Indeed, the Kingdom of Saudi Arabia (KSA) continues to lead the way within the digital transformation arena. Implementation of the ambitious “Visions 2030” and the National Transformation Plan is making that a possibility. The result is the development of a wealth of digital products, services, and data, which attracts careful attention to cybersecurity. That explains why cybersecurity is not only a concern for players in the private sector in KSA but a matter of national security as well. The recent announcement by Saudi Arabia’s Communications and Information Technology Commission (CITC) regarding the implementation of a regulatory framework to improve cybersecurity in the Kingdom confirms that fact. The idea behind the “cybersecurity regulatory framework” for service providers in the postal services, communications, and IT sectors is raising service vendors’ security levels. The framework allows financial institutions with an affiliation with SAMA to identify and address risks relating to cybersecurity. As such, member organizations must adopt the cybersecurity framework to foster online services and information assets protection. Note that the framework aims to periodically evaluate the effectiveness of cybersecurity controls and assess the maturity level at member organizations while comparing the data with other member entities.
Scope
The framework has objectives and principles for improving, initiating, monitoring, implementing, and maintaining cybersecurity controls in member organizations. It also provides cybersecurity controls applicable to the data assets of member organizations. These controls affect;
- Communication networks (technical infrastructure), establishments, and equipment.
•Electronic data.
•Such information storage devices like USB sticks, hard disks, among others.
•Physical documents or hard copies.
•Such electronic machines like ATMs and computers.
•Databases, applications, electronic services, and software.
Applicability
The cybersecurity framework applies to all member organizations that are SAMA affiliates. These include;
- The financial market infrastructure.
•All banks operating within Saudi Arabia.
You also need to understand that the structure of Saudi Arabia’s cybersecurity framework is within four major domains. These are;
- Third-party cybersecurity.
•Cybersecurity governance and leadership.
•Cybersecurity technology and operations.
•Cybersecurity compliance and risk management.
How Does The Cybersecurity Maturity Model Work in KSA?
The measure of the cybersecurity maturity level in KSA is according to a predefined cybersecurity maturity model. The maturity model distinguishes six maturity levels (0 to 5), and any member organization focusing on achieving levels 3, 4, or 5 must meet all the criteria of the preceding maturity levels. Below are details about each of these levels.
a) Level 0 – Non-Existent
- There are no cybersecurity controls in place, and there may be no current plans for implementing cybersecurity controls since the risk area is unknown at this stage.
•Documentation is unavailable.
•Attention or awareness for specific cybersecurity control is lacking.
b) Level 1 – Ad-Hoc
- A full definition of cybersecurity controls is lacking.
•There is partial or no definition of cybersecurity controls.
•The performance of cybersecurity controls is inconsistent.
c) Level 2 – Repeatable But Informal
- Although the execution of the cybersecurity control is standard practice, the basis is unwritten and informal.
d) Level 3 – Structured and Formalized
- Demonstration of the implementation of cybersecurity controls is possible.
•The definition, approval, and implementation of cybersecurity controls is in a formal and structured manner.
e) Level 4 – Managed and Measurable
- Documentation for periodic opportunities, measurement, and evaluations is available.
•There is a periodic assessment of the effectiveness of cybersecurity controls and improvement of the same where necessary.
f) Level 5 – Adaptive
- Cybersecurity controls remain subject to continuous improvement.
Practical Impact of The Cybersecurity Framework
First, understand that the impact of the wide array of Saudi Arabia’s cybersecurity regulations is compliance. That is achievable by considering various practical aspects, including;
Cyber Insurance
Whether cyber insurance or the cybersecurity solution should come first is still a matter of discussion. The reason is that there is less awareness regarding the importance of cyber insurance in the KSA, which is not the case when it comes to the need for having a reliable cybersecurity solution. Also, the market is awaiting an explanation concerning coverage and the role of cybersecurity services vendors in response and vulnerability.
The expectation is that cyber insurance will only develop in the Kingdom according to regulation due to compliance.
Cybersecurity Policies
The development of cybersecurity policies in Saudi Arabia continues in various institutions. The objective is to ensure that establishments have clarity regarding the cybersecurity measures in place. Additionally, the policies differ between stakeholders, industries, and organization structures. As such, the need to retain cybersecurity consultants who shed light on best international practices is becoming paramount.
As much as that is the case, the solution here is adapting international practices to local requirements. Remember that adequate implementation is a necessity when setting a cybersecurity policy. The reason is that officers and directors of particular institutions assume new responsibilities following the implementation of such a policy. So, investment in solutions and talent is inevitable in this case.
Solutions and Talent
The Saudi Federation for Cybersecurity, Programming, and Drones is committing to develop talent. That is due to the surging need for solutions relating to cybersecurity technology, including hardware and vulnerability-related services. Also, international providers of hardware, cybersecurity solutions, and software are now taking on projects in the Saudi market.
That is the case due to the successful attraction of foreign investors by the Saudi Arabian General Investment Authority, access to government tenders, and the existence of procurement law. Although any cybersecurity solution has particular exposures, the emergence of new risks continues to drive increased awareness of the need for cyber insurance.
Conclusion
There appears to be overlapping responsibilities and roles of various regulators when assessing the different initiatives focusing on cybersecurity in the KSA. As such, tolerance in enforcement may accompany over-regulation, and firms with a proven track record in the Saudi market will hardly experience challenges adapting to such changes.
However, there is probably an increasing regulatory risk for multinational players in the KSA regarding cybersecurity. So, taking a slower approach while allowing the cybersecurity framework to develop fully if full compliance is commercially unachievable is a wise idea. Also, regulation support can foster the rapid development of cyber insurance in the Kingdom since compliance appears to be a major driver in this case. if you need more information on the KSA’s cybersecurity framework, contact us today!