When procuring a new solution, plan for the unexpected. To evaluate candidate solutions efficiently, consider the following:
1. Complete a risk assessment
Would your business function effectively if the application suddenly became unavailable? What would happen if the software supplier was involved in a legal dispute or went out of business?
According to research by Deloitte, third-party failures could cost a company as much as £783m per incident. It's also important to assess whether your team has the skills needed to rebuild or maintain the solution in-house if that ever became necessary.
2. Does the software comply with regulations that apply to your business?
For example, third-party risk management obligations, or regulations such as PRA SS2/21 or the Digital Operational Resilience Act (DORA).
If something unexpected happened to your third-party software supplier, do you have a plan in place to avoid disruption that also meets the regulators' requirements?
3. How is the application hosted, and where is your data stored?
In the case of cloud-based applications, note that cloud service providers (CSPs) are not responsible for your application or your data. As an end user, you are responsible for backing up, and being able to restore, the data you store in their services.
Protect your software with a business continuity plan
Without the in-house expertise to rebuild or support an application, a business can be left without access to critical software for a prolonged period if its vendor fails.
A business continuity plan mitigates this risk and details who is responsible for providing continued access to your application.
As part of your business continuity plan, consider implementing a software escrow agreement. A software escrow agreement is a tri-party arrangement, with mutually agreed terms, between you, the software supplier and an independent escrow service provider.
Under the agreement, the supplier periodically deposits a copy of the software source code and associated materials with the escrow provider for secure storage. If an agreed release condition occurs (for example, the supplier becomes insolvent), the deposit is released to you, and you can use it to maintain the software from the source code, either in-house or with another supplier.
Neil Bellamy, the bank's Head of Technology, Media, Telecoms and Services says:
“The venture capital investor Marc Andreessen once said that ‘software will eat the world’. While it may not be as dramatic for your business, software applications can still be mission critical. This guide by our partners at NCC provides clear, practical information to help you consider the risks and plan accordingly.”
By following the steps in this guide, you can be confident that you have followed a procurement process backed by demonstrable business continuity planning.