Hi there - Below are responses and some helpful best practices to utilize in your program as they relate to managing and monitoring the risk associated with vendors with software escrow:
1) What triggers a review? (new software, RTO, direct impact (major component failure), whether the service is essential, etc.)
- As with other existing technology vendors, whether and how you perform a review / assessment depends on the criticality of the vendor and how important / essential the feature may be to your technology stack and operations. For every new vendor that works with your organization with a software escrow account, at a minimum a financial health review and due diligence (typically, you can start by requesting 2-3 years of financial information) should be conducted to determine the health of the vendor and ensure that it is not at risk of bankruptcy in the near term.
2) Do you factor in third-party financial stability, critical third-party status, on-prem or TP hosted, etc., if source code and testing are required?
- Yes, financial health and stability should be considered, given that the software escrow agreement with the vendor will include clauses around the entity's insolvency / bankruptcy. Criticality should be considered as well, given that the code may or may not be essential to your overall business and daily operations. The hosting environment (on-premises vs. SaaS) should also be considered, as it can provide insight into whether the vendor has sufficient system and operating controls in place with respect to its datacenter or cloud hosting. Depending on the criticality of the vendor in the software escrow account, it may be worth requesting and reviewing a SOC audit report it has had completed, to understand the controls it has or may have through its relationship with its own cloud-hosting / data-hosting provider.
3) Which group manages the process? (Business Continuity, LOB, Technology)
- Technology should manage the details of the software escrow agreement and get comfortable with the details within the agreement. The review process should include the Technology team to ensure they have sufficient input into the documentation and details required, but other parts of the organization (Information Security, Financial Subject Matter Experts, Vendor Management, Compliance) should lead the diligence / questionnaire / review process, as is consistent with other activities within your third-party risk management program.
We welcome other members of the Third Party Think Tank to weigh in and provide any insights!