A SAMA Compliance Roadmap for Fintechs
In today’s age of global interconnectivity and enhanced reliance on communication systems, security compliance with recognized standards is essential in order to remain competitive for any fintech service undergoing operations in the Saudi Financial Sector.
Among the key strengths of any fintech today is a quick, integrated, and seamless data sharing solution that can sort through and store a copious amount of data in the shortest time. All of these processes must be run in a completely secure data environment as the information is of critical value and the loss of which may result in complete business failure in such a sector. When it comes to Cyber Security, data security among fintechs is the major concern for 70% of banks consulted during the Sixth Annual Bank Survey. Similarly, according to the Ponemon Institute 2019 Study, capital market firms and banks spend approximately $18.5 million every year to combat cybercrime. Therefore, highlighting the need for heightened security and compliance in any given financial sector.
These fintech services are recognized as Member Organizations regulated by SAMA and for most, the road to attaining compliance can often be quite daunting a task. However, with SAMA’s Cyber Security Framework, a selective approach for fintechs can be carved out which shall be discussed in the ensuing paragraphs. Technically, the quantum of effort and, therefore, the work required by any fintech in ensuring SAMA compliance would indubitably depend on what Cyber Security Maturity Level it is seeking to achieve. The maturity levels as defined by SAMA are as under:-
However, for ease of comprehension and understanding, we will focus on Maturity Levels 3 and above as according to SAMA’s Cyber Security Framework, Member Organizations should operate at least at Maturity Level 3.
In addition to the holistic structure of SAMA’s Cyber Security Framework, specific measures which fintechs can take in order to obtain SAMA Compliance in the specific control domains are highlighted as follows:-
- Cyber Security Leadership and Governance
Major controls include measures such as:-
- A Cyber Security Committee be set up which must include senior managers of all relevant departments, CISO (Chief Information Security Officer) and internal auditors.
- Setting up a Cyber Security function in the company which is independent from others including IT.
- CISO must have a Saudi nationality.
- Development of strategy which incorporates the anticipated future state of cyber security for the Member Organization to become and remain resilient to (emerging) cyber security threats.
- Cyber security should be integrated into the Member Organization’s project management methodology to ensure that cyber security risks are identified and addressed as part of a project.
- Cyber security awareness should be conducted to enhance awareness and create a solid working culture based with integrated cyber security at every tier.
- Conduct of cyclical training focused at achieving cyber security responsibilities and protection of the Member Organization’s information assets.
- Cyber Security Risk Management and Compliance
- The cyber security risk management process should focus on safeguarding the confidentiality, integrity and availability of information assets.
- The risk management process should cover the Member Organization’s information assets including processes, applications and components.
- A cyber security risk analysis should be performed to address the level of potential business impact and likelihood of cyber security threat events materializing.
- Accepting cyber security risks should include:
- The consideration of predefined limits for levels of cyber security risk.
- The approval and sign-off by the business owner, ensuring that:-
- The accepted cyber security risk is within the risk appetite and is reported to the cyber security committee.
- The accepted cyber security risk does not contradict SAMA regulations.
- The Member Organization should comply with the following standards:-
- Payment Card Industry Data Security Standard (PCI-DSS).
- EMV (Europay, MasterCard and Visa) technical standard.
- SWIFT Customer Security Controls Framework – March 2017.
- Internet facing facilities should be subject to annual reviews and penetration testing.
- Cyber Security Operations and Technology
- Important post-employment cyber security safeguards such as revoking access rights and returning information assets assigned such as smart cards, mobile devices, electronic information etc.
- The physical security process should include (but not limited to):
- Physical entry controls (including visitor security and surveillance).
- Monitoring and surveillance (e.g., CCTV, ATMs GPS tracking, sensitivity sensors).
- Protection of data centers and communication rooms.
- Protection of information assets during lifecycle (including transport and secure disposal) avoiding unauthorized access and (un)intended data leakage.
- Robust asset management system which should include detailed information asset classification, labelling and handling.
- Robust and comprehensive identity and access management system encompassing the responsibilities and accountabilities of all should be formulated.
- In case of an application-based service, the development should follow the approved secure system development life cycle methodology (SDLC).
- Cyber secure change management process which ensures integrity of information assets in case of changes.
- Comprehensive infrastructure security standard which includes all forms of infrastructure from servers, operating systems, data-centers to workstations and everything in between.
- Vulnerability and patch management, DDOS protection, malicious code/ software and virus protection.
