SAMA Publishes Financial Entities Ethical Red Teaming Framework
SAMA published the Financial Entities Ethical Red Teaming Framework, in an effort to address the increasing cyber risks. The framework is intended as a guide to prepare and execute controlled cyber attacks against the production environment, without exposing sensitive information, with the help of certified and experienced Red Teaming Providers. The framework aims to share intelligence and information obtained during testing to further improve cyber resilience in the financial sector in Saudi Arabia. The framework applies to all member organizations in the financial sector regulated by SAMA.
The principal objective of the framework is to provide guidance on how to conduct the red teaming activities and how to test the detection and response capabilities of a member organization against real sophisticated and advanced attacks and enhance the knowledge of the involved stakeholders. The framework consists of four phases—preparation phase, scenario phase, execution phase, and lessons learned phase. Red Teaming should not be regarded as an audit but as a simulation test that seeks to provide insight into the level of resilience and effectiveness of the implemented cyber-security controls and relevant processes. Red Teaming is not a penetration test; rather, in contrast to a penetration test (in which one or more specific information assets are tested and assessed), it focuses on replicating a targeted and realistic attack against the entire member organization and is performed in a controlled manner.
SAMA has the authority to select any member organization to perform a red teaming exercise considering its criticality and the emerging threat landscape. In addition, a member organization can rightfully conduct red teaming exercise to ensure security resilience. However, as a minimum, domestic systemically important entities will be subject to testing once every three years, in line with this framework. SAMA will maintain the framework and conduct periodic reviews to determine its effectiveness, including the extent to which it addresses the emerging cyber-security threats and risks. If applicable, SAMA will update the framework based on the outcome of the review and lessons learned.
Related Links
Keywords: Middle East and Africa, Saudi Arabia, Banking, Red Teaming Framework, Cyber Risk, Cyber Testing, Operational Risk, Cyber Resilience, SAMA
Previous Article
ISDA Publishes Master Regulatory Disclosure Letter and Guidance NoteRelated Articles
ECB Releases Results of Bank Lending Survey for Fourth Quarter of 2020
ECB published results of the quarterly lending survey conducted on 143 banks in the euro area.
ESAs Publish Reporting Templates for Financial Conglomerates
ESAs published the final draft implementing technical standards on reporting of intra-group transactions and risk concentration of financial conglomerates subject to the supplementary supervision in EU.
EBA Publishes Report on Asset Encumbrance of Banks in EU
EBA published the annual report on asset encumbrance of banks in EU.
US Agencies Publish Updates for Call Reports, FFIEC 101, and FR Y-9C
FED updated the reporting form and instructions for the FR Y-9C report on consolidated financial statements for holding companies.
EBA Proposes Guidelines for Establishing Intermediate Parent Entities
EBA issued a consultation paper on the guidelines on monitoring of the threshold and other procedural aspects of the establishment of intermediate EU parent undertakings, or IPUs, as laid down in the Capital Requirements Directive.
EC Adopts Financial Reporting Changes Arising from Benchmark Reforms
EC published Regulation 2021/25 that addresses amendments related to the financial reporting consequences of replacement of the existing interest rate benchmarks with alternative reference rates.
BIS Bulletin Examines Key Elements of Policy Response to Cyber Risk
BIS published a bulletin, or a note, that examines the cyber threat landscape in the context of the pandemic and discusses policies to reduce risks to financial stability.
HMT Updates List of Post-Brexit Equivalence Decisions in UK
HM Treasury, also known as HMT, has updated the table containing the list of the equivalence decisions that came into effect in UK at the end of the transition period of its withdrawal from EU.
EBA Issues Erratum for Technical Package on Reporting Framework 3.0
EBA published an erratum for technical package on phase 1 of the reporting framework 3.0.
APRA Publishes FAQ on Measurement of Credit Risk Weighted Assets
APRA updated a frequently asked question (FAQ), for authorized deposit-taking institutions, on the measurement of credit risk weighted assets.