCI-DSS

  4. BASEL Principles

Scope of the SAMA Cyber Security Framework

The SAMA Cyber Security Framework applies to all entities regulated by SAMA, including:

  1. Banks operating in Saudi Arabia

  2. Insurance and Reinsurance companies

  3. Financing companies

  4. Credit bureaus

  5. Financial Market Infrastructure providers

Covered Assets:

The Framework applies to:
  1. Electronic and physical information (including hardcopies)

  2. Applications, software, databases, and e-services

  3. IT and OT infrastructure, including computers, ATMs, and storage devices

  4. Network environments, data centers, and communication systems

  5. Third-party systems, vendors, and cloud environments

Interdependencies:

While focusing on cybersecurity, the Framework also intersects with:

  • Business Continuity Management (handled separately under SAMA BCP Guidelines)

  • Physical security, HR policies, and fraud management (for alignment but not within CSF scope)

SAMA mandates that all applicable domains be implemented in full by banking institutions. For other entities, limited exclusions may apply (e.g., payment systems or electronic banking standards).

The Structure of the SAMA Cyber Security Framework

The SAMA Cyber Security Framework is a robust, principle-based guideline structured around four core domains. Each domain contains multiple subdomains, and every subdomain includes:

  • A Principle (the overarching requirement)

  • An Objective (the outcome it aims to achieve)

  • A set of Control Considerations (detailed mandatory measures)

Four Main Domains

  1. Cybersecurity Leadership and Governance – Establishes the foundation of cybersecurity governance, from board-level accountability to training and awareness.

  2. Cybersecurity Risk Management and Compliance – Aligns cybersecurity risk with enterprise risk and enforces compliance with regulatory and industry standards.

  3. Cyber Security Operations and Technology – Covers operational safeguards such as asset protection, access controls, event monitoring, incident response, and more.

  4. Third-Party Cyber Security – Enforces vendor risk management practices and ensures third parties uphold equivalent cybersecurity standards.

This structured layout ensures the Framework is modular, actionable, and adaptable to varying organization sizes and complexities.

Saudi Arabian Monetary Authority Cyber Security Framework Version 1.0 (Figure 2 - Cyber Security Framework)

Key Features That Set SAMA's Framework Apart

Principle-Based and Outcome-Oriented

Rather than prescribing specific technologies, SAMA CSF emphasizes outcomes. This allows organizations flexibility in meeting requirements while maintaining strong governance.

Continuous Improvement Cycle

Entities must not only implement controls but also evaluate, improve, and adapt them in light of emerging threats.

Documented Governance and Compliance

Organizations must maintain policies, procedures, and audit trails to demonstrate compliance with every control domain.

Integration with Enterprise Risk Management (ERM)

SAMA emphasizes the integration of cyber risk, including third-party risks, with broader Enterprise Risk Management (ERM) programs.

The Cyber Security Maturity Model

Explanation

The Cybersecurity Maturity Model, defined by SAMA, serves as a structured benchmark to help financial institutions assess and improve their cybersecurity posture. Each level builds upon the previous one, creating a clear path for continuous improvement. Here's how each level translates into real-world practices:

  1. Level 0 – Non-Existent: No formal cyber practices exist. The organization is entirely vulnerable to attacks, with no plans or recognition of cyber risks.

  2. Level 1 – Ad-hoc: Cybersecurity activities are reactive and inconsistent. Measures may be taken following incidents, but they often lack coordination or strategy.

  3. Level 2 – Repeatable but Informal: Some practices are in place and might be repeated across departments, but they are undocumented and not standardized.

  4. Level 3 – Structured and Formalized: The organization establishes clear documentation, formal processes, and governance structures. There is board-level visibility, KPIs are tracked, and compliance is enforced. This is the minimum acceptable level by SAMA.

  5. Level 4 – Managed and Measurable: Organizations actively evaluate the effectiveness of controls using Key Risk Indicators (KRIs) and performance metrics. Internal audits and compliance reviews are conducted on a routine basis.

