Investment in technology
According to a report from the Communications and Information Technology Commissions (CITC), as of 2014, information and communication technology (ICT) investments in the Kingdom of Saudi Arabia totalled SAR 17.83 billion ($4.75bn). A large proportion of this investment is being made in both third-party software and systems developed in-house.
The Kingdom, similar to the rest of the GCC, has a well-established ICT market across a number of key industries. Given that organisations are spending so much on their business software, it is critical to consider how the Kingdom’s organisations can protect such investments to ensure a confident, consistent and robust approach to risk mitigation for technology use. Across different sectors, protecting these software investments is increasingly important to safeguard critical national infrastructure, support the growth of the FinTech economy, and meet financial regulatory requirements.
Infrastructure projects
Infrastructure projects within the Kingdom are at an all-time high, with mega-projects becoming heavily reliant on technology. In line with the Kingdom’s Vision 2030, tech initiatives are in place not only for the implementation process but also for the ongoing running of services such as trains and metro systems. A system such as Riyadh Metro highlights how central software has become to these large-scale infrastructure projects. The planned six-line, 85-station metro network will require a whole host of complex systems to run metro services, such as supervisory control and data acquisition (SCADA), communications and CCTV, with any loss of these services being catastrophic.
FinTech growth
FinTech currently sits within the financial services and technology sectors, where tech-focussed start-ups and innovative products and services are currently provided by the traditional financial services sector.
The prioritisation of technological development in Saudi’s Vision 2030 strategy has also raised the need to protect its online infrastructure and systems, including the need for software escrow agreements and business continuity measures. It is therefore crucial that any implementation of a third-party application undergoes a formal risk assessment to determine what levels of protection and testing are necessary.
Only with a standardised selection methodology can an organisation ensure they have the appropriate continuity solution for all applications. By implementing a policy in agreement with software vendors, organisations can provide clear guidelines throughout the business on how to protect its applications and data effectively.
Financial Regulation and Compliance
The Saudi Arabian Monetary Agency (SAMA) is the central bank and supervisor for commercial banks in the Kingdom. SAMA has published rules and information for its regulated entities highlighting topics such as outsourcing requirements and business continuity.
Regulation guidelines that are currently in place, such as the E-Banking Rules, identify the responsibilities that organisations have to ensure that companies are committed to managing risk, while also ensuring that both financial services and their customers are not exposed to any potential risk of vendor failure. The E-Banking Rules highlight requirements such as Principle 13, which says that: “Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.”
The requirements for Business Continuity Management include business continuity and risk assessment; developing and implementing continuity plans; and testing, maintaining and re-assessing business continuity plans.
For many financial institutions, escrow agreements, documentation and verification of build processes and disengagement services have become integral to ensuring business continuity.
Regulation Best Practice
NCC Group and Al Tamimi & Company lawyers recognise the importance of regulation compliance and the need to have a business continuity solution in place from the outset with vendors and service providers. Our extensive experience with numerous organisations across the region has provided valuable insight into the type of software escrow solutions our customers in the Kingdom need.
Our experience and research show that, as best practice, escrow should be implemented to eliminate the risk of a scenario where access is lost to software or a ‘Software-as-a-Service’ (SaaS) arrangement that is fundamental to the operation of the bank, and that verification exercises form an integral part of business continuity for the ongoing maintenance and support of a critical application or system.
Consider Your Risk Level
The level of risk that organisations are exposed to will depend on a number of factors.
To ascertain its level of exposure, an organisation must implement a robust risk assessment model taking into account many issues.
The output of a clearly defined risk assessment approach will determine the need for plans to be put in place and deal with the failure of a third party software vendor or service provider.
Organisations should consider whether build processes are well documented, and should ensure that the source code has been validated and verified and that organisation-specific data can be extracted if things go wrong.
A collaborative piece by the NCC Group and Al Tamimi & Co, co-authored by:
Alex McCulloch, General Manager at NCC Group Middle East, and Haroun Khwaja, Senior Associate, Technology, Media & Telecommunications at Al Tamimi & Company.
References
* http://www.sama.gov.sa/en-US/Laws/BankingRules/E_banking_Rules.docx
Source: http://www.itp.net