Data Cybersecurity Controls (DCC-1:2022)

Abdulaziz T. Alotaibi From: Payment Policy Sent: Tuesday, January 31, 2023 2:28 PM Cc: Husam A. Al Mahmoud; Dr. Yazeed A. Alissa; Payment Policy (PaymentPolicy@SAMA.GOV.SA)

Subject: Circular - Data Cybersecurity Controls (DCC-1:2022) Attachments: Data-Cybersecurity-Controls-DCC.pdf; DCC_Assessment_and_Compliance_Tool_V1.0.xlsx

Dear Colleagues, Peace, mercy and blessings of God be upon you.

We inform you that the Information Security Manual issued by the Saudi Central Bank (SAMA) requires financial institutions to establish a mechanism for applying regulatory evidence and standard measurement criteria issued by national and international bodies, and implementing them according to the following scope controls: • Regulatory Compliance (3.2.2) • Compliance with (inter)national industry standards (3.2.3)

We further inform you that the National Cybersecurity Authority (NCA) has issued the Data Cybersecurity Controls (DCC-1:2022), which serve as an extension to the Basic Cybersecurity Controls and complement them, and require financial institutions to:

1. Implement measures that achieve permanent and continuous compliance with these controls.
2. Conduct a self-assessment of the financial institution's current status using the assessment and compliance measurement tool (attached).
3. Fully apply the controls no later than the end of Q3 2023.

The Saudi Central Bank further emphasizes the necessity of adhering to the above-mentioned instructions within the specified timeframe, with the necessary assessment and management of cybersecurity risks in a timely manner to address potential risks. In case of any inquiries, you may contact the General Directorate for Cybersecurity Risk Control via the following email: (SA.GOV.SAMA@Compliance.CRC).

Yours sincerely,

2 S A M A . G O V . S A