SAMA CRFR stands for the Saudi Central Bank (SAMA) Cyber Resilience Framework for Regulated Entities.
What is SAMA CRFR?
The Cyber Resilience Framework for Regulated Entities (CRFR) is a regulatory guideline introduced by SAMA (Saudi Central Bank) to strengthen the cyber resilience of financial institutions in Saudi Arabia.
While the SAMA Cybersecurity Framework (MVC) focuses on baseline cybersecurity controls, CRFR goes further—it emphasizes resilience, which means the ability to prepare for, respond to, and recover from cyber disruptions.
Key Objectives of SAMA CRFR:
- Enhance operational resilience in the face of cyber threats.
- Ensure that critical financial services can continue during and after cyberattacks.
- Promote a sector-wide approach to cyber resilience.
- Improve incident response, recovery, and continuity planning.
Core Components of the CRFR:
While the full framework includes detailed guidance, the main themes typically include:
- Cyber Resilience Governance
  - Board and executive oversight
  - Cyber risk ownership and accountability
- Resilience Strategy & Architecture
  - Business Continuity Planning (BCP)
  - IT and cyber architecture for redundancy and failover
- Cyber Incident Response & Recovery
  - Incident response planning
  - Crisis management
  - Communication protocols
- Testing & Assurance
  - Regular cyber drills and tabletop exercises
  - Scenario-based testing
- Third-Party Resilience
  - Ensuring that vendors and partners meet resilience standards
- Continuous Improvement
  - Lessons learned from incidents
  - Maturity assessments and risk re-evaluations
Who Must Comply?
All financial institutions regulated by SAMA, including:
- Banks
- Insurance companies
- Financing companies
- Money exchange houses
- Credit bureaus
Key Difference:
| Aspect | SAMA MVC (Cybersecurity Framework) | SAMA CRFR (Cyber Resilience Framework) |
|---|---|---|
| Focus | Security controls and hygiene | Operational resilience and continuity |
| Goal | Protect systems and data | Ensure continuity of services despite attacks |
| Nature | Prescriptive (what controls to implement) | Strategic (how to prepare and recover) |