A hallmark of this era of rapid technological advancement and digitalisation of financial services is the ever-increasing reliance on third-party software suppliers. It’s a complex dependency that has expanded the threat landscape of South African banks, asset managers and insurers. In response, the country’s Financial Sector Conduct Authority and the Prudential Authority have now brought the new Joint Standard for IT Governance and Risk Management into force on 15 November 2024.
This landmark regulation raises the bar for IT governance frameworks and brings South Africa into alignment with global standards governing IT risk management protocols and business continuity practices. With the implementation of the Joint Standard, financial entities must act swiftly to implement robust measures to meet these critical regulatory requirements.
Building a foundation of resilience
The Joint Standard mandates that financial institutions address IT-related risks to safeguard their operations and maintain service delivery. South African banks, insurers, and other financial institutions must now implement more stringent IT governance and risk management practices, which will be assessed one year from the regulation’s effective date. Non-compliance may result in the issuing of financial penalties and/or the withholding of essential operating licences.
Guy Krige, Executive Risk Consultant at ESCROWSURE says, “Not surprisingly, given the current scale of third-party risks, the new regulation puts forward a comprehensive approach to managing supply chain vulnerabilities, maintaining an inventory of critical service providers, and instituting clear business continuity plans. An essential component of these efforts is ensuring access to critical software applications, even if an external provider faces disruptions. This requirement amplifies the need for solutions like software escrow, which not only aids in compliance but also offers a lifeline to financial services companies in the event of service disruptions or vendor insolvencies. It’s interesting to note that in markets such as Singapore and India, similar regulations explicitly prescribe software escrow as an essential part of business continuity and IT risk management and governance.”
Software Escrow as a practical compliance solution
Software escrow, which involves depositing source code with a trusted third party, provides financial institutions with access to critical software in the event of vendor failure. By placing essential applications in escrow, South African financial institutions can ensure operational continuity while meeting the compliance demands of the Joint Standard. The availability of source code through escrow means that even if a third-party supplier cannot fulfil its obligations, institutions can retrieve and maintain critical software themselves, reducing service disruption risks.
Krige adds, “In the context of South Africa’s new IT governance standard, software escrow becomes a proactive tool, allowing institutions to meet regulatory requirements while securing an operational contingency that mitigates the growing threats of software supplier failure.”
Looking forward – preparing for the upcoming Joint Standard on Cybersecurity
While financial institutions work toward compliance with the Joint Standard on IT Governance and Risk Management, another significant regulation is just on the horizon. The Joint Standard on Cybersecurity and Cyber Resilience, set to take effect on 1 June 2025, will introduce new requirements specifically focused on protecting financial entities from cyber threats. Much like the current standard, this regulation will emphasise third-party risk management, making software escrow an invaluable solution for continuity and security in case of cyber vulnerabilities or breaches in supplier networks.
Krige concludes, “As South African financial institutions integrate these new standards, software escrow will play an increasingly critical role in the country. By investing in escrow agreements now, companies not only comply with the current IT governance requirements but also position themselves to tackle cybersecurity risks and the heightened compliance demands of 2025 with greater resilience and confidence. As the South African financial services sector navigates these evolving regulatory waters, software escrow emerges as a cost-effective, proactive measure to boost operational resilience, safeguard IT assets and ensure both continuity and compliance.”