One important issue to consider when choosing a cloud, or indeed any, software provider is the certainty of their ongoing business operations. A bankruptcy, an acquisition, or other circumstances can affect your vendor and render them unable or unwilling to continue providing the software services under your subscription or license. To mitigate this risk, 3rd-party professional technology escrow firms provide escrow services which are typically paid for by the software vendor and which “name” each customer as a party to the escrow agreement. This is similar to a “named insured” on a homeowner’s insurance policy, which protects the lender providing a mortgage on the property.
Andrew Stekhoven provides an excellent definition: “Active software escrow is a legally binding agreement signed between the user of the IT system, the supplier of the IT system and an independent escrow service provider to ensure that the software source code and technical documentation related to the services provided are not only kept safe, but are also professionally verified and updated on a routine basis. If certain conditions mentioned in the agreement come to pass, the escrow agent releases the source code and any other technology or documentation mentioned in the agreement to the user company.” (COBIT Focus, Vol. 3, July 2012.)
Active software escrow includes, at a minimum, annual verification that the source code and technical documentation correspond to the current version of the software. A statement from the 3rd-party custodian communicates that such verification was performed. Passive software escrow is storage of the software by a bank, law firm, etc., with no such assurance warranting that the escrowed version is current and verified. A passive escrow agreement is not adequate for mission-critical systems.
The Federal Financial Institutions Examination Council (FFIEC), which develops standards for financial institutions to meet requirements of the Federal Reserve Board, FDIC and others, strongly recommends software escrow as a critical part of a continuity plan. The FFIEC Examination Handbook includes a section on “escrowed documentation” which states some minimum recommendations to include in all software agreements. The FFIEC recommendations are an excellent reminder that an escrow agreement tailored to the specifics of each business-critical software vendor relationship provides financial institutions with a business continuity plan for their licensed technology. The effectiveness of any escrow agreement, for any industry, lies in customizing the agreement to address specific needs, as well as in the software vendor’s performance under the escrow agreement. Some top-tier technology escrow agents provide a comprehensive suite of services to address these concerns.
All agreements should include these key aspects for software escrow:
- Verification – the 3rd-party and the vendor periodically, at least annually, verify that the most current version of both the source code and the critical system documentation is in escrow.
- Access – the 3rd-party escrow company verifies that they have all passwords required to access the files and execute the software.
- Insurance – the 3rd-party escrow company must demonstrate ongoing Errors & Omissions (E&O) insurance coverage that includes adequate monetary protection value and is a policy specific to the software escrow industry.
- Recovery – a requirement for an “immediate release” provision with the escrow company on your behalf that allows release and use of the software during any dispute between you and the software company. The key is that a critical system cannot be down for long. The difference between cloud/hosted software and on-premises/licensed software is that you do not have the software on site, and therefore you bear a greater risk of disruption.
- Audit – many escrow companies offer audit and verification services which can include a simulated escrow release as a test scenario to ensure that the current version of the software is quickly available for recovery.
- Compliant – the 3rd-party escrow company must meet all regulatory requirements of your industry.
A second concern with cloud/hosted software is your data. Software escrow typically applies to the source code and documentation, but not to your data. In the event of an issue with your software provider, you need three things: the source code, machines configured with the operating systems and security controls needed to run the application, and your data. You should have your data “mirrored” to secondary storage, either in your enterprise or in cloud storage you control. You also need a plan to bring up an environment to run the software quickly. Consider a clause in the software agreement requiring the vendor to pre-pay three months of hosting fees and specifying your right to operate the software in this environment in the event of a dispute. Finally, require a solid active software escrow with a reputable 3rd-party.
Now is a good time to specify your active escrow requirements. Make these requirements a non-negotiable condition of all new software licenses or cloud software subscriptions. Inventory all existing business-critical software licenses and subscriptions and ensure that active escrow is a part of these agreements. Over time, bring these existing agreements into compliance with your new escrow requirements. In all cases, ask the vendors to present verification from their 3rd-party escrow providers stating that the on-hand source code and documentation were verified as current and that the escrow provider holds all necessary passwords. Define this escrow verification as an internal control procedure scheduled at least annually, so that the verification takes place and evidence of it is retained. Develop a detailed recovery plan for each mission-critical application and schedule a test of each recovery plan. Your management and your Board will appreciate how you lead the way in leveraging compliance to protect the organization from a disastrous system outage.
About the Authors
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting LLC, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications, and the “Leverage Compliance” blog. Glenn provides licensee compliance audits in conjunction with Licensing Compliance Group and Penetration Tests/SOC for Cyber/SOC 2/3 Assessments in conjunction with Ra Security Systems. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/
Chris Smith is Founder and CEO of PRAXIS Technology Escrow, LLC and a veteran of the technology escrow industry since the late 1990s. Throughout much of the past three decades Chris has helped financial institutions, Fortune 500 companies and countless software and technology companies implement customized technology escrow solutions. Chris has held executive-level positions with Iron Mountain and the NCC Group and was Co-Founder and President of Escrow Associates, LLC, which was acquired by NCC Group in 2011. Throughout his career Chris has been an educator and is certified to deliver continuing legal education (CLE) courses in several states. Find Chris’s full profile at https://www.linkedin.com/in/therealchrissmith