SAMA MVC refers to the Saudi Arabian Monetary Authority (SAMA) Cybersecurity Framework, previously known under the regulatory body SAMA, which is now called the Saudi Central Bank. It applies primarily to financial institutions in Saudi Arabia.
What is SAMA Cybersecurity Framework (SAMA MVC)?
SAMA MVC stands for:
-
SAMA – Saudi Arabian Monetary Authority
-
MVC – Minimum Cybersecurity Controls
It's a regulatory framework that sets minimum cybersecurity requirements for all financial institutions regulated by SAMA, including:
-
Banks
-
Insurance companies
-
Finance companies
-
Credit bureaus
Goals of the SAMA MVC Framework:
-
Establish a baseline for cybersecurity controls across all financial entities.
-
Improve the cyber resilience of Saudi Arabia's financial sector.
-
Align with international best practices (e.g., NIST, ISO 27001, etc.).
-
Ensure continuous risk assessment and improvement.
Core Domains of SAMA MVC:
The framework is divided into 6 main domains and over 100 controls, which cover:
-
Cybersecurity Governance
-
Risk Management
-
Cybersecurity Operations
-
Technology and Third-Party Security
-
Cybersecurity Resilience
-
Cybersecurity Compliance
Each control is marked as either:
-
Mandatory (M) – must be implemented.
-
Advisory (A) – recommended, but not strictly enforced.
Why It Matters:
-
Compliance is mandatory for all regulated financial entities.
-
Failure to comply can result in penalties, increased scrutiny, or even regulatory action.
-
It’s often used as a benchmark for gap assessments in the region.