Should information technology companies seeking to do business with South Africa’s governments and municipalities be compelled by law to place their source code in escrow?

According to the managing director of a leading software escrow provider locally and the author of a recently released green paper exploring why certifications and compliances are essential to ensure operational resilience and protect interests, Andrew Stekhoven, the answer is yes.

“Many well-run governments, both national and regional, the world over already do so. Oklahoma in the United States being the more recent to make willingness to enter an escrow agreement mandatory for any company seeking to do business with Oklahoma’s Office of Management & Enterprise Services,” he said.

“South Africa’s governments and municipalities – already struggling with service delivery – do not need the added complication of contending with business continuity and disaster management should their IT systems be taken offline due to unforeseen circumstances, not when a simple and elegant solution to ensuring operational resilience exists.”

Oklahoma’s IT Related Procurement Statutes states: “No state agency, as defined by Section 250.3 of Title 75 of the Oklahoma Statutes, the Purchasing Division of the Office of Management and Enterprise Services nor the Information Services Division of the Office of Management and Enterprise Services, unless otherwise provided by federal law, shall enter into a contract for the acquisition of customized computer software developed or modified exclusively for the agency or the state, unless the vendor agrees to place into escrow with an independent third party the source code for the software and/or modifications.”

According to Stekhoven, this decision enhances that organisation’s operational resilience, reduces risks, protects customer interests, and ensures compliance with regulatory standards by providing access, availability and integrity when the unplanned for happens.

Aside from service delivery, surely this is what all South Africans want from their governments and municipalities, he asked.

Stekhoven’s green paper particularly addresses the risks associated with Software-as-a-Service (SaaS) solutions and suggests what corporates should look for in software and SaaS escrow providers to ensure their (the corporates) compliance with the EU DORA Digital Operational Resilience Act, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) regulations.

He notes that software and SaaS solutions have become essential for businesses and other organisations, enabling them to streamline operations and enhance productivity. However, the reliance on these solutions exposes these entities to potential risks such as service interruptions, data breaches, or loss of critical functionalities. These risks can have severe consequences, including financial loss, damage to reputation, and non-compliance with regulatory requirements.

Stekhoven suggests that full certification for ISO/IEC 27001:2013, Annex A.17, and Annex A.18 is a compliance and regulatory imperative delivering the following benefits:

  • Enhanced Security and Confidentiality: ISO 27001:2013 certification ensures that software and SaaS escrow providers implement robust security controls to protect corporate data and intellectual property. It guarantees the confidentiality, integrity, and availability of information assets, reducing the risk of data breaches and unauthorized access.
  • Mitigation of Business Interruptions: By complying with Annex A.17 and EU DORA, software and SaaS escrow providers can establish business continuity plans and preventive measures to mitigate the impact of service interruptions. This allows corporates to ensure uninterrupted operations and minimize potential financial losses.
  • Reduced Legal and Financial Risks: ISO 27001:2013 and Annex A.18 compliance help corporates mitigate legal and financial risks associated with non-compliance with regulatory requirements. Choosing certified providers ensures adherence to regulatory standards, thereby reducing the likelihood of penalties, fines, and legal disputes.
  • Improved Customer Trust and Reputation: Working with ISO 27001:2013 certified providers demonstrates a commitment to information security and operational resilience. This enhances customer trust, strengthens corporate reputation, and distinguishes corporates as responsible and reliable partners.
  • Ease of Compliance with Regulatory Standards: ISO 27001:2013 certification provides a solid foundation for meeting regulatory requirements such as EU DORA, PRA, and FCA refers. Corporates can leverage the certified providers’ compliance frameworks and controls to streamline their own compliance efforts, saving time and resources.