“My Software Owner Is Too Big To Fail” & 5 Other Escrow Myths

Many people automatically discount Software Escrow without truly understanding the risks of not protecting their business critical applications. We have busted some of the common myths surrounding Escrow, enabling you to make informed decisions regarding the protection of your third party applications.

“Our software owner is a global organisation, they have been around for many years, everybody uses them… They are too big to fail”

Unfortunately no organisation (software owner or end user) is too big to fail. Their industry, size, market share, turnover or even media coverage are irrelevant.

A prime example of this is 2e2 Limited – System Integrators and Data Centre for 1000’s of well-known global organisations that included Vodafone, NHS Trust, Citigroup, O2 and Kellogg’s, entered into voluntary liquidation in 2013. What followed was the administrators asking 2e2 customers for nearly £1 million in funding if they wanted uninterrupted services and access to their Data Centre facilities.

If these companies had an Escrow agreement in place with 2e2 they would have been able to legally access a copy of the source code (as well as potentially their data, a runtime, version, install version and a runtime report on how to rebuild it etc.) for the applications provided by 2e2, enabling them to maintain their applications going forward without having to pay the large fees to the administrators.

“We use a scoring system when procuring a new software owner”

This is a crucial part of procuring any third party software. However, a ‘scoring system’ can only mitigate so much risk, generally for the short term visibility.

However, there is no way of predicting what will happen in the long term and therefore creation of an Escrow agreement should be an essential requirement when working with third party software owners to protect you from unforeseen circumstances.

“We wouldn’t be able to use the code if it was released”

This statement can be both true and false. True in the sense that if the deposit has not been fully validated then it’s unclear if the code is complex or correct, and whether all the relevant documentation including the ‘build guide’ is included. Having the deposit fully validated ensures that upon release either you or an appointed third party can maintain the application going forward. Therefore in this case the statement would be false.

“We don’t see it as value for money”

This is more of an opinion. A more accurate way of indicating whether an Escrow agreement provides value for money would be to identify the criticality and cost of the application VS the cost an impact of not having it at all and the combined cost, time and effort you would need to spend procuring a replacement application. By definition an Escrow agreement also reduces the amount of money needed to be set aside to potentially replace a failed system.

“You have to have all your applications in Escrow and tested”

Another myth. An audit should be undertaken on each of your applications to determine its criticality and then you can determine whether or not to Escrow the application.

If you do have multiple applications which require Escrow, you can also place these under a Master Escrow Agreement which consolidates all of your Escrow agreements in one location.

“You cannot Escrow hosted software (SaaS)”

This myth stems from the confusion that if an application isn’t hosted onsite then how can it be placed in Escrow? The truth is that whilst it can be slightly more complex to Escrow hosted software, it is definitely possible and amounts to almost 25% of our live agreements here at SES.

In fact, there can often be a stronger argument for protecting SaaS applications than those installed on-site. Should a Vendor providing on-site services fail, their clients retain access to their servers with all data and the compiled software. However, SaaS services are generally hosted by the Vendor or the Vendor’s chosen third party hosting service provider, if the Vendor fails the client can lose access to everything including their data – often without any notice period. This is why SES provides Escrow services that not only capture source code but also data on a frequency that suits your requirement which could be as often as monthly, weekly, daily or even in real time. In addition SES can retain runtime/install versions and a recorded build of the application. With this protection in place the client is assured of being able to replicate the critical services they depend on including their data.

Almost anything can be placed in Escrow (within reason). It’s all about understanding who owns what, what is to be deposited and what the release conditions will be? When SES first started we only had three different agreements, now we offer more than 20 different agreements to meet all of your Escrow requirements.

If you would like to find out more about how a bespoke Escrow solution can protect your business, please get in touch and one of our specialists will get back to you within one business day.

© SES Secure Limited and ses-escrow.co.uk, 2017. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to SES Secure Limited and ses-escrow.co.uk, with appropriate and specific direction to the original content.