In May 2017, the Saudi Arabian Monetary Authority (SAMA) proposed a framework to strengthen the security of financial organizations. As new security demands and trends emerge, this Framework is continually reviewed and redesigned to meet those needs. It is based on the European Payment Services Directive’s robust consumer authentication services. Implementation of this Framework is required for financial institutions regulated by SAMA in order to establish a consistent procedure to address growing cyber risks.
The objective of the Framework is as follows:
- To create a common approach for addressing cyber security within the Member Organizations.
- To achieve an appropriate maturity level of cyber security controls within the Member Organizations
- To ensure cyber security risks are properly managed throughout the Member Organizations.
In Saudi Arabia, one of the most serious threats is Cybersecurity
Cybersecurity is one of the biggest threats confronting companies and financial institutions in the Middle East and North Africa (MENA) region. Globally, banks are searching for new methods to tackle cyber risks such as phishing and account takeover fraud while improving the client experience and ensuring compliance with regulatory requirements.
Businesses and financial institutions in the Middle East and North Africa (MENA) suffer a variety of cybersecurity concerns. Banks across the world are looking for innovative ways to combat cyber threats like phishing and account takeover fraud while also enhancing the customer experience and maintaining regulatory compliance. The need to safeguard data, transactions, devices, and users through fraud prevention, mobile app security, and robust consumer authentication is becoming firmly ingrained in banks’ development plans. The focus in the Middle East is on using emerging technology to innovate in this area, especially as mobile banking gets traction in our region. To support this innovation, Information Security in MENA is expected to Reach $171 Billion in 2021, according to Gartner.
Key Cybersecurity Issues To Consider
SAMA Cyber Security Framework Compliance
Globally, government and banking industry authorities adopt cybersecurity guidelines and recommendations, and the United States is no exception. The Saudi Arabian Monetary Authority (SAMA) launched the SAMA Cyber Security Framework to increase resilience against cyber attacks. For example, strong Customer Authentication requirements in the updated European Payment Services Directive (PSD2) have spurred safe Open Banking throughout the globe, including in Bahrain.
The Saudi Arabian Monetary Authority developed the regulation based on industry-standard frameworks such as the:
- National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)
- Payment Card Industry Data Security Standard (PCI DSS)
- ISO 27001/27002 Information Security Management Standards
- Information Security Forum-Standard of Good Practice for Information Security
- Basel II International Convergence of Capital Measurement and Capital Standards (note: new adjustments were just endorsed on January 14, 2019 as part of Basel III)
It is mandatory for all banks, insurance companies, and finance companies operating in Saudi Arabia to adopt the SAMA Cyber Security Framework.
Stay Protected The 4 Key Focus Areas for SAMA Compliance
The banks in Saudi Arabia should implement cybersecurity policies and technology to comply with SAMA and create digital trust with their customers, which is the key to future growth.
Here are four key aspects of the Framework:
1. Identity & Access Management: In section 3.3, Cyber Security Operations and Technology, SAMA offers guidelines on Identity and Access Management (IAM). For privileged and remote access management, the Framework defines multi-factor authentication (MFA).
MFA is required by banks for two reasons:
• To safeguard the customer’s login to online and mobile banking, use strong authentication to protect the customer’s data and financial assets.
• To defend against bad actors attempting to access and steal data by securing employees’ remote access to the business network and VPN.
In addition to logins, the Framework requires MFA for the following use cases:
- Including or removing beneficiaries
- Adding payment services for utilities and the government
- High-risk transactions (when activities exceed pre-defined limits)
- Password reset
On the market, there are several multi-factor authentication methods. Saudi banks should seek a provider that offers various authentication techniques across several channels, such as hardware tokens and mobile app authentication. Step-up authentication, also known as Intelligent Adaptive Authentication, is supported through mobile applications with native biometrics, FIDO U2F or UAF, behavioral biometrics, and more in the newest cloud-based multi-factor authentication systems.
