What It Is

SAMA Cyber Security Framework (CSF) Version 1.0 (May 2017) is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia. It provides a principle-based, outcome-oriented approach to cybersecurity governance, controls, and maturity, ensuring detection, resistance, response, and recovery from threats. Scope covers all information assets in banks, insurers, finance firms, credit bureaus, and market infrastructures.

Key Components

• Four domains: Cyber Security Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Cyber Security.
• Subdomains with principles, objectives, control considerations (114+ subcontrols).
• Six-level maturity model (Level 0-5; minimum Level 3: structured policies/standards/procedures, KPIs).
• Aligns with NIST CSF, ISO 27001, PCI-DSS; self-assessment and SAMA audits.

Why Organizations Use It

• Mandatory compliance avoids penalties, audits, operational disruptions.
• Enhances resilience, reduces incidents, improves efficiency/uptime.
• Builds trust, enables partnerships, competitive edge in Vision 2030 digital economy.
• Integrates risk intelligence for better decisions, insurance, ERM.

Implementation Overview

• Phased: initiation/gap analysis, risk assessment, design, deployment, operate, audit/improve.
• Cross-functional: Board sponsorship, CISO-led, tools (SIEM, IAM, GRC).
• Applies to all SAMA entities; scalable by size; periodic self-assessments, no external certification.

What It Is

Basel III is the international regulatory framework developed by the Basel Committee on Banking Supervision (BCBS) post-global financial crisis. It sets prudential standards for banks to enhance resilience through improved capital quality, leverage constraints, and liquidity requirements. Its risk-based approach combines minimum ratios with buffers and non-risk metrics.

Key Components

• **Three PillarsPillar 1 (capital, leverage, liquidity ratios like CET1 4.5%, leverage 3%, LCR/NSFR); Pillar 2 (supervisory review, ICAAP); Pillar 3 (disclosures for comparability).
• Buffers (conservation 2.5%, countercyclical, G-SIB/D-SIB).
• Output floor limiting internal model benefits.
• No formal certification; compliance via national implementation and supervisory oversight.

Why Organizations Use It

Banks adopt it for regulatory compliance, as jurisdictions enforce via domestic law. It mitigates systemic risk, improves funding costs, enhances market confidence, and supports strategic balance-sheet optimization amid model constraints.

Implementation Overview

Phased enterprise transformation: gap analysis, data/system upgrades, model validation, governance. Applies to internationally active banks globally; involves QIS, parallel runs, Pillar 3 reporting. No external certification but RCAP assessments ensure consistency. (178 words)