SUMMARY: The SAMA Cyber Security Framework sets clear expectations for how Saudi Arabia’s financial institutions must use encryption to protect sensitive data. This guide explains how SAMA defines cryptographic controls, why strong key management matters and how tools such as BestCrypt support compliant endpoint protection. You will also find three practical steps to help your organization understand its data, stay organized and select the right encryption methods to meet SAMA requirements.
Do you know about the new regulations introduced by the Saudi Arabian Monetary Authority (SAMA)? If your company or organization is based in Saudi Arabia, then you should! Here you will learn what the SAMA regulations are and what they have to say about ‘Cryptography’. We will then share 3 steps on how you can build a successful strategy to comply with SAMA encryption requirements.

SAMA in a Nutshell
- When?
The SAMA regulations were passed in May 2017.
- What?
The regulations are laid out in the Cyber Security Framework that was released by the Saudi Arabian Monetary Authority (SAMA). Objectives of the framework:
1. Create a common approach for addressing cyber security.
2. Achieve an appropriate maturity level of cyber security controls.
3. Ensure cyber security risks are effectively managed.
- Who?
The SAMA regulations are mandatory to follow for all financial institutions that operate in Saudi Arabia, including:
– Banks
– Insurance and reinsurance companies
– Financing companies
– Credit bureaus
– The Financial Market Infrastructure
What Does SAMA Say about Encryption Requirements?
In short, the SAMA regulations state that cryptographic solutions must be defined, approved, and implemented by member organizations. Companies must also take responsibility for the management of encryption keys, including lifecycle management, archiving, and recovery. The points below, quoted from the framework, provide a closer look at what the regulations say about encryption.
Section 3.3.9, “Cryptography”
- Organizations must define, approve, and implement the use of a cryptographic solution.
- Cryptography is necessary for ensuring that the “integrity of sensitive information is protected, and the originator of communications or transactions can be confirmed”.
- “The effectiveness of the cryptographic security controls should be measured and periodically evaluated”.
- Cryptographic solutions should involve the “management of encryption keys, including lifecycle management, archiving, and recovery”.
How to Prepare for SAMA Compliance
Complying with SAMA encryption requirements doesn’t have to be difficult. Just follow these 3 steps and make sure that your organization is compliant both now and in the future.
- Understand where your data resides
First, make sure you know where your data is saved. Monitor your data flow and keep track of where your information is stored, as well as how it’s being accessed and shared. Awareness of where your data is located will make it simpler to set up an encryption plan that takes all of your data into consideration.
- Classify and get organized
Build a data inventory by arranging your information in order of importance and risk. You should also consider putting someone in charge of data protection. Having a member of the team that’s formally dedicated to data protection will let your customers (and compliance officers) know that you are committed to protecting their sensitive information.
- Use the right tools
What kind of data do you need to encrypt? Answering this question will help you decide what type of encryption software your company should use. For example, if you want to make sure your data is secure if one of your devices is stolen or lost, you should use whole disk encryption to protect complete hard drives. On the other hand, if you want to protect a device that’s in use, you should invest in software that encrypts selected files. Finally, if you are concerned about data in transit, you should use an application that provides end-to-end encryption.
How Encryption Works
The best encryption solution for your organization is a complete data protection program. Data encryption uses well-studied algorithms to scramble your sensitive information into data that is indistinguishable from random characters. Only by using the matching key, which in endpoint tools is typically protected by a password, are you able to convert your data back into the original text.
Want to learn more about encrypting data and how encryption works? Check out our ultimate guide.
Frequently Asked Questions (FAQs)
All financial institutions operating in Saudi Arabia must follow SAMA regulations. This includes banks, insurance and reinsurance companies, financing companies, credit bureaus and financial market infrastructure entities. Organizations that outsource IT services must also ensure their providers meet SAMA requirements.
SAMA requires organizations to define, approve and implement cryptographic solutions that protect sensitive data. This includes full lifecycle management of encryption keys from creation and distribution to archiving and recovery. Companies are responsible for ensuring their encryption practices align with SAMA’s security controls and risk management objectives.
Begin by mapping where data resides and classifying it by sensitivity. Jetico’s discovery features help you locate and categorize data across all systems, making it easier to apply the right encryption controls and avoid gaps.
BestCrypt Volume Encryption protects stored data on laptops and desktops if a device is lost or stolen. For encrypting selected files or applying more granular controls, BestCrypt Container Encryption is suitable. These tools support SAMA’s focus on strong cryptography, proper key management and secure handling of sensitive information.
No. Encryption prevents unauthorized access to active data, but it doesn’t remove information that no longer needs to be kept. For retired devices or outdated files, secure wiping tools such as BCWipe permanently erase data so it can’t be recovered. Wiping complements encryption and supports strong long-term compliance.