The financial industry in Saudi Arabia is evolving rapidly, and accelerating digitalization brings more advanced cyber-attacks with it. To address this, the Saudi Central Bank (SAMA) established Minimum Verification Controls (MVC) and Cyber Resilience Fundamental Requirements (CRFR) to strengthen and support the SAMA Cyber Security Framework (SAMA CSF). These are mandatory standards that set a consistent minimum level of security control and ensure that institutions can withstand, respond to, and recover from cyber incidents. Failure to comply exposes financial organizations to regulatory fines, increased cyber threats, and business disruption. In this blog, we discuss how SAMA CSF, MVC, and CRFR work together to raise the security level and build resilience within the financial sector.
Understanding MVC and CRFR
SAMA designed MVC and CRFR to address two complementary aspects of cybersecurity: prevention and resilience.
Minimum Verification Controls (MVC)
These are regulations that specify in detail the compulsory technical and procedural cybersecurity controls that every regulated institution must implement, irrespective of its size or business model. The major areas covered are Identity and Access Management, network and endpoint security, data protection, logging and monitoring, vulnerability management, and incident response.
Cyber Resilience Fundamental Requirements (CRFR)
The Cyber Resilience Fundamental Requirements (CRFR) focus on ensuring operational continuity even during cyber disruptions. CRFR strengthens an institution's ability to withstand, respond to, and recover from incidents that could otherwise interrupt critical services. In short, MVC secures systems, while CRFR ensures that organisations can keep operating and recover effectively when an incident occurs. Both MVC and CRFR are mandatory requirements under SAMA, so every regulated entity must maintain strong protection as well as operational resilience.
Integration of MVC and CRFR within the SAMA CSF
SAMA CSF consists of four domains: Governance, Risk Management, Operations & Technology, and Third-Party Security. MVC and CRFR strengthen these domains rather than replace them.
MVC Improvements:
- Identity and access management: MFA, least-privilege access, regular access reviews, and the removal of inactive or shared administrator accounts.
- Network security: segmentation, firewalls, IDS/IPS, and secure network configurations.
- Data security: encryption of data at rest and in transit, secure key management, data loss prevention controls, and backup integrity controls.
- Monitoring and detection: SIEM configuration, 24/7 monitoring, alerting on irregular activity, and log retention policies.
These Minimum Verification Controls (MVC) measures standardise minimum security across all financial institutions.
CRFR Enhancements:
CRFR expands the domain of Cyber Resilience to require institutions to prepare for cyber-specific crises such as ransomware attacks, insider threats, DDoS attacks, and cloud service disruptions. Requirements include:
- Recovery Strategies: Defined RTO/RPO, isolated backups, and testing restoration.
- Crisis Management and Communication: Coordination among IT, cybersecurity, operations, legal, compliance, senior management, and external stakeholders.
- Cyber Simulations: Tabletop exercises, failover testing, ransomware remediation drills, and communication exercises.
By integrating MVC and CRFR, SAMA ensures all financial institutions maintain baseline security while developing robust operational resilience. This integration also promotes sector-wide standardisation and coordinated incident response.
Steps to Align with SAMA CSF, MVC, and CRFR
SAMA CSF combines Minimum Verification Controls (MVC) and Cyber Resilience Fundamental Requirements (CRFR) because it incorporates both technical security controls and sound operational resilience practices. MVC defines the minimum controls that every financial institution must have in place, and CRFR ensures that organisations can keep functioning and recover quickly from cyber disruptions. Together they form a single framework that enhances both protection and resilience within the financial sector of Saudi Arabia.

- Conduct a Gap Assessment: Measure your current maturity level against the SAMA CSF, Minimum Verification Controls (MVC) and Cyber Resilience Fundamental Requirements (CRFR). Identify the missing components in technical controls, recovery plans and governance procedures.
- Establish Clear Policies: Establish requirements of technical controls, recovery roles, governance design, vendor management, cloud operations, monitoring, and reporting.
- Include CRFR in the Resilience Planning: Add CRFR requirements to the business continuity (BCP) and disaster recovery (DR) programs. Be ready to deal with ransomware attacks, develop isolation policies, develop incident communication, and test backup restoration to make it reliable.
- Enhance Security Controls to Meet MVC Standards: Deploy and maintain strong cybersecurity measures, including patch management, endpoint hardening, Privileged Access Management (PAM), vulnerability scanning, SIEM tuning, MFA, and secure administrator workstations. These should be able to meet the MVC criteria.
- Enforce Compliance for Vendors and Cloud Providers: Ensure that third-party vendors and cloud partners comply with MVC and CRFR. Review their data portability commitments, recovery plans and SLAs.
- Test and Monitor Continuously: Run CSF control tests, disaster recovery, red-team, and threat-hunting exercises periodically. Maintain dashboards for real-time visibility and provide regular updates to the risk committee.
Common Pitfalls
Many organizations struggle to implement SAMA CSF, MVC and CRFR successfully, not for lack of policies, but because of poor execution. The most frequent pitfalls are:
- Treating MVC as Optional or Flexible
The most widespread misconception is that MVC applies only to larger organizations or can be implemented in phases. In reality, MVC are mandatory minimum controls, and treating them as optional results in inconsistent enforcement and widening security gaps between systems.
- Emphasizing paperwork over practical security execution
Some institutions produce detailed documents, such as policies, procedures and compliance reports, but never translate them into technical implementation. This creates an illusion of compliance: the controls exist on paper but are not practised.
- Excluding cyber resilience in the BCP and DR plans
BCP/DR frameworks commonly focus on natural disasters or infrastructure failures, while cyber-specific disruptions such as ransomware, DDoS attacks, or data corruption are left out. Without CRFR-driven scenarios, an organization is not prepared for current cyber threats.
- Depending too heavily on vendor guarantees
Organizations sometimes rely on vendor certifications or other external attestations without verifying them through an assessment, technical test, or SLA review. This creates blind spots, particularly in cloud, payment and outsourced service environments.
- Maintaining backups that are never tested for recovery
Backups exist, but few, if any, full restoration tests are performed. This is a severe vulnerability during a ransomware attack or system outage, when untested backups may turn out to be corrupt, outdated, or unusable.
- Treating resilience as solely an IT responsibility
Cyber resilience demands cross-functional coordination among operations, legal, compliance, business units, and executive leadership. Leaving it to IT alone deprives organizations of important communication, decision-making, and governance layers during an incident.
- Missing cyber-specific training or weakening oversight
Most institutions perform only generic DR drills, or skip red-team exercises because they find them complex. Similarly, monitoring systems such as SIEM can be improperly configured and generate noise rather than actionable alerts. As a result, institutions cannot test the real-world effectiveness of their controls. Keeping these areas current helps meet requirements, strengthens resilience, and lowers the chance of cyber mistakes.
Final Thoughts
Bringing together SAMA CSF, MVC, and CRFR is more than a compliance requirement; it is a practical strategy for cybersecurity and resilience. MVC covers your technical defenses, and CRFR supports continuity and recovery. Combined, they create a strong framework that helps your organization manage disruptions, build customer trust, and maintain smooth operations. When you unify your approach, monitor your systems, and test your defenses, compliance becomes less of a burden and begins to benefit you.
Achieving compliance with SAMA CSF, MVC, and CRFR requires more than policies; it demands proper implementation, continuous monitoring, and resilience testing. Partner with ValueMentor to get support with assessments, implementation, red team exercises, cyber resilience planning and ongoing advisory services.
FAQs
1. What is SAMA MVC?
Minimum Verification Controls (MVC) are a set of compulsory minimum controls over cybersecurity, set forth by SAMA. They ensure a uniform and minimum level of security for all financial institutions.
2. How do MVC and CRFR differ?
MVC focuses on minimum mandatory controls for identity verification and authentication to prevent unauthorized access. CRFR focuses on cyber resilience, ensuring continuity and recovery of critical services during and after cyber incidents.
3. Should every SAMA institution implement MVC?
Yes, every entity regulated by SAMA must implement MVC. There are no exemptions based on size or complexity.
4. What is the frequency of compliance checking?
Compliance should be assessed at least annually and additionally whenever significant system, architectural, or operational changes occur.
5. Are MVC and CRFR applicable to vendors and cloud providers?
Yes, third-party vendors and cloud partners are required to comply with equivalent requirements. Institutions must verify that conformity themselves rather than rely on certification alone.
6. What is the result of not achieving MVC or CRFR in an institution?
Non-compliance can result in regulatory penalties and exposure to more cyber threats. It can also lead to operational disruption during incidents.
7. Why is MVC helpful in the implementation of SAMA CSF?
MVC reinforces the technical controls that are needed in the SAMA CSF domains. This assists the institutions in having uniform cybersecurity governance and practices.
8. Why is CRFR relevant to threats such as ransomware?
CRFR requires validated backups, effective communication, and rapid recovery. These elements are critical to surviving ransomware attacks.
9. Are MVC and CRFR optional or risk-based?
No. Both MVC and CRFR are mandatory for in-scope institutions. They define minimum requirements and are not optional, phased, or maturity-based.
10. What is the benefit of SAMA CSF to the industry in terms of cybersecurity?
It establishes common security and resilience standards across all institutions, which supports consistent incident responsiveness and overall cyber maturity.