
NCC Group insights report:

Software Resilience
Insights Report
A platform for growth and innovation
Contents
Executive summary
Software Runs the World
Technologies on the rise
A new mind-set
Which sectors have the greatest need for resilience?
Is your business prepared for service disruption?
The business opportunity of Software Resilience
Starting the journey to Software Resilience
Developing a Software Resilience strategy
Best practice approach to Software Resilience
Software Resilience solutions
Do I need Software Escrow verification testing?
Businesses succeeding with Software Resilience
Why NCC Group?


Executive summary

At the core of almost all modern businesses are software applications, infrastructures and platforms that enable their continued operation, service delivery and ability to compete. As we continue to progress further into the digital age, the adoption of business-critical software is on the rise.

The implementation of innovative technology has also increased in response to the global pandemic as businesses adapt to accommodate new ways of working and changing customer expectations.

But as businesses’ reliance on technology increases, so does their reliance on the specialist third-party software suppliers that often provide it. New risks of inevitable third-party disruption due to insolvency, acquisition, technical failures and more present software customers with a new challenge to ensure their business-critical applications are resilient and available for the long-term.

In this report, we’ll explore the new technological landscape that is emerging through the accelerated adoption of third-party software, along with guidance on how software customers can assess their preparedness for service disruption.

We’ll demonstrate the business opportunity of software resilience and provide guidance on the strategy and solutions businesses can implement to ensure they can prepare for, respond to and recover from third-party service disruption.

www.nccgroup.com | response@nccgroup.com 3
Software Runs the World

Every day, companies of all sizes across all sectors are becoming more reliant on their technology. From key business functions and processes to reporting, software applications, infrastructures and platforms play a critical role in successful day-to-day operations and service fulfilment. This reliance has particularly increased recently, with the challenges of 2020 accelerating digital transformation and the adoption of emerging technologies.

“We’ve moved to a world defined by software – where the physical fabric of what underpins us is highly malleable and dynamic. Organisations are not buying new products. Instead, they’re upgrading software to increase functionality. This is allowing them to define what their networks look like; instead of wires and switches, it’s lines of code. This code is highly valuable to businesses and they want assurance of its resilience.”
Ollie Whitehouse, Global Chief Technical Officer, NCC Group

Due to the complexities of developing and maintaining software in-house, more and more companies are choosing to outsource IT. And with the ongoing economic uncertainty, businesses are focusing on the resilience of their third-party software applications to ensure they are prepared for and can recover from service disruption.

Technologies on the rise

The adoption of emerging technologies will not only enable businesses to survive (or recover from) the impact of the global pandemic, it will also bring new benefits such as optimised business processes, better and more personalised customer experiences, enhanced automation and new business models to overcome environmental and societal challenges.

But combine the increasing reliance on emerging technology and third-party suppliers with the disruption all businesses are experiencing, and the importance of software resilience becomes more apparent than ever.

Neither established businesses nor innovative start-ups are immune to the current economic climate, which is an uncertain landscape, regardless of industry or sector. Whether it’s the unpredictability of consumer demand, the introduction of national safety measures or changes in customer behaviour, today’s markets can transform in an instant.

This uncertainty and the resulting risks create a barrier to innovation and growth at a time where these pursuits are essential.

How emerging technologies are being used:

Cloud Adoption & Business Transformation
The global pandemic has driven the need for collaborative, flexible solutions, resulting in a huge rise in the adoption of cloud-hosted software. Companies are investing in cloud-hosted software to enable remote working, with Microsoft experiencing a 775% increase in the number of people using its Teams platform in Italy in just one month[1]. Those without this infrastructure in place have fast-tracked initiatives, with 82% of IT leaders prioritising their use of the cloud as a direct response to the pandemic[2].

Reliance on third-party software applications will continue and by 2022 it’s expected that up to 60% of organisations will use an external service provider’s cloud-managed service offering[3].

Transitioning to the cloud and its associated services comes with its own challenges, including a growing volume of business-critical network workloads that need protection against potential third-party supplier failures.