  6. Level 5 – Adaptive: The institution integrates cybersecurity into enterprise risk management and continuously improves controls based on lessons learned, threat intelligence, and peer benchmarking. Automation and analytics play a significant role.

The goal is to move beyond compliance and toward resilience and agility in the face of evolving cyber threats.

The Framework includes a detailed Cyber Security Maturity Model, which defines the level of cybersecurity implementation within an organization. This model is used during self-assessments and regulatory audits:

| Level | Name | Description |
|---|---|---|
| 0 | Non-existent | No controls or awareness of risks |
| 1 | Ad-hoc | Inconsistent, reactive practices without documentation |
| 2 | Repeatable but Informal | Some consistency, but undocumented or siloed |
| 3 | Structured and Formalized | Documented controls, defined roles, monitored with KPIs |
| 4 | Managed and Measurable | Controls assessed with KRIs, refined through audits |
| 5 | Adaptive | Controls integrated with ERM, improved based on peer benchmarking |

SAMA mandates that regulated entities operate at Level 3 or higher.

At Level 3, an organization must have:

  1. Board-approved policies

  2. Cybersecurity standards and procedures

  3. Defined roles (e.g., full-time CISO with Saudi nationality)

  4. Measured performance using KPIs

Level 5 organizations exhibit:

  1. Continuous improvements

  2. Peer benchmarking

  3. Real-time threat response automation

TPRM-Specific Controls in the Framework

SAMA's CSF takes a robust stance on Third-Party Risk Management, requiring vendors to maintain the same level of cybersecurity rigor as regulated financial entities. These are the main controls that target TPRM:

1. Contract & Vendor Management (Section 3.4.1)
  • Define baseline cybersecurity requirements in contracts

  • Conduct due diligence before onboarding

  • Include audit rights and data ownership clauses

  • Track SLA compliance and vendor performance metrics

  • Plan for contract termination and exit strategies

2. Outsourcing (Section 3.4.2)
  • Pre-approval by SAMA for all material outsourcing

  • Cybersecurity risk assessment before and during engagement

  • Include requirements for incident handling and data privacy

  • Ensure subcontractors comply with the same standards

3. Cloud Computing (Section 3.4.3)
  • Covers hybrid and public cloud (private cloud excluded)

  • Conduct a formal risk assessment and vendor due diligence

  • Mandate encryption, multi-factor authentication, and monitoring

  • Assess and document compliance with agreed SLAs

4. Risk Management Lifecycle (Section 3.2.1)
  • Identify risks from third-party access, systems, and dependencies

  • Evaluate business impact and assign risk ownership

  • Define risk treatments and residual risk acceptance

  • Align with the enterprise risk appetite

5. Incident Management (Section 3.3.15)
  • Require vendors to report cybersecurity incidents immediately

  • Conduct forensic analysis and preserve evidence

  • Share post-incident analysis with SAMA

  • Implement corrective actions and measure their effectiveness

6. Cybersecurity Audits and Reviews (Sections 3.2.4 and 3.2.5)
  • Schedule periodic cybersecurity audits of vendor controls

  • Test internet-facing third-party platforms annually

  • Enforce remediation of identified vulnerabilities

7. Compliance & Regulatory Alignment (Sections 3.2.2 and 3.2.3)
  • Ensure vendors comply with PCI-DSS, SWIFT CSCF, and SAMA outsourcing circulars

  • Track and update vendor compliance as regulations evolve

Why This Matters

  1. Enforces Accountability Beyond the Organization

SAMA requires vendors to be part of the cybersecurity ecosystem, not outside it. That means binding contracts, monitoring, and transparency.

  2. Promotes Measurable Performance

Organizations must collect and report vendor key performance indicators (KPIs) and key risk indicators (KRIs). This quantifies risk and guides continuous improvement.

  3. Mitigates Supply Chain Threats

With rising threats from software supply chains, SAMA's Framework builds systemic resilience by mandating layered vendor controls.

  4. Embeds TPRM into Corporate Strategy

From the boardroom to frontline teams, vendor risk is no longer a procurement issue; it is a core cybersecurity pillar.
