Managing software risk in Saudi Arabia

Software underpins many of the Kingdom's strategic projects, so organisations need to understand how to protect their investment, says NCC Group and Al Tamimi & Company

Tags: Al Tamimi and Company - Dubai; NCC Group (www.nccgroup.trust); Saudi Arabia
Organisations in Saudi Arabia are making major investments in business software, creating the need for proper software risk measures.
By Alex McCulloch and Haroun Khwaja. Published February 13, 2018

According to a report from the Communications and Information Technology Commission (CITC), as of 2014 information and communication technology (ICT) investments in the Kingdom of Saudi Arabia totalled SAR 17.83 billion ($4.75bn). A large proportion of this investment is being made in both third-party software and systems developed in-house.

The Kingdom, similar to the rest of the GCC, has a well-established ICT market across a number of key industries. Given that organisations are spending so much on their business software, it is critical to consider how the Kingdom's organisations can protect such investments to ensure a confident, consistent and robust approach to risk mitigation for technology use. Across different sectors, protecting these software investments is increasingly important to safeguard critical national infrastructure, support the growth of the FinTech economy, and meet financial regulatory requirements.

Infrastructure projects

Infrastructure projects within the Kingdom are at an all-time high, with mega-projects becoming heavily reliant on technology. In line with the Kingdom's Vision 2030, technology initiatives cover not only the implementation process but also the ongoing operation of services such as trains and metro systems. A system such as Riyadh Metro highlights how central software has become to these large-scale infrastructure projects. The planned six-line, 85-station metro network will require a whole host of complex systems to run metro services, such as supervisory control and data acquisition (SCADA), communications and CCTV, with any loss of these services being catastrophic.

FinTech growth

FinTech currently sits at the intersection of the financial services and technology sectors, where technology-focused start-ups operate alongside innovative products and services provided by the traditional financial services sector.

The prioritisation of technological development in Saudi Arabia's Vision 2030 strategy has also raised the need to protect its online infrastructure and systems, including the need for software escrow agreements and business continuity measures. It is therefore crucial that any implementation of a third-party application undergoes a formal risk assessment to determine what levels of protection and testing are necessary.

Only with a standardised selection methodology can an organisation ensure they have the appropriate continuity solution for all applications. By implementing a policy in agreement with software vendors, organisations can provide clear guidelines throughout the business on how to protect its applications and data effectively.

Financial Regulation and Compliance

The Saudi Arabian Monetary Agency (SAMA) is the central bank and supervisor for commercial banks in the Kingdom. SAMA has published rules and information for its regulated entities highlighting topics such as outsourcing requirements and business continuity.

Regulatory guidelines currently in place, such as the E-Banking Rules, identify the responsibilities organisations have to ensure that they are committed to managing risk, while also ensuring that neither the financial institution nor its customers are exposed to the risk of vendor failure. The E-Banking Rules highlight requirements such as Principle 13, which says that: "Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services."

The requirements for Business Continuity Management include business continuity and risk assessment; developing and implementing continuity plans; and testing, maintaining and re-assessing business continuity plans.

For many financial institutions, escrow agreements, documentation and verification of build processes and disengagement services have become integral to ensuring business continuity.

Regulation Best Practice

NCC Group and Al Tamimi & Company lawyers recognise the importance of regulation compliance and the need to have a business continuity solution in place from the outset with vendors and service providers. Our extensive experience with numerous organisations across the region has provided valuable insight into the type of software escrow solutions our customers in the Kingdom need.

Our experience and research show that, as best practice, escrow should be implemented to eliminate the risk of a scenario in which access to software or a 'Software-as-a-Service' (SaaS) arrangement fundamental to the operation of the bank is lost; and verification exercises form an integral part of business continuity for the ongoing maintenance and support of a critical application or system.

Consider Your Risk Level

The level of risk that organisations are exposed to will depend on a number of factors.

To ascertain its level of exposure, an organisation must implement a robust risk assessment model taking into account many issues. These issues may include:

•  Solvency of third-party critical software vendors, with consideration given to regional regulations. This may involve potential software vendors answering IT questionnaires to surface key risks;

•  Financial or reputational loss associated with the discontinuation of critical solutions and systems, resulting in compromised services;

•  Whether sufficient protection is provided over the intellectual property rights to access and use the source code for applications that are critical to business operations;

•  Whether alternatives for critical systems and applications exist or have been identified and, if so, whether application and system risk is mitigated for any transition period to such alternatives;

•  The degree of knowledge retention with regard to the development of in-house applications and systems;

•  Whether application build and deployment processes are sufficiently documented to the required standard in order to safeguard against resource loss.

The output of a clearly defined risk assessment approach will determine the need for plans to be put in place and deal with the failure of a third party software vendor or service provider.

Organisations should consider whether build processes are well documented; they should also ensure that the source code has been validated and verified, and that organisation-specific data can be extracted if things go wrong.

A collaborative piece by the NCC Group and Al Tamimi & Co, co-authored by:

Alex McCulloch, General Manager at NCC Group Middle East, and Haroun Khwaja, Senior Associate, Technology, Media & Telecommunications at Al Tamimi & Company.

About NCC Group
NCC Group is a global risk mitigation expert, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.
We are one of the world's leading software escrow providers protecting business critical software, data and information through escrow and verification testing services.
As an AWS partner, we are able to provide both cloud application customers and providers with SaaS continuity services for the ever-increasing number of systems on which they depend.
Over 15,000 organisations worldwide benefit from our ability to offer our services under a variety of international laws and the assurance that comes from our global network of secure storage vaults across the Middle East, Asia-Pacific, Europe and North America.
We have in-house technical and legal teams, guaranteeing an independent and quality service. The principle behind our escrow offering is clear - to protect all parties involved in the development, supply and use of business critical software applications, information and technology.

Al Tamimi & Company
Al Tamimi & Company is the largest law firm in the Middle East, offering clients dedicated, on-the-ground service in the Kingdom of Saudi Arabia with offices in Riyadh, Jeddah and Al Khobar.
Al Tamimi & Company's Technology, Media & Telecommunications team provides local and international clients with world-class, specialist legal support across the full spectrum of technology, media and telecommunications matters. Our advice is practical and informed by our familiarity with the sectors in which our clients operate, the legal and regulatory environments of more sophisticated jurisdictions, and our deep knowledge of local law and practice.
Our client base includes technology vendors, and a diverse range of private and public sector technology purchasers. Many of our clients are in the financial services sector, including banks, insurance companies and payment solution providers.
Other clients can be broadly categorised as operating in the e-commerce space, ranging from modest online marketplace start-ups through to developers of significant 'game-changing' technologies looking to expand into the region. We also work with government sector entities on a broad variety of technology-related matters, including smart city technology, e-payment platforms, transport infrastructure solutions, and data protection and information security related matters.