Artificial Intelligence
Adoption of Artificial Intelligence (AI) technology has accelerated during the global pandemic and is now considered a critical resource for many organisations, enabling them to overcome uncertainties and remain resilient. Behind every application of AI/machine learning there are algorithms which give computers a set of rules to process data. And since algorithms are an instance of logic written in software by developers – often third-party software developers – it’s important that the source code is protected.

Machine to Machine (M2M)
M2M devices using wireless communications are expected to represent fundamental components of a future Internet, where applications allow users to transparently interact with their physical surroundings. However, M2M systems comprise a complex chain of connected systems and devices, making privacy, fraud and the exposure of mission-critical applications problematic when trying to protect the integrity of M2M.

Internet of Things (IoT)
IoT is enabling organisations to bring together disparate systems to create one large, connected ecosystem made up of different elements such as hardware, software, smart devices and sensors. During uncertain economic times, IoT is enabling organisations to reduce costs, improve safety, increase responsiveness and, most crucially, re-design their operations to future proof their business model.

81% of those who have already adopted IoT say that their reliance has grown, with 76% of adopters saying that their IoT projects are already mission-critical[4].

However, due to the increasing complexity of IoT ecosystems and software supply chains, businesses need to ensure the resilience of this technology.

[1] www.accenture.com
[2] www.computerweekly.com
[3] www.gartner.com
[4] www.vodafone.com

A new mind-set

Behind every digital transformation programme is a complex ecosystem of innovative third-party software solutions meaning that service disruptions are a real possibility, especially during times of heightened economic uncertainty.

During the peak of the global pandemic companies experienced a wide range of third-party incidents including supply chain and logistics failures, as well as data breaches resulting in fines, all of which can have a significant impact on customer service, regulatory compliance and reputation.[5]

Unexpected surges in demand for specific third-party applications during the pandemic also increased the risk of third-party service unreliability or service failure, potentially impacting the business continuity for thousands of organisations.[6]

This was the case in March 2020 when Microsoft experienced cloud capacity issues due to a sudden surge in demand and other COVID-19 related disruptions in their supply chain. The experienced Cloud Service Provider was forced to make adjustments to maintain performance and prevent a failure for its millions of Office 365 users.[7]

Whilst there are many benefits to businesses utilising third-party applications to power critical day-to-day operations, reliance on these services introduces new and significant risks. With companies experiencing double the amount of IT-related incidents since the beginning of the pandemic, and in some verticals 11x the number of incidents[8], it’s evident that service disruption is inevitable and businesses must manage third-party risk.

[5] www.deloitte.com
[6] www.accenture.com
[7] www.zdnet.com
[8] www.pagerduty.com

In other words, outsourcing business-critical technology can potentially put an organisation’s business continuity, regulatory compliance, brand reputation and financial status at risk.

Software customers should prepare for severe but plausible events, such as supplier insolvency or failure, as well as routine disruptions where remediation measures are well known and pre-determined. Software suppliers should support their customers with a proactive approach to risk management, including activities aimed at strengthening their operational resilience.

Working together, software suppliers and customers should implement, document and test risk management controls such as business continuity and exit plans that cover both stressed and non-stressed exits. Only by doing this can all parties be confident in the resilience and continued availability of business-critical third-party software.

Which sectors have the greatest need for resilience?

Any organisation that outsources business-critical IT services should consider if they have processes and policies in place to guarantee the resilience and long term availability of third-party software. Certain industries, such as those that are heavily regulated and those where adoption is essential to remain competitive, have an even greater need to ensure their software is resilient.

Finance, Banking and Private Equity
Becoming operationally resilient has never been more important, nor challenging for financial organisations. Technology plays a huge role in the delivery of services and staying competitive; from the instant processing of millions of transactions to delivering fast, convenient payment methods for consumers. Many such technologies rely on an ecosystem of third-party providers, placing firms under increased pressure to properly manage the associated risks.

34% of financial services organisations stated their resilience plans contained gaps in how to address technology, in response to the global pandemic.[9]

Transport & Manufacturing
Many manufacturing organisations have facilities, distribution and storage partners, and other assets located in different cities, across the country or even around the world. This makes for complex supply chains that involve the digitisation of systems and tasks, making business continuity across all locations even more challenging.

To address information silos, many have adopted Edge, IoT and cloud technology, enabling them to centralise data and information in dashboards and reