Published: Mar 20, 2018

Managing software risk in the Kingdom of Saudi Arabia

Investment in technology

According to a report from the Communications and Information Technology Commission (CITC), as of 2014 information and communication technology (ICT) investment in the Kingdom of Saudi Arabia totalled SAR 17.83 billion ($4.75bn). A large proportion of this investment goes into third-party software as well as systems developed in-house.

The Kingdom, like the rest of the GCC, has a well-established ICT market across a number of key industries. Given how much organisations spend on business software, it is critical to consider how the Kingdom’s organisations can protect that investment through a confident, consistent and robust approach to mitigating the risks of technology use. Across different sectors, protecting these software investments is increasingly important to safeguard critical national infrastructure, support the growth of the FinTech economy, and meet financial regulatory requirements.

Infrastructure projects

Infrastructure projects within the Kingdom are at an all-time high, with mega-projects becoming heavily reliant on technology. In line with the Kingdom’s Vision 2030, technology initiatives cover not only the implementation phase but also the ongoing operation of services such as trains and metro systems. A system such as Riyadh Metro highlights how central software has become to these large-scale infrastructure projects. The planned six-line, 85-station metro network will require a whole host of complex systems to run metro services, including supervisory control and data acquisition (SCADA), communications and CCTV; the loss of any of these services would be catastrophic.

FinTech growth

FinTech sits at the intersection of the financial services and technology sectors, where both tech-focused start-ups and the traditional financial services sector provide innovative products and services.

The priority given to technological development in the Kingdom’s Vision 2030 strategy has also raised the need to protect its online infrastructure and systems, including through software escrow agreements and business continuity measures. It is therefore crucial that any deployment of a third-party application undergoes a formal risk assessment to determine what levels of protection and testing are necessary.

Only with a standardised selection methodology can an organisation ensure it has the appropriate continuity solution for every application. By implementing a policy agreed with its software vendors, an organisation can provide clear guidelines throughout the business on how to protect its applications and data effectively.

Financial Regulation and Compliance

The Saudi Arabian Monetary Agency (SAMA) is the central bank and the supervisor of commercial banks in the Kingdom. SAMA has published rules and guidance for its regulated entities covering topics such as outsourcing requirements and business continuity.

Regulatory guidelines currently in place, such as the E-Banking Rules, set out organisations’ responsibilities for managing risk and for ensuring that neither financial institutions nor their customers are exposed to the risk of vendor failure. The E-Banking Rules include requirements such as Principle 13, which states: “Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.”

The requirements for Business Continuity Management include: business continuity and risk assessment; developing and implementing continuity plans; and testing, maintaining and re-assessing business continuity plans.

For many financial institutions, escrow agreements, documentation and verification of build processes, and disengagement services have become integral to ensuring business continuity.

Regulation Best Practice

NCC Group and the lawyers of Al Tamimi & Company recognise the importance of regulatory compliance and the need to have a business continuity solution in place with vendors and service providers from the outset. Our extensive experience with numerous organisations across the region has given us valuable insight into the type of software escrow solutions our customers in the Kingdom need.

Our experience and research show that, as best practice, escrow should be implemented to mitigate the risk of a bank losing access to software, or to a ‘Software-as-a-Service’ (SaaS) arrangement, that is fundamental to its operation; and that verification exercises form an integral part of business continuity for the ongoing maintenance and support of a critical application or system.

Consider Your Risk Level

The level of risk that organisations are exposed to will depend on a number of factors.

To ascertain its level of exposure, an organisation must implement a robust risk assessment model that takes into account issues such as:

  • The solvency of third-party vendors of critical software, with consideration given to regional regulations. This may involve requiring prospective software vendors to complete IT questionnaires to flush out key risks;
  • The financial or reputational loss associated with the discontinuation of critical solutions and systems, resulting in compromised services;
  • Whether sufficient protection is provided over the intellectual property rights needed to access and use the source code of applications that are critical to business operations;
  • Whether alternatives to critical systems and applications exist or have been identified and, if so, whether application and system risk is mitigated during any transition period to those alternatives;
  • The degree of knowledge retention with regard to the development of in-house applications and systems;
  • Whether application build and deployment processes are documented to the required standard in order to safeguard against the loss of key staff.

The output of a clearly defined risk assessment will determine which plans need to be put in place to deal with the failure of a third-party software vendor or service provider.

Organisations should confirm that build processes are well documented, that the source code has been validated and verified, and that organisation-specific data can be extracted if things go wrong.

A collaborative piece by NCC Group and Al Tamimi & Company, co-authored by:

Alex McCulloch, General Manager at NCC Group Middle East, and Haroun Khwaja, Senior Associate, Technology, Media & Telecommunications at Al Tamimi & Company.

References

* http://www.sama.gov.sa/en-US/Laws/BankingRules/E_banking_Rules.docx

Source: http://www.itp.net