- Implementation of a defined and monitored cryptographic security standard.
- In case Member Organizations permit the use of personal devices (Bring Your Own Devices BYOD), a cyber security standard should be defined for use for these devices specifically. The BYOD standard should cover all aspects of the device’s usage, access, network and regulation etc.
- Implementation and monitoring of a secure disposal standard and procedure which ensures information assets are disposed in accordance with legal and regulatory requirements. With focus on sensitive information being destroyed by techniques that make the information non-retrievable.
- In case of payment systems for Saudi Arabian Riyal Interbank Express (SARIE) information, please refer to the SARIE Information Security Policy, Version Issue 1.0 – June 2016.
- In case of Electronic Banking Services, the following controls merit attention:-
- Comprehensive cyber security standards for electronic banking services should be defined which includes use of brand protection measures to protect online services including social media .
- In case of online, mobile and phone banking:-
- Use of official application stores and websites.
- Use of sandboxing.
- Use of non-caching techniques.
- Use of communication techniques to avoid ‘man-in-the-middle’-attacks.
- Use of multi-factor authentication mechanisms
- High availability of the electronic banking services should be ensured.
- Scheduled downtime of the electronic banking services should be timely communicated to SAMA and customers.
- Obtaining approval of SAMA before launching a new electronic banking service.
- In case of ATMs and POSs:-
- Prevention and detection of exploiting the ATM/POS application and infrastructure vulnerabilities (e.g., cables, (USB)-ports, rebooting).
- Cyber security measures, such as hardening of OS, malware protection, privacy screens, masking of passwords or account numbers (e.g., screen and receipt), geo-blocking (e.g., disable cards per default for outside GCC countries, disable magnetic strip transactions), video monitoring (CCTV), revoking cards after 3 successive invalid PINs, anti-skimming solutions (hardware/software), and PIN-pad protection.
- Remote stopping of ATMs in case of malicious activities.
- In case of SMS/ notifications systems:-
- Any sensitive data should not be contained on any notification.
- SMS/ email notification should be sent for all transactions/ alerts.
- SMS/ email notification should be sent when beneficiaries are added or modified.
- SMS/ email notification should be sent when requesting a new multi-factor authentication mechanism.
- Establishment of a designated Security Operations Centre (SOC) with trained and designated staff and restricted workspaces and requisite facilities. This should also include automated and centralized analysis of security logs and correlation of event or patterns (i.e., Security Information and Event Management (SIEM)).
- A holistic and effective Cyber Security Incident Management process based on a designated team for incident management with requisite training (certified forensic experts), facilities and workspaces. The process should be able to classify incidents, log and protect all relevant evidence and carry out post-incident activities (forensics, root-cause analysis etc.) and be able to formulate a report covering suggested improvements of all loopholes observed.
- Threat Intelligence and Vulnerability Management which further help in classification and prioritization of information assets from a cyber security purview.
- Third Party Cyber Security
- Ensuring that third party contractors and vendors adhere to the Member Organization’s approved cyber security requirements before signing the contract. This can be done by defining cyber security requirements as part of the tender process.
- In case of outsourcing, the process should include:-
- The approval from SAMA prior to material outsourcing.
- The involvement of the cyber security function.
- Compliance with the SAMA circular on outsourcing.
- In case cloud computing solutions are being made use of:-
- The Member Organization should obtain SAMA approval prior to using cloud services or signing the contract with the cloud provider.
- In principle only cloud services should be used that are located in Saudi Arabia, or when cloud services are to be used outside Saudi Arabia that the Member Organization should obtain explicit approval from SAMA.
- The cloud service provider should implement and monitor the cyber security controls as determined in the risk assessment for protecting the confidentiality, integrity and availability of the Member Organization’s data.
- The Member Organization’s data is logically segregated from other data held by the cloud service provider, including that the cloud service provider should be able to identify the Member Organization’s data and at all times should be able to distinguish it from other data.
- The Member Organization has the right to perform a cyber security review and security audit of the cloud service provider.
Best Practices
Apart from SAMA’s framework, a few general best practices for inclusive and operational fintech solutions include the following:-
- Data encryption such as RSA, 3DES, or twofish.
- Testing including penetration tests, audits, or security testing teams etc.
- Secure application/ platforms by using password protection, OTPs multifactor authentication, timed log-in sessions, monitoring, password expiry etc.
- Access controls based on roles such as administrator, manager, customer, support staff etc.
In conclusion, it is worth noting that the path to a completely