2019-05-13
The Saudi Arabian Monetary Authority (SAMA) has adopted a "Financial Entities Ethical Red Teaming Framework" to improve the financial sector's ability to counter and respond to cyberattacks by testing system resilience and enhancing cyber resilience. SAMA will conduct periodic tests on financial institutions to assess their systems' readiness against this framework. Financial entities are urged to independently and periodically conduct their own tests and develop their systems in accordance with the Information Security Regulatory Guide (Cyber Security Framework).
In the name of Allah, the Most Gracious, the Most Merciful
Saudi Arabian Monetary Authority Head Office
Financial Sector IT Risk Supervision Department
Number: 67 / 56224
Date: 09/09/1440 AH
Attachments: None
Circular
Subject: Circular on the Regulatory Framework (Red Teaming)
To His Excellency/ .................................................................................................
Peace, mercy, and blessings of Allah be upon you,
Referring to the Authority's Cybersecurity Strategy, which aims to enhance the financial sector's readiness and security against cyberattacks, and in continuation of the Authority's commitment to governing procedures through cybersecurity regulatory guidelines, we inform you of the Authority's adoption of the Regulatory Framework for Simulating Cyberattack Scenarios (Financial Entities Ethical Red Teaming Framework), which has been developed based on international best practices and experiences. This framework aims to improve the ability of financial institutions to confront and respond to attacks by creating realistic scenarios that test the resilience of system infrastructure and enhance the cyber resilience of the financial sector in the Kingdom. The regulatory framework will be shared via email with the compliance departments of financial institutions.
Accordingly, and stemming from the Authority's supervisory and oversight role over the financial sector, we inform you that the Authority will conduct periodic tests to apply the aforementioned framework to financial institutions to assess the readiness of their systems. The Authority also urges financial entities to conduct independent and periodic tests to assess the readiness of their systems and work on developing them in accordance with the requirements of the Information Security Regulatory Guide (Cyber Security Framework).
In case of any inquiries regarding this matter, you may contact the Director of the Financial Sector IT Risk Supervision Department, Mr. Marwan bin Hamad Al-Luhaidan, Phone/ (0114633000) Extension No.: (5818) and Email: (maalohaidan@sama.gov.sa), or the Head of the Financial Sector Information Security Section, Mr. Rashid bin Sulaiman Al-Rashid, Extension No.: (5591) and Email: (ralrasheed@sama.gov.sa).
Please accept my regards,
Fahad bin Ibrahim Al-Shathri
Deputy Governor for Supervision
Distribution Scope:
P.O. Box 2992 Riyadh 11169, Phone: 4633000