subscribe: Daily Newsletter

 

Natsure gains ‘peace of mind’ with software escrow

0 comments

Averting risk and protecting Natsure's mission critical business processes
and functions with an active escow agreement was a logical and vital step in
providing 'peace of mind' for the company, said Natsure's IT manager, Cobus
van Schalkwyk.

Natsure is a structure insurer in South Africa and covers the full gamut of
the construction and property sectors, from general insurance to detailed
niche concerns like thatch and geyser insurance. Established in 1968,
Natsure has evolved into providing insurance for the property market in
general, from individual home owners to large commercial property concerns.
Uniquely, Natsure not only insures completed properties, but also provides
risk cover during all phases of property development and construction.
The key issue for companies such as Natsure is 'What are our annual revenues
that are dependent upon technology platforms over which we have no control?'
and, historically, the Prestasi/Dexdata debacle is an excellent reminder as
to why ICT operational risk measures need diligent attention.
Van Schalkwyk appointed Escrow Europe in October last year to develop ICT
operational risk management standards for Natsure to protect its interest
and investments when it comes to software products that are vital to their
business.
A standardised set of terms and conditions provide for the deposit of the
source code of a mission critical software platform and form the basis of
the active escrow agreement between Natsure and Escrow Europe. Escrow Europe
is authorised to release the source code to Natsure under conditions agreed
upon between the platform supplier and end-user in the escrow agreement.
"At Natsure, we realised that there is a huge risk of not having business
continuity if something would happen with any one of our application
providers," explains van Schalkwyk, "with talk of risks,  control and
compliance being commonplace in the boardroom today, we knew an active
escrow agreement is a must-have."
Most corporate governance protocols hold directors personally responsible
for the organisation's assets and reputation, including the assurance that
systems and technology are adequate to run the organisation. In the US,
Sarbanes-Oxley calls for an operational system of internal controls over
financial information encompassing contracts for mission-critical software
and their susceptibility to changes in vendor business conditions. Protocols
such as COBIT, Turnbull and King II expect the board of directors of all
companies to take a robust approach to risk management and particularly in
relation to IT related risks.
Gartner puts it simply in one of their statements on the subject "Technology
escrow is a smart and effective component of a business continuity strategy
that software licensees can use to protect their mission critical
applications in an ever-changing environment," says Jane Disbrow, Gartner
Research Director, IT Asset Management and Applied Research Group.
The Institute of Directors (IoD) fully endorses the practice of Active
Escrow and has confirmed that King III will address what it is that is
required of South African Directors and Officers to manage the ICT
Operational Risk associated with the use of licensed technology such as
software products.
To safeguard the continuity of mission critical applications and mitigate
the potentially devastating consequences of such risks materialising, it is
essential to consider escrow. Professional active escrow is a highly
effective, low cost measure to mitigate against ICT operational risk. While
this vehicle is usually associated with ICT, it also extends beyond that
industry.
The guidelines in ISO9001 confirm source code escrow as a process whereby
access to maintainable information systems can be guaranteed, irrespective
of the stability of the commercial status of the software supplier and where
certain predefined commitments such as warranty, support and maintenance are
not honoured.
Escrow Europe is unique because it concentrates entirely on active escrow,
in other words escrows including both compulsory verification of every
deposit and tracking of updates and new releases thereby safeguarding the
quality of the deposits. This guarantees that Natsure will be able to
continue maintainance and support of mission critical software products in
the absence of the licensor.
"Supplier insolvency, a change of ownership or a new strategic priority (for
example, discontinuation of support and maintenance) could leave you
stranded and have an extremely serious, possibly catastrophic, impact on the
financial and business health of your company, and this risk is also
excluded from all Directors & Officers (D&O) and loss of profit/business
interruption insurance policies," says Escrow Europe director, Andrew
Stekhoven.
"Fear of vendor bankruptcy is no longer the predominant driver in the
software escrow market; potential mergers and acquisitions activity within
the IT vendor community is now the main cause for concern. An active escrow
arrangement is the only proper re-assurance that an organisation has that
software that is vital to the survival of their business will not become
'orphanware'.
"Active software escrow is well used in Europe and the US to manage risks
and comply with good governance regulations, but many South African
companies either ignore its potential for managing the multifaceted risks
and due diligence obligations facing their company directors and/or
officers, or they mistakenly believe that a passive escrow arrangement
offers the same protection as one that is active," he says.
Natsure has avoided the passive escrow trap. Most escrow agreements in South
Africa are passive, meaning there is no guarantee that the source code
released by the agent will be usable. In fact, technical verification of
deposit material reveals that up to 90% of software held under passive
escrow would be of little or no use when released.
For the software supplier, the benefits of active software escrow are
numerous too: it reinforces your ownership rights in the source code –
typically, your most valuable asset; assures risk management and business
continuity; preserves patents and copyrights; reduces dependency on
employees and gives disaster recovery.
TIAL Technologies is the supplier of Natsure's primary mission critical
software platform. and recognizes that  an active software escrow agreement
is vital for their Clients to comply with good corporate governance practice
and to provide them with peace of mind regarding the continuity of their
businesses.
Says TIAL chief executive, Alan Hayward, TIAL CE: "As a world class software
supplier, TIAL recognises that software escrow is a stamp of quality for
demonstrating commitment to our clients in respect of our company and
products, and that our client's need for escrow is perfectly legitimate as
the arrangement deals with mission critical software that requires
additional continuity of use warranties.
"For the supplier, the key objectives of escrow are therefore good
governance practice and reassurance for our licensed end-users as to our
commitment to their business."
Having a professional escrow arrangements in place for your clients gives
you a tangible advantage over competitors of any size. Active escrow
arrangements eliminate business continuity risk for your clients and
encourages the client to use your licensed products in preference to those
of even the largest software vendors and developers.
Escrow Europe is the only BEE certified provider of active software escrow
in South Africa and has put in place place over 20 active escrow agreements
over the past few months, including those for Business Connexion, Ellerines,
Hollard Select Brokers, Natsure, Santam, South African Express Airways and
Vodacom. They are continuing to work with Hollard Insurance to secure their
other software platforms that the business depends upon.
The Institute of Risk Management of South Africa (IRMSA) has recognised
Escrow Europe's role in assisting South African companies manage their
mission critical business risks and named the company as the recipient of
the Best Small Business Initiative Related to Risk Management Award for 2007
at its annual conference.