Software escrow is increasingly being drafted into service as one of the ‘first line defences’ when it comes to protecting banks and their customers from cybercrime.
This is the conclusion reached by Andrew Stekhoven, MD of Escrow Europe, who cites two recent announcements – one by the Bank of England and the other by the Singapore Monetary Authority – where the financial industry’s reliance on information technology, in particular for cloud services, is enhancing the risk landscape and requires a clear regulatory response.
“The Monetary Authority of Singapore (MAS) is the financial regulator in Singapore and also the country’s central bank,” he says. “Nearly a decade ago, it issued guidelines to help financial institutions build sound technology risk management frameworks, strengthen IT system security, and safeguard sensitive data and transactions of all the clients.
“The TRMG are regarded as one of the most comprehensive, elaborate and robust guidelines in the world. But they were recently revised to include instructions for escrow protection, and to specifically extend the TRMG to all third parties including outsourced service providers.
“Importantly, they also addressed documenting and implementing standards and procedures for vendor evaluation, selection and controls, and implementing safeguards and putting in place source code escrow agreement if the vendor is unable to support the financial institution,” he says.
Stekhoven explains that The Bank of England had acted similarly in April this year when it shared a series of proposals focused on outsourcing and third-party risk management within financial market infrastructure firms.
“Last year, it had also published operational resilience policy, this noting that a major priority for the Bank, the Prudential Regulation Authority and the Financial Conduct Authority was to create a robust regulatory framework to ‘promote operational resilience’ amongst financial market infrastructure firms.”
He points out that, taken together, these demonstrated the Bank’s continued drive towards operational resilience amongst financial services providers, given increased reliance on third-party technology and software.
“Of particular note is how the Bank highlights the importance of contractual and escrow arrangements between customer and third-party providers,” he says. “It specifically states that software escrow agreements are one of the most effective, proportionate and cost-efficient measures to managing third-party technology risks with cloud, software and technology providers.”
For nearly two decades, during which time Escrow Europe received an Institute of Risk Management of South Africa (IRMSA) award for its role in assisting South African businesses manage their mission critical business risks, Stekhoven has pointed out that most commercial and governmental institutions are often entirely dependent on software over which they have limited or no control.
“One of the biggest mistakes all companies make when evaluating risks to their business continuity is to neglect to consider and acknowledge how dependent their annual revenues are on technology platforms over which they have no control,” he says. “For corporate entities, this is often measured in millions of rands, and yet this clear and present danger is often ignored or grossly underestimated.
“A sound, common sense approach to mitigating disaster, active software escrow provides cost effective relief and security for a business. In today’s technology dependent business world, active escrow agreements between an end-user organisation and the supplier of the technology it utilises are a necessity, not a nice to have.”