Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

Hello all,

How is everyone managing Software Escrow?

-what triggers a review? (new software, RTO, Direct Impact (major component failure), whether service is essential, etc.)
-do you factor in third party financial stability, critical third party status, on-prem or TP hosted, etc.) if source code and testing are required?
-which group manages the process? (Business Continuity, LOB, Technology)



Thank you.

Hi there -

Below are responses and some helpful best practices to utilize in your program as it relates to managing and monitoring the risk associated with vendors with software escrow:

1) what triggers a review? (new software, RTO, Direct Impact (major component failure), whether service is essential, etc.)

- Like other existing technology vendors, performing a review / assessment depends on the criticality of the vendor and how important / essential the feature may be to your technology stack and operations. For every new vendor that works with your organization with software escrow accounts, at a minimum a financial health review and diligence (typically, can start with requesting 2-3 years of financial information) should be conducted to determine the health of the vendor and ensure that they are not at-risk of bankruptcy in the near-term.

2) do you factor in third party financial stability, critical third party status, on-prem or TP hosted, etc.) if source code and testing are required?

- Yes, financial health and stability should be considered given that the software escrow agreement with the vendor will include clauses around the entity's insolvency / bankruptcy. Criticality should be considered as well, given that the code may or may not be essential to your overall business and daily operations. The hosting environment (on-premise vs. SaaS) also should be considered, as it can provide insight into whether the vendor has sufficient system and operating controls in place with respect to its datacenter or cloud hosting. Depending on the criticality of the vendor in the software escrow account, it may be worth requesting and reviewing a SOC audit that it had completed to understand the controls it has or may have through its relationship with its own cloud-hosting / data-hosting provider.

3) which group manages the process? (Business Continuity, LOB, Technology)

- Technology should manage the details of the software escrow agreement and get comfortable around the details within the agreement. The review process should include the Technology team to ensure they have sufficient input into the documentation and details required, but other parts of the organization (Information Security, Financial Subject Matter Experts, Vendor Management, Compliance) should lead the diligence / questionnaire / review process, as is consistent with other activities within your third-party risk management program.

We welcome other members of the Third Party Think Tank to weigh in and provide any insights!

Ramin

Original Message:
Sent: 07-07-2021 08:19 AM
From: Anonymous Member
Subject: Software Escrow Accounts (Source Code)

This message was posted by a user wishing to remain anonymous

Hello all,

How is everyone managing Software Escrow?

-what triggers a review? (new software, RTO, Direct Impact (major component failure), whether service is essential, etc.)
-do you factor in third party financial stability, critical third party status, on-prem or TP hosted, etc.) if source code and testing are required?
-which group manages the process? (Business Continuity, LOB, Technology)



Thank you.

This message was posted by a user wishing to remain anonymous

Ramin,

Thank you for replying. Pretty much how we manage our process. Our BC team coordinates the activity with the LOB, LOB BC contact and Technology. I would like to see others share their process.
Original Message:
Sent: 07-27-2021 10:32 AM
From: Ramin Zacharia
Subject: Software Escrow Accounts (Source Code)

Hi there -

Below are responses and some helpful best practices to utilize in your program as it relates to managing and monitoring the risk associated with vendors with software escrow:

1) what triggers a review? (new software, RTO, Direct Impact (major component failure), whether service is essential, etc.)

- Like other existing technology vendors, performing a review / assessment depends on the criticality of the vendor and how important / essential the feature may be to your technology stack and operations. For every new vendor that works with your organization with software escrow accounts, at a minimum a financial health review and diligence (typically, can start with requesting 2-3 years of financial information) should be conducted to determine the health of the vendor and ensure that they are not at-risk of bankruptcy in the near-term.

2) do you factor in third party financial stability, critical third party status, on-prem or TP hosted, etc.) if source code and testing are required?

- Yes, financial health and stability should be considered given that the software escrow agreement with the vendor will include clauses around the entity's insolvency / bankruptcy. Criticality should be considered as well, given that the code may or may not be essential to your overall business and daily operations. The hosting environment (on-premise vs. SaaS) also should be considered, as it can provide insight into whether the vendor has sufficient system and operating controls in place with respect to its datacenter or cloud hosting. Depending on the criticality of the vendor in the software escrow account, it may be worth requesting and reviewing a SOC audit that it had completed to understand the controls it has or may have through its relationship with its own cloud-hosting / data-hosting provider.

3) which group manages the process? (Business Continuity, LOB, Technology)

- Technology should manage the details of the software escrow agreement and get comfortable around the details within the agreement. The review process should include the Technology team to ensure they have sufficient input into the documentation and details required, but other parts of the organization (Information Security, Financial Subject Matter Experts, Vendor Management, Compliance) should lead the diligence / questionnaire / review process, as is consistent with other activities within your third-party risk management program.

We welcome other members of the Third Party Think Tank to weigh in and provide any insights!

Ramin

Original Message:
Sent: 07-07-2021 08:19 AM
From: Anonymous Member
Subject: Software Escrow Accounts (Source Code)

This message was posted by a user wishing to remain anonymous

Hello all,

How is everyone managing Software Escrow?

-what triggers a review? (new software, RTO, Direct Impact (major component failure), whether service is essential, etc.)
-do you factor in third party financial stability, critical third party status, on-prem or TP hosted, etc.) if source code and testing are required?
-which group manages the process? (Business Continuity, LOB, Technology)



Thank you.