2. Secure Channel:
Under section 3.3.13, Electronic Banking Services SAMA stipulates the “employment of communication methods to avoid man-in-the-middle attacks (applicable for online and mobile banking).” One of the most typical methods for this to occur is via a malicious Wi-Fi network or public hotspot (known as a rogue access point). Fraudsters will place themselves between the bank and the customer to intercept communication in this sort of assault. Consumers appreciate the convenience of public hotspots, unaware that their payment data may be sent across a network controlled by a criminal actor. Banks may use Cronto® secure visual cryptograms to safeguard their clients from man-in-the-middle attacks.
3. Mobile Application Shielding:
SAMA defines mobile app security standards in section 3.3.13, Electronic Banking Services. This includes criteria like as blocking and detecting attempts to modify mobile app code, sandboxing methods, and mitigating the different hazards associated with a hacked mobile app. One of the critical issues when it comes to mobile is that consumers are not always aware of the dangerous environment and do not always take the required security precautions – particularly on Android.
To complicate matters further, many banks still lack mobile applications, do not monitor the mobile channel or lack experience in mobile fraud. Mobile malware is on the rise, despite this fact. Bank Trojans infecting mobile devices have increased Client-side protections such as mobile app shielding have become essential because of this. As long as the proper security measures and MFA procedures are in place, banks and other financial institutions can protect the app from assaults and simplify the user experience.
Banks must provide the most convenient authentication methods, including mobile biometrics, and maintain advanced mobile app security operating in the background, unnoticed by the user.
4. Fraud Detection and Prevention:
The Framework outlines the application of fraud and risk management in section 3.3.16, Threat Management. The attack surface of a bank rises dramatically as more financial products are supplied through digital channels. To stay up, the worldwide industry is relying on machine learning, advanced data mining, and modelling to provide the most accurate risk and fraud forecasts. To provide the most accurate risk score, modern fraud detection and prevention technologies evaluate large amounts of data from numerous sources across all digital channels. These ratings drive intelligent processes that allow for rapid action based on pre-defined security policies and rules and/or bank-defined security policies and regulations.
Global spending on fraud management solutions is anticipated to double over the next five years, hitting $10 billion by 2023, according to Forrester’s Fraud Management Solutions Forecast, 2017 To 2023 (Global). Working with a provider will help achieve the twin goals of robust security and an excellent user experience, which is the key to getting the most out of your fraud management expenditure.
The SAMA Cyber Security Framework for the Saudi Financial Services Sector
Computers and equipment such as ATMs and data storage devices are defined as “information assets” in the Framework.
These three principles are at the heart of The Framework’s design: confidentiality, integrity, and accessibility.
According to the Framework, each regulated business must implement and meet basic cyber security principles and goals in order to comply
There are four important cyber security “domains” that need to be addressed: Leadership and Governance, Risk Management and Compliance, Operational and Technology Issues, and Third-Party Concerns.
How can databrackets help comply with the SAMA framework?
databrackets’s data-centric cyber security solutions complement Financial Institutions’ existing security policy, allowing the organization’s most sensitive data to be protected in a permanent manner, audited, and access revoked as necessary.
Cyber security awareness can be spread throughout a company. Security and implementation methodologies from databrackets’s protection and implementation approach will help organizations to attain maturity levels 3 (structured and formal implementation), 4 (monitoring and evaluation), and 5 (continuous and adaptive improvement).
The cyber security solution is linked to the SAMA Cybersecurity Framework‘s domains and subdomains.
Leadership and governance in Cyber Security (3.1)
Cyber Security Policy (3.1.3)
Consistently safeguard the organization’s most sensitive information assets. The organization can identify risks about the information (who is attempting to access without authorization) and indicate possible gaps in the information through powerful auditing and monitoring of accesses to protected information.
Cyber Security Roles and Responsibilities (3.1.4)
Data managers and IT personnel can be segregated in terms of who can examine the security status of the most sensitive data, altering the organization’s cybersecurity policy. They can assess the organization’s level of security and recommend upgrades and modifications to achieve a higher level of protection of data.
Cyber Security in Awareness (3.1.6) and Cyber Security in Training (3.1.7)
Promote a Cybersecurity Culture within the organization’s structure. Users should be aware of managing protected sensitive files and know that some information cannot leave the business unprotected after being involved and trained in securing sensitive information.
Compliance and Cyber Security risk management (3.2)
Cyber Security Risk Management (3.2.1)
In addition to infrastructure and applications, risk management can extend to data, which can be safeguarded in any place, as well as auditing its usage. furthermore, it is possible to find out whether certain data has been restricted from being accessed in the past.
Compliance with (inter)national standards (3.2.3)
By encrypting and protecting important documents as well as monitoring or revoking access to protected data, databrackets helps financial institutions comply with international regulations such as PCI-DSS (Payment Card Industry
Cyber Security Audit (3.2.5)
databrackets makes it easier to conduct data security audits. It leaves a record of all action on the data in its life cycle, from creation to protection, through access to unprotection or cancellation of access to the data, via its protection solution. This audit promotes the organization’s progression to maturity level 4.
Technology and Cyber Security operations (3.3)
Human Resources (3.3.1)
databrackets can assist in achieving Cybersecurity requirements in the Human Resources area. When an employee leaves the organization, the access rights to the data can be revoked, regardless of where it is located (on the company network, at the user’s home, etc.). Furthermore, the organization can determine whether the former employee is still attempting to access the data after they have left the organization.
Asset Management (3.3.3)
An individual can identify who owns a sensitive document, as well as its protection policy or level of sensitivity if it has been safeguarded. All file accesses are recorded. As soon as data is classified or categorized, it is protected by databrackets
Identity and Access Management (3.3.5)
databrackets integrates data encryption, identity management, and rights management. Data access can be changed in real-time by limiting information access (only view, edit, copy and paste, print, unprotect, etc.) and who can or cannot access the information.
Application Security (3.3.6) and Infrastructure Security (3.3.8)
In case a user visits a program and downloads or exports data, it can apply protection to the download, allowing the documents to be controlled wherever they are used.
At rest (in team directories and file servers), in transit (when sending email or downloading), and in usage databrackets encrypts data (when the user opens a document, permissions such as editing, checking out, etc.).
Bring Your Own Device (3.3.10)
Corporate infrastructure and devices protect sensitive data, but it is also retained under the firm’s control on the personal devices of company users and third parties.
Secure Disposal of Information Assets (3.3.11)
The ability to revoke a sensitive document allows it to be essentially destroyed regardless of where it is located. The document can be disabled so that no one else can view it. Furthermore, the business can continue to audit failed access attempts to this disabled document.
Cyber Security Event Management (3.3.14)
databrackets raises the visibility of critical and confidential assets within a company. Information such as access IPs, user identities, etc. can be supplied to SIEM systems to be monitored and managed by a SoC. In addition, it is possible to set up alerts for information (such as a large number of documents being checked out), access attempts from banned subdomains.
Threat Management (3.3.16)
databrackets enables the application of an additional protection layer against potential network security breaches.
Cyber Security applied to third parties (3.4)
In many circumstances, security on the network can be controlled, but not on the network of a third party. Contractual or vendor management methods may result in attempts to prohibit improper vendor security practices. However, by safeguarding data provided to a subcontractor or external partner, ensure that data is kept secure and under control at all times.
Cloud Computing (3.4.3)
Even though the organization’s sensitive data is stored in a public or private cloud with its own cybersecurity protections, further control can be maintained if the data is secure. If the Cloud provider is compromised, the data remains secure and can only be accessed by the individuals designated in the security policy, regardless of where the data is stored.
Let’s take this discussion forward
Saudi Arabia’s Banking, Insurance, and Financial Services organizations must adopt and apply the Cybersecurity Framework SAMA in order to manage and deal with cybersecurity threats.
Watch this space for more postings about SAMA Cybersecurity Framework.