Key Takeaways
- In 2025, SAMA levied over SAR 20 million in penalties across more than 50 violations
- The SAMA cybersecurity framework has been mandatory for all Saudi financial institutions since 2017, yet audit failures remain widespread in 2025
- Only 42% of Saudi banks have established the board-endorsed governance structure that SAMA requires
- 65% of banks run legacy systems that block proper Identity and Access Management (IAM) implementation
- The average cost of a financial sector data breach crossed USD 4.88 million in 2024, according to IBM
- Banking and financial services incidents in Saudi Arabia grew by 433% between 2020 and 2024
- SAMA rejects 60% of self-assessments for being incomplete
Introduction
Saudi Arabia’s banking sector saw a 433% rise in cybersecurity incidents between 2020 and 2024. That number is not a warning about what could happen. It is already happening.
SAMA introduced its Cybersecurity Framework in 2017 to give financial institutions a clear set of controls to follow. Eight years later, some of the most critical controls are still being failed at audit. The fines are getting bigger and the attacks more targeted.
Here are the five controls most commonly cited in SAMA compliance failures and why they keep being missed.
- SAR 20M+ in fines issued in 2025
- 433% incident growth
- 42% of banks with board-endorsed governance
- 65% of banks on legacy systems
The Stakes Have Changed And Fines Are Proof
The SAMA Cybersecurity Framework applies to every bank, insurance firm, financing company, and fintech operating under Saudi Central Bank supervision. It covers four domains: Leadership and Governance, Risk Management and Compliance, Cybersecurity Operations and Technology, and Third-Party Cybersecurity.
Institutions must meet defined maturity levels across all domains, verified through annual self-assessments and periodic SAMA inspection visits.
The penalties for missing those levels are no longer symbolic.
In 2025, SAMA levied over SAR 20 million in fines across more than 50 violations. Non-compliance penalties can reach SAR 5 million per breach. Serious cases lead to operational restrictions, public disclosures, and personal liability for executives under Saudi cyber laws.
What the threat environment looks like right now:
- Saudi Arabia recorded 88 ransomware incidents in 2024, with financial services among the top targeted sectors
- About two-thirds of all ransomware attacks in the Middle East target Saudi Arabia and the UAE
- Cybercrime operations in the Kingdom are projected to grow by 15% annually
- The Saudi cybersecurity market was valued at USD 6.94 billion in 2024 and is growing at 17% annually to meet the rising demand for protection
The threat is not hypothetical. And the controls Saudi banks are failing are not edge cases.
The 5 SAMA Controls Where Most Banks Fall Short
Control 1: Board-Level Governance (Control 1.1.1)
SAMA requires a board-endorsed cybersecurity governance structure as the foundation of everything else. That means a formally approved strategy, a Cybersecurity Committee with representatives from all departments, and a CISO who is both a Saudi national and qualified for the role.
Only 42% of Saudi banks currently have this structure in place.
Without board sign-off on Control 1.1.1, SAMA rejects the entire self-assessment. Banks that fail this control cannot progress to any other domain audit. Governance is not a formality here — it is the gate.
What typically goes wrong: Cybersecurity is treated as an IT department issue. Budgets sit inside technology teams with no board visibility. CISOs report into IT leads rather than directly to the board. SAMA’s framework is explicit — cybersecurity must be an enterprise risk, owned at the top.
Control 2: Identity and Access Management (Control 1.3.5)
This is the most technically cited control in SAMA penalty cases. Financial fines for IAM gaps start at SAR 100,000 and escalate from there.
SAMA requires institutions to restrict access to information assets based on a need-to-have or need-to-know basis. That means least privilege access for all users, multi-factor authentication across systems, regular access reviews, and Privileged Access Management (PAM) for sensitive accounts.
65% of Saudi banks run unsupported legacy systems — mainframes and custom payment gateways — that cannot support modern IAM tools. Mixed operating system environments further complicate efforts to meet the hardening standards required.
Remediation for legacy-blocked IAM takes 6 to 18 months on average. In the meantime, banks remain exposed and still subject to SAMA inspection.
Manual access reviews are another recurring problem. Banks on spreadsheet-based processes spend 4 weeks every quarter just completing reviews — and those reviews are still incomplete, outdated, and error-prone by the time they are submitted. Secure.com’s IAM module automates access reviews and integrates with HRMS systems to maintain real-time accuracy, reducing review cycles from weeks to hours while ensuring SAMA audit-readiness.
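To make the access-review requirement concrete, here is an added example (not code from the article or from Secure.com) that reconciles an entitlement export against an HR roster the way an automated quarterly review would: it flags accounts with no active HR owner, privileged accounts without MFA, and reviews older than the assumed 90-day cadence. The roster, entitlements and review window are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    account: str
    system: str
    issue: str

# Constructed HR roster (stand-in for an HRMS export): employee id -> status.
HR_ROSTER = {"E1001": "active", "E1002": "terminated", "E1003": "active"}

# Constructed entitlement export from the bank's systems.
ENTITLEMENTS = [
    {"account": "a.ali", "employee_id": "E1001", "system": "core-banking",
     "privileged": False, "mfa_enabled": True, "last_review": date(2025, 4, 2)},
    {"account": "s.omar", "employee_id": "E1002", "system": "swift-gw",
     "privileged": True, "mfa_enabled": True, "last_review": date(2025, 4, 2)},
    {"account": "svc-batch", "employee_id": None, "system": "mainframe",
     "privileged": True, "mfa_enabled": False, "last_review": date(2024, 11, 1)},
    {"account": "n.hassan", "employee_id": "E1003", "system": "core-banking",
     "privileged": True, "mfa_enabled": False, "last_review": date(2025, 5, 20)},
]

REVIEW_WINDOW_DAYS = 90  # assumption: quarterly review cadence, as in the text
SAMPLE_TODAY = date(2025, 6, 30)  # constructed review date for the sample run

def review_access(roster, entitlements, today):
    """Return findings a reviewer would have to act on before sign-off."""
    findings = []
    for e in entitlements:
        # Orphaned access: leaver, or a service account with no named owner.
        if roster.get(e["employee_id"]) != "active":
            findings.append(Finding(e["account"], e["system"],
                                    "orphaned: no active HR record"))
        # PAM gap: high-privilege account not protected by MFA.
        if e["privileged"] and not e["mfa_enabled"]:
            findings.append(Finding(e["account"], e["system"],
                                    "privileged account without MFA"))
        # Review cadence: last attestation is older than the window.
        if (today - e["last_review"]).days > REVIEW_WINDOW_DAYS:
            findings.append(Finding(e["account"], e["system"],
                                    "access review overdue"))
    return findings

if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ENTITLEMENTS, SAMPLE_TODAY):
        print(f"{f.system:13} {f.account:10} {f.issue}")
```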
Control 3: Third-Party Cybersecurity (Domain 4)
Banks in Saudi Arabia rely on cloud providers, fintech partners, payment processors, and outsourced service vendors. SAMA’s framework extends cybersecurity obligations to all of them.
Every vendor with access to bank data must meet SAMA-aligned security standards. Contracts must include cybersecurity clauses. Banks must retain the right to audit their vendors. If a vendor suffers a breach that affects customer data, the bank is responsible.
This is where many institutions are caught off guard during inspections. A bank can have strong internal controls and still fail Domain 4 because vendor contracts were signed without security clauses, or because third-party risk reviews were never conducted.
Saudi Arabia’s 2025 cyber report noted that ransomware groups specifically targeted third-party portals and remote access gateways to move laterally into bank networks. A weak vendor link negates years of internal security work.
Control 4: Cyber Incident Response (Controls 1.3.14 and 1.3.15)
SAMA requires institutions to have a tested, documented incident response plan. That means the plan must exist, be regularly reviewed, and have been practically exercised — not just written and filed.
Banks without centralized logging infrastructure cannot meet Control 1.3.14, which requires Event Management capability. Secure.com’s Case Management module provides centralized event correlation and SIEM integration, enabling real-time incident detection and automated response workflows that meet SAMA’s Event Management requirements. Organizations running fragmented or siloed security tools often lack the visibility to detect an incident at all, let alone respond to one within SAMA’s required timeframes.
The cost of getting this wrong is concrete. The average cost of a data breach in the financial services sector crossed USD 4.88 million in 2024. Delays in detection and response drive that number higher.
Most small-to-mid-size Saudi banks manage SAMA compliance with 2 to 3 full-time staff covering 47 controls simultaneously. Incident response planning falls behind higher-visibility controls and often exists only on paper.
Control 5: Vulnerability Management (Control 1.3.8 Area)
SAMA requires financial institutions to identify, assess, and remediate vulnerabilities across all infrastructure components — workstations, servers, mobile devices, databases, firewalls, wireless networks, and payment systems.
This includes documented security standards for every infrastructure component, regular vulnerability assessments, and penetration testing. Non-compliance with infrastructure hardening standards is one of the most consistent findings in SAMA audit reports.
The specific problem: Mixed operating system environments make it nearly impossible to apply uniform hardening configurations. Banks running a combination of Windows, Linux, and legacy banking OS environments often cannot achieve the consistent baseline SAMA mandates.
60% of SAMA self-assessments are rejected for being incomplete. A significant number of those rejections are tied to vulnerability management gaps — either missing documentation, incomplete asset inventories, or assessments that were never conducted on all infrastructure types. Secure.com’s Asset Intelligence Program provides agentless asset discovery across cloud, on-premises, and hybrid environments, maintaining a real-time knowledge graph that ensures complete, audit-ready asset inventories for SAMA compliance.
Maturity stays capped at Level 2 for organizations relying on manual processes, while SAMA demands continuous measurement and progressive improvement toward Level 4.
Why These Gaps Stay Open
The five controls above are not secret. They are published, discussed, and audited regularly. So why do so many institutions keep failing them?
Three root causes come up repeatedly:
Legacy infrastructure blocks technical controls. IAM, vulnerability management, and incident logging all require modern systems to work. Banks running decades-old mainframes or custom payment gateways face 6 to 18 months of remediation before they can even install the right tools. Compliance deadlines do not wait for infrastructure overhauls.
Saudi Arabia has a 47% cybersecurity skills gap. The Kingdom does not have enough qualified cybersecurity professionals to staff every financial institution at SAMA’s required levels. Competition from large organizations like Aramco and NEOM means banks often lose skilled hires before they can build team depth. Hiring also takes 6 to 9 months on average in this environment.
Manual processes create a compliance ceiling. Excel-based asset inventories. Spreadsheet access reviews. Paper incident logs. These approaches are not just slow — they physically prevent organizations from reaching the maturity levels SAMA requires. SAMA demands continuous, measurable compliance. Manual systems produce point-in-time snapshots that are outdated the moment they are submitted. Secure.com’s Digital Security Teammates automate evidence collection, maintain continuous compliance monitoring, and provide audit-ready reporting on demand, moving organizations from point-in-time assessments to real-time compliance posture tracking.
What Fixing These Controls Actually Looks Like
Knowing the controls is step one. Fixing them requires a realistic plan.
For governance failures:
Start with a gap assessment that goes up to the board. If the board has not formally approved a cybersecurity strategy, that approval needs to happen before any other domain work begins. SAMA will not process assessments where Control 1.1.1 is incomplete.
For IAM gaps:
Prioritize Privileged Access Management first. Restricting and monitoring high-privilege accounts addresses the highest-risk exposure and demonstrates visible progress to auditors. Automate access provisioning and deprovisioning — manual reviews are too slow and too error-prone to sustain at scale.
For third-party exposure:
Audit existing vendor contracts for security clauses. Any vendor with access to customer data or core banking systems should have a documented security assessment and a right-to-audit clause in their agreement. Run your highest-risk vendors first.
For incident response:
Move to centralized logging before anything else. Without consolidated event visibility, response plans are theoretical. SAMA inspectors look for evidence of actual use — test your response plan at least annually and document the exercise.
For vulnerability management:
Build a complete, current asset inventory. This is the prerequisite for everything else. Banks that cannot list all their infrastructure components cannot assess or remediate vulnerabilities across them. Many organizations use automation to keep inventories accurate in real time rather than updating spreadsheets quarterly. Secure.com’s Asset Intelligence Program, for example, provides agentless discovery and continuous asset classification, reducing manual inventory management time by up to 90% while ensuring 100% asset visibility for SAMA compliance.
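As an added example of the inventory-first approach (not code from the article or from Secure.com), the script below cross-checks a constructed asset inventory against a constructed vulnerability-scanner export: it reports per-component-type coverage, lists assets never scanned or scanned outside the assumed 30-day window, and surfaces scanned hosts that are missing from the inventory, which is the incompleteness SAMA reviewers reject.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed asset inventory, as an agentless discovery export might produce it.
INVENTORY = [
    {"asset_id": "ws-0101", "type": "workstation"},
    {"asset_id": "srv-db-02", "type": "database"},
    {"asset_id": "fw-edge-1", "type": "firewall"},
    {"asset_id": "pay-gw-01", "type": "payment system"},
    {"asset_id": "mf-core", "type": "server"},
]

# Constructed scanner export: last completed scan date per asset.
SCAN_RESULTS = {
    "ws-0101": date(2025, 6, 20),
    "srv-db-02": date(2025, 3, 1),
    "fw-edge-1": date(2025, 6, 25),
    "srv-unknown-9": date(2025, 6, 25),  # scanned, but absent from the inventory
}

MAX_SCAN_AGE = timedelta(days=30)  # assumption: monthly assessment cadence
SAMPLE_TODAY = date(2025, 6, 30)   # constructed reporting date

def coverage_report(inventory, scans, today):
    """Per-type scan coverage plus the hosts that prove the inventory is incomplete."""
    by_type = defaultdict(lambda: {"total": 0, "covered": 0, "gaps": []})
    inventory_ids = set()
    for a in inventory:
        inventory_ids.add(a["asset_id"])
        bucket = by_type[a["type"]]
        bucket["total"] += 1
        last = scans.get(a["asset_id"])
        if last is None:
            bucket["gaps"].append((a["asset_id"], "never scanned"))
        elif today - last > MAX_SCAN_AGE:
            bucket["gaps"].append((a["asset_id"], f"stale scan ({(today - last).days} days)"))
        else:
            bucket["covered"] += 1
    # Anything the scanner knows about that the inventory does not is a finding.
    unknown = sorted(set(scans) - inventory_ids)
    return dict(by_type), unknown

if __name__ == "__main__":
    report, unknown = coverage_report(INVENTORY, SCAN_RESULTS, SAMPLE_TODAY)
    for kind, r in report.items():
        print(f"{kind:15} {r['covered']}/{r['total']} covered  gaps={r['gaps']}")
    print("not in inventory:", unknown)
```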
FAQs
What is the SAMA Cybersecurity Framework?
What happens if a Saudi bank fails a SAMA cybersecurity audit?
How often do Saudi banks need to submit SAMA compliance assessments?
What is the minimum maturity level SAMA requires for Saudi banks?
Conclusion
The SAMA Cybersecurity Framework is not difficult to understand. The five controls outlined here are clearly documented, consistently audited, and repeatedly cited in penalty actions. The challenge is not knowing what SAMA wants — it is building the systems, teams, and processes to deliver it consistently.
Saudi Arabia’s banking sector is growing fast. Digital banking adoption is expected to rise 16.7% between 2024 and 2028. The attack surface grows with it, and SAMA’s enforcement is tracking that growth closely.
Banks that have been treating compliance as an annual paperwork exercise are running out of runway. The institutions pulling ahead are the ones treating SAMA’s framework as an operational standard, not a checklist.