SAMA Publishes Financial Entities Ethical Red Teaming Framework
SAMA published the Financial Entities Ethical Red Teaming Framework, in an effort to address the increasing cyber risks. The framework is intended as a guide to prepare and execute controlled cyber attacks against the production environment, without exposing sensitive information, with the help of certified and experienced Red Teaming Providers. The framework aims to share intelligence and information obtained during testing to further improve cyber resilience in the financial sector in Saudi Arabia. The framework applies to all member organizations in the financial sector regulated by SAMA.
The principal objective of the framework is to provide guidance on how to conduct the red teaming activities and how to test the detection and response capabilities of a member organization against real sophisticated and advanced attacks and enhance the knowledge of the involved stakeholders. The framework consists of four phases—preparation phase, scenario phase, execution phase, and lessons learned phase. Red Teaming should not be regarded as an audit but as a simulation test that seeks to provide insight into the level of resilience and effectiveness of the implemented cyber-security controls and relevant processes. Red Teaming is not a penetration test; rather, in contrast to a penetration test (in which one or more specific information assets are tested and assessed), it focuses on replicating a targeted and realistic attack against the entire member organization and is performed in a controlled manner.
SAMA has the authority to select any member organization to perform a red teaming exercise considering its criticality and the emerging threat landscape. In addition, a member organization can rightfully conduct red teaming exercise to ensure security resilience. However, as a minimum, domestic systemically important entities will be subject to testing once every three years, in line with this framework. SAMA will maintain the framework and conduct periodic reviews to determine its effectiveness, including the extent to which it addresses the emerging cyber-security threats and risks. If applicable, SAMA will update the framework based on the outcome of the review and lessons learned.
Related Links
Keywords: Middle East and Africa, Saudi Arabia, Banking, Red Teaming Framework, Cyber Risk, Cyber Testing, Operational Risk, Cyber Resilience, SAMA
Related Articles
BIS Report Notes Existing Gaps in Climate Risk Data at Central Banks
A Consultative Group on Risk Management (CGRM) at the Bank for International Settlements (BIS) published a report that examines incorporation of climate risks into the international reserve management framework.
EBA Publishes Multiple Regulatory Updates for Regulated Entities
The European Banking Authority (EBA) published the final guidelines on liquidity requirements exemption for investment firms, updated version of its 5.2 filing rules document for supervisory reporting, and Single Rulebook Question and Answer (Q&A) updates in July 2022.
APRA Consults on Prudential Standard for Operational Risk
The Australian Prudential Regulation Authority (APRA) is seeking comments, until October 21, 2022, on the introduction of CPS 230, which is the new cross-industry prudential standard on operational risk management.
EC Amends Rule on Securitizations; ESRB Updates Reciprocation Measures
The European Commission published a Delegated Regulation 2022/1301 on the information to be provided in accordance with the simple, transparent, and standardized (STS) notification requirements for on-balance-sheet synthetic securitizations.
APRA Announces Revisions to Capital Framework for Banks
The Australian Prudential Regulation Authority (APRA) is announced revisions to the capital framework for authorized deposit-taking institutions to implement the "unquestionably strong" capital ratios and the Basel III reforms.
EBA Examines Remuneration Data and Use of Large Exposure Exemptions
The European Banking Authority (EBA) published a report that examines the use of certain exemptions included in the large exposures regime under the Capital Requirements Regulation (CRR).
UK Authorities Publish Discussion Paper on Critical Third Parties
The Bank of England (BoE), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) published a joint discussion paper that sets out potential measures to oversee and strengthen the resilience of services provided by critical third parties to the financial sector in UK.
BoE Issues Update on Ongoing Data Transformation Program
The Bank of England (BoE) issued a communication to firms to provide an update on the progress of the joint data transformation program—which is being led by BoE, the Financial Conduct Authority (FCA), and the industry—for the financial sector in UK.
EBA Issues Draft Methodology and Templates for 2023 Stress Tests
The European Banking Authority (EBA) published the draft methodology, templates, and template guidance for the European Union-wide stress test in 2023.
EBA Issues SREP Guidelines and Standards for Investment Firms
The European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) jointly published the final guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP) for investment firms.