Natsure gains 'peace of mind' with active software escrow

Averting risk and protecting Natsure's mission critical business processes and functions with an active escow agreement was a logical and vital step in providing 'peace of mind' for the company, said Natsure's IT manager, Cobus van Schalkwyk.

Natsure is a structure insurer in South Africa and covers the full gamut of the construction and property sectors, from general insurance to detailed niche concerns like thatch and geyser insurance. Established in 1968, Natsure has evolved into providing insurance for the property market in general, from individual home owners to large commercial property concerns. Uniquely, Natsure not only insures completed properties, but also provides risk cover during all phases of property development and construction.

The key issue for companies such as Natsure is ‘What are our annual revenues that are dependent upon technology platforms over which we have no control?’ and, historically, the Prestasi/Dexdata debacle is an excellent reminder as to why ICT operational risk measures need diligent attention.

Van Schalkwyk appointed Escrow Europe in October last year to develop ICT operational risk management standards for Natsure to protect its interest and investments when it comes to software products that are vital to their business.

A standardised set of terms and conditions provide for the deposit of the source code of a mission critical software platform and form the basis of the active escrow agreement between Natsure and Escrow Europe. Escrow Europe is authorised to release the source code to Natsure under conditions agreed upon between the platform supplier and end-user in the escrow agreement.

"At Natsure, we realised that there is a huge risk of not having business continuity if something would happen with any one of our application providers," explained van Schalkwyk, "with talk of risks, control and compliance being commonplace in the boardroom today, we knew an active escrow agreement is a must-have."

Most corporate governance protocols hold directors personally responsible for the organisation's assets and reputation, including the assurance that systems and technology are adequate to run the organisation. In the US, Sarbanes-Oxley calls for an operational system of internal controls over financial information encompassing contracts for mission-critical software and their susceptibility to changes in vendor business conditions. Protocols such as COBIT, Turnbull and King II expect the board of directors of all companies to take a robust approach to risk management and particularly in relation to IT related risks.

Gartner puts it simply in one of their statements on the subject “Technology escrow is a smart and effective component of a business continuity strategy that software licensees can use to protect their mission critical applications in an ever-changing environment,” says Jane Disbrow, Gartner Research Director, IT Asset Management and Applied Research Group.

The Institute of Directors (IoD) fully endorses the practice of Active Escrow and has confirmed that King III will address what it is that is required of South African Directors and Officers to manage the ICT Operational Risk associated with the use of licensed technology such as software products.

To safeguard the continuity of mission critical applications and mitigate the potentially devastating consequences of such risks materialising, it is essential to consider escrow. Professional active escrow is a highly effective, low cost measure to mitigate against ICT operational risk. Whilst this vehicle is usually associated with ICT, it also extends beyond that industry.

The guidelines in ISO9001 confirm source code escrow as a process whereby access to maintainable information systems can be guaranteed, irrespective of the stability of the commercial status of the software supplier and where certain predefined commitments such as warranty, support and maintenance are not honoured.

Escrow Europe is unique because it concentrates entirely on active escrow, in other words escrows including both compulsory verification of every deposit and tracking of updates and new releases thereby safeguarding the quality of the deposits. This guarantees that Natsure will be able to continue maintainance and support of mission critical software products in the absence of the licensor.

"Supplier insolvency, a change of ownership or a new strategic priority (for example, discontinuation of support and maintenance) could leave you stranded and have an extremely serious, possibly catastrophic, impact on the financial and business health of your company, and this risk is also excluded from all Directors & Officers (D&O) and loss of profit/business interruption insurance policies,” said Escrow Europe director, Andrew Stekhoven.

"Fear of vendor bankruptcy is no longer the predominant driver in the software escrow market; potential mergers and acquisitions activity within the IT vendor community is now the main cause for concern. An active escrow arrangement is the only proper re-assurance that an organisation has that software that is vital to the survival of their business will not become 'orphanware'.

"Active software escrow is well used in Europe and the United States to manage risks and comply with good governance regulations, but many South African companies either ignore its potential for managing the multifaceted risks and due diligence obligations facing their company directors and/or officers, or they mistakenly believe that a passive escrow arrangement offers the same protection as one that is active," he said.

Natsure has avoided the passive escrow trap. Most escrow agreements in South Africa are passive, meaning there is no guarantee that the source code released by the agent will be usable. In fact, technical verification of deposit material reveals that up to 90% of software held under passive escrow would be of little or no use when released.

For the software supplier, the benefits of active software escrow are numerous too: it reinforces your ownership rights in the source code - typically, your most valuable asset; assures risk management and business continuity; preserves patents and copyrights; reduces dependency on employees and gives disaster recovery.

TIAL Technologies (Pty) Ltd is the supplier of Natsure’s primary mission critical software platform. and recognizes that an active software escrow agreement is vital for their Clients to comply with good corporate governance practice and to provide them with peace of mind regarding the continuity of their businesses.

Said TIAL chief executive, Alan Hayward, TIAL CE: “As a world class software supplier, TIAL recognises that software escrow is a stamp of quality for demonstrating commitment to our clients in respect of our company and products, and that our client’s need for escrow is perfectly legitimate as the arrangement deals with mission critical software that requires additional continuity of use warranties.

“For the supplier, the key objectives of escrow are therefore good governance practice and reassurance for our licensed end-users as to our commitment to their business.”

Having a professional escrow arrangements in place for your clients gives you a tangible advantage over competitors of any size. Active escrow arrangements eliminate business continuity risk for your clients and encourages the client to use your licensed products in preference to those of even the largest software vendors and developers.

Escrow Europe is the only BEE certified provider of active software escrow in South Africa and has put in place place over 20 active escrow agreements over the past few months, including those for Business Connexion, Ellerines, Hollard Select Brokers, Natsure, Santam, South African Express Airways and Vodacom. They are continuing to work with Hollard Insurance to secure their other software platforms that the business depends upon.

The Institute of Risk Management of South Africa (IRMSA) has recognised Escrow Europe’s role in assisting South African companies manage their mission critical business risks and named the company as the recipient of the Best Small Business Initiative Related to Risk Management Award for 2007 at its annual conference.