Advisory: The Importance of Cybersecurity in Capital Market Institutions: A Review of Saudi Arabia CMA Cybersecurity Guidelines

According to the cybersecurity index in the World Competitiveness Yearbook (WCY) for 2022, published by the Swiss-based International Institute for Management Development (IMD), Saudi Arabia ranked second in cybersecurity. This standing reflects the sustained adoption of cybersecurity practices across national technology entities, supported by government and sector regulators that publish cybersecurity frameworks and guidelines to help the institutions they oversee counter growing cyber threats. The Capital Market Authority (CMA) is one such regulatory body.

The Capital Market Authority (CMA) is the principal regulator of the Saudi capital market. The CMA, which has its main office in Riyadh, regulates the Saudi capital markets and supervises the Saudi stock market. The body also enforces laws to protect investors and maintain stability in the Saudi capital markets.

By promoting stringent cybersecurity measures for all institutions that participate in the market through standards such as the Cybersecurity Guidelines for Capital Market Institutions, the CMA helps to maintain market stability.

The CMA cybersecurity guidelines consist of the following four security domains:

  • Cybersecurity governance
  • Cybersecurity risk management, review, and audit
  • Operational cybersecurity controls
  • Third-party cybersecurity.

Each domain is divided into a number of subdomains, each with its own set of security goals and controls. All capital market institutions can develop a comprehensive cybersecurity program within their organization by using the security guidelines provided by these four primary domains.

Why do Capital Market Institutions Need This Cybersecurity Framework?

While many capital market participants acknowledge the need for cybersecurity regulation in the sector, many remain skeptical about whether implementing such detailed requirements is worth the effort.

The financial sector has grown increasingly digitalized, making it a more attractive target for cybercriminals. Resilient cybersecurity is therefore required to protect both the assets and data of financial institutions and the money and information of their clients. The following examples illustrate why capital market institutions need cybersecurity policies and guidelines.

Remote Work

In the current digital era, and particularly since the Covid-19 pandemic, businesses from all sectors have accepted remote work as the norm for their employees. While this gives the company more flexibility and a better work environment, it also raises the risk of a cyberattack. Employees may connect to the company's internal systems from a compromised endpoint or over public Wi-Fi, giving attackers a path into the network. To safeguard the valuable data and assets of capital market institutions against such attacks, the organization must implement cybersecurity practices that do not depend on the network an employee happens to be using (managed endpoints, multi-factor authentication and encrypted remote-access channels), together with security awareness training that encourages employees to remain security-conscious regardless of where they work from or how they connect to their work environment.

Fraud and Identity Theft

Fraud is not uncommon in the financial industry. With the large volume of monetary value transacted in the capital market, the risk of fraud is high and is further enabled by technology. Capital market institutions must implement cybersecurity measures such as multi-factor authentication (MFA) to reduce impersonation, and must educate their customers on the techniques threat actors use to steal identities and login credentials (phishing, credential reuse, social engineering) and on how to avoid becoming a victim.

Adoption of Cloud Computing

Everyone is moving to the cloud. The cloud offers the flexibility and scalability capital market institutions need to offer seamless solutions to their clients, but it also exposes them to new attack surface. Under the shared responsibility model, the cloud provider secures the underlying infrastructure, while the institution remains responsible for the security of its own applications, data, identities and configuration. This responsibility requires deliberate effort by the organization to secure these critical business assets through role-based access control, the least-privilege principle, and other cybersecurity practices.
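The least-privilege principle mentioned above is easiest to see on a concrete access policy. The following Python script is an added example, not code from the CMA guidelines or from any cloud provider: it lints two constructed IAM-style JSON policy documents (the weak, wildcard policy beside a scoped one) and reports grants that violate least privilege. The policy format, resource names and the list of high-risk actions are assumptions chosen for illustration.

```python
import fnmatch
import json

# Constructed sample policies (hypothetical IAM-style JSON, not from the page).
# The first grants every action on every resource; the second is scoped to what
# a report-reader job actually needs.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
})

LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::trade-reports-prod",
                      "arn:aws:s3:::trade-reports-prod/*"]},
        {"Effect": "Allow",
         "Action": ["sqs:SendMessage"],
         "Resource": "arn:aws:sqs:me-south-1:123456789012:settlement-queue"}
    ]
})

# Assumed set of actions that allow privilege escalation or irreversible
# destruction; flagged even when they are scoped to a single resource.
HIGH_RISK_ACTIONS = {
    "iam:*", "iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:PassRole", "s3:DeleteBucket", "kms:ScheduleKeyDeletion",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[str]:
    """Return least-privilege findings for an IAM-style policy document.

    An empty list means no wildcard or high-risk grant was found.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: Action '{action}' grants a whole service")
            # Glob match so that e.g. 'iam:*' in the policy is caught by the 'iam:*' entry
            if any(fnmatch.fnmatchcase(action, risky) for risky in HIGH_RISK_ACTIONS):
                findings.append(f"statement {i}: high-risk action '{action}'")
        for resource in resources:
            if resource == "*":
                findings.append(f"statement {i}: Resource '*' applies to every resource")
                if "Condition" not in stmt:
                    findings.append(f"statement {i}: wildcard resource has no Condition")
    return findings


def is_least_privilege(policy_json: str) -> bool:
    """True when the linter finds nothing to report."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)):
        print(name, "->", lint_policy(doc) or "OK")
```

Run against the two constructed policies, the wildcard policy produces findings for its action and resource while the scoped policy passes; in practice the same check would run in CI against every policy before it is deployed.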

Disruption of Business Activities

In the event of a cyberattack, no one knows in advance how long it will take to restore systems to normal operation. Threats are constantly present and evolving in sophistication, making it difficult to detect attacks that can disrupt business operations for an extended period. Financial institutions cannot afford to be complacent. To ensure prompt and effective response and recovery, capital market institutions must remain vigilant and implement effective technology risk management practices as well as robust, regularly tested business continuity plans. Adopting a well-established cybersecurity framework such as the CMA Cybersecurity Guidelines gives the institution a defined incident response and recovery process, so that root-cause analysis and restoration can proceed quickly rather than being improvised under pressure.

Protection of the Institution's Assets

Capital market institutions typically hold billions of dollars in monetary and tangible assets. To provide its services, a typical capital market institution relies on a variety of tools and technology, including laptops, desktop computers, and local and remote servers. A single severe cyberattack can bring all of these systems to a halt and disrupt business operations for an indefinite period. To protect the organization's assets from crippling attacks, cybersecurity measures such as firewalls, network segmentation, endpoint protection and tested backups must be integrated into its systems.

Gaining and Sustaining Public Trust

Past records of cyberattacks taint an organization’s public image. Customers begin to consider taking their business elsewhere when they believe their personal information and financial assets are not secure. To maintain and strengthen public trust in the capital markets, market participants must incorporate cybersecurity practices into their workflows.

Although putting cybersecurity practices in place does not guarantee that a system is 100% safe from cyberattacks, it gives customers confidence that the company's systems are resilient and that the company has taken reasonable precautions to protect their data, including in the event of a successful attack.

Conclusion

Cybersecurity is not restricted to IT organizations; it is vital for every digital business. For capital market institutions and the wider financial industry, it is even more critical. It is therefore imperative that capital market institutions adopt protective security practices to safeguard their data and systems against cyberattacks. Given the current threat landscape, capital market institutions should no longer be questioning the necessity of cybersecurity, but asking how they can ensure that their practices and organizational workflows comply with established cybersecurity guidelines such as the CMA Cybersecurity Guidelines.