Cyber Security Challenges Facing KSA's Financial Services

Ahmad Al Zoubi
As Saudi Arabia moves towards an age of increased digital participation, local financial institutions have begun to digitise their services to keep up with the global trend. While this shift towards modernisation offers vast potential benefits for businesses and consumers alike, it also introduces new cyber security risks, which must be addressed.

For the financial industry, the stakes are high. Financial institutions are a prime target for cybercriminals because of the wealth of personal and financial information they hold. Additionally, the financial sector is intricately linked with other parts of the economy, making a successful cyberattack highly disruptive.

The Importance Of Cyber Security In The Financial Industry

In a recent report by the Ponemon Institute, it was revealed that the global rate of cyberattacks in the financial services industry is higher than in any other industry, with costs reaching $18.3 million annually per company. To compound the issue, Saudi Arabia has been a prominent target of cybercriminal activity over the past decade. Recent research conducted by IBM revealed that the cost of data breaches in Dubai and Saudi Arabia rose by 6% during the pandemic, costing businesses an average of $6.93 million per individual breach.

This rise in cost can be attributed to several factors, most notably the switch to remote work. However, the pandemic also saw an enormous rise in e-commerce activity and increased adoption of financial technology. As many financial institutions seek to offer their customers the convenience of online and mobile banking, a lack of operational planning has made Saudi Arabia's financial sector particularly vulnerable to cybercrime.

How Financial Institutions Can Protect Themselves From Cyber Threats

Financial institutions must take several steps to protect themselves from cyber threats. The first entails conducting a risk assessment to identify the business areas that are most vulnerable to attack. Once these areas have been identified, mitigating measures can be put in place. This assessment should be carried out by a team of experts with experience in both cyber security and the financial industry.

To protect data, financial institutions should implement robust identity and access management controls. These controls should include multi-factor authentication, password management, and activity monitoring. In addition to this, sensitive data should be encrypted both at rest and in transit.

Financial institutions should also have a dedicated cyber security resource in place to monitor and respond to threats in a timely manner. These individuals should be equipped with the latest security tools and be familiar with the current tactics of cybercriminals. Finally, financial institutions need to have a disaster recovery plan in place in case of a cyberattack. The plan should include procedures for restoring data and systems should they be compromised.

Key Cyber Security Regulations & Legislation In KSA

The regulatory environment for cyber security in Saudi Arabia is still developing. In April 2017, the Saudi Arabian Monetary Authority (SAMA), now known as the Saudi Central Bank, announced the introduction of version 10 of its Cyber Security Framework to address the vulnerabilities of the financial sector.

To comply with the requirements of this framework, financial institutions must deploy a board-endorsed, clearly defined cyber security governance structure to lead the management of all cyber security risks. The framework also requires financial institutions to develop a clear cyber security policy, in line with best practices, to ensure compliance with regulatory and contractual obligations.

Financial institutions should also be aware of Saudi Arabia's new Personal Data Protection Law, which contains provisions relating to the processing of personal data and the protection of privacy. The law came into effect in March 2022 and applies to any company or organisation that collects, processes, or uses the personal data of Saudi residents. Under this new law, data controllers must register with the Saudi Data and Artificial Intelligence Authority (SDAIA) and pay an annual fee. Additionally, any foreign company that collects or handles the data of Saudi residents, even if it has no legal presence in the Kingdom, must now appoint a local representative who is licensed and registered with the SDAIA. Those who fail to comply with these regulations and do not take the correct precautions to protect personal data from a potential breach may face up to two years' imprisonment and fines of up to SAR 5 million.

In light of these new regulations, financial institutions should ensure that they have adequate policies and procedures in place to protect the data of their customers and the security of their digital systems. The digital landscape is constantly evolving, and financial institutions must now take a more proactive approach to cyber security.

To discuss your cyber security requirements, contact Ahmad Al Zoubi.