2024 is expected to bring about significant changes in the technology and business landscape, providing organisations with new opportunities as well as challenges. As businesses continue to increase their reliance on third-party software and services, effective third-party risk management will remain critical for maintaining business continuity.
In this article, we reflect on the previous year, outline our expectations for 2024, and provide insight into how organisations can effectively manage third-party risk.
The increasing reliance on third parties and outsourced IT solutions, combined with other sources of business interruption, has prompted new approaches from regulatory bodies across the globe. In January 2023, the Digital Operational Resilience Act (DORA) came into force, imposing additional cyber security and resilience requirements on European financial institutions and their critical suppliers. This month (January 2024), the European Supervisory Authorities (ESAs) are expected to release a final report, submitting the draft Regulatory Technical Standards (RTS) to the European Commission.
Last year, the OCC, FDIC, and Federal Reserve Board (FED) issued a joint statement offering revised guidance focused on outsourcing and third-party risk management, naming escrow solutions as an important provision to consider. The Australian Prudential Regulation Authority (APRA) also released its new cross-industry Prudential Standard CPS 230 to strengthen operational risk management.
The Bank for International Settlements published Project Polaris; the framework highlighted software escrow as a pivotal step for secure and resilient CBDC systems. The requirement for software escrow was also included in the updated standards - ISO 27001:2022.
In November, the Reserve Bank of India (RBI) issued a draft Master Direction with a set of controls to be employed and complied with by April 2024. The direction requires that the source code of critical applications be acquired. Where that is not possible, the bank expects institutions to implement escrow, or similar arrangements.
In December, the Financial Stability Board (FSB) responded to concerns over the risks related to outsourcing and third-party service relationships by issuing updated guidance on third-party risk management (TPRM).
The Prudential Regulation Authority (PRA) SS2/21 regulations prompted UK institutions to review third-party arrangements and assess the requirement for software escrow. The National Risk Register 2023 also identified supplier failure (technological failure) as a potential risk facing the UK.
In December 2023, the UK FCA, PRA, and the Bank of England initiated a joint consultation on proposed requirements and expectations for critical third parties (CP23/30: Operational resilience). Regulators aim to release final requirements by H2 2024.
On January 1, 2024, the Swiss Regulatory Authority's FINMA Circular 2023/1 on Operational Risks and Resilience at Banks came into force, providing institutions with a two-year transition period (till the start of 2026) to demonstrate full compliance.
In 2024 and beyond, regulatory bodies are expected to continue to introduce additional regulations aimed at ensuring businesses are protected from unexpected disruptions such as supplier failure. Aligning with global counterparts, many of these guidelines are expected to recommend measures like software escrow agreements as components of comprehensive business continuity and stressed exit plans.
While specific regulatory requirements for IT outsourcing in the financial services sector vary by region and regulator, escrow solutions have gained recognition from many global regulators. Software escrow is a proportional preventive, detective, and corrective control mechanism to reduce the duration, severity, velocity, and overall total cost of the settlement of IT supplier failure.
In 2023, we saw economic uncertainty and increased insolvencies. According to statistics published by gov.uk, the number of registered company insolvencies in November 2023 was 21% higher than in the same month in the previous year (November 2022). Similarly, bankruptcy filings in the USA totaled 37,860 in November 2023, marking a 21% increase from the November 2022 total of 31,187.
In March 2023, the collapse of Silicon Valley Bank highlighted the critical need for resilience across the entire supply chain and tech stack to ensure business continuity. As a leader in venture debt, providing loans to many tech start-ups and scale-ups, SVB’s failure had a significant impact on tech companies and the customers they service.
The global fintech market encountered challenging conditions in 2023. Venture capital funding for fintech start-ups globally plummeted by 49% year-over-year to $23 billion in the first half of 2023 amid an economic downturn, according to S&P Global Market Intelligence data. Risks such as high inflation, rising interest rates, geopolitical tensions, and tech sector challenges were potential threats to the market. These factors placed significant financial strain on vendors and the software supply chain, leading to heightened risks of bankruptcy.
The insolvency or failure of a software vendor can have substantial impacts on businesses reliant on their services. This includes disruption or complete failure of critical operations, resulting in both financial implications and reputational damage.
Recognising the ongoing economic uncertainty, organisations are increasingly acknowledging the value of software escrow agreements. These agreements play a crucial role in protecting the continuity of their critical operations in the event of a software vendor facing bankruptcy.
As we step into 2024, SaaS adoption is expected to continue its growth trajectory, with businesses increasingly shifting towards cloud-based software solutions. In the coming months, our SaaS insights guide will be released, offering invaluable market insights to help businesses ensure SaaS resilience.
In 2024 and beyond, organisations must prioritise operational resilience and mitigate third-party risk. To achieve this, businesses should stay informed about regulatory changes, assess third-party supplier risk, and implement robust business continuity plans that include software escrow agreements. By taking these steps, businesses can prepare for disruption, protect critical operations, and navigate future challenges with confidence and resilience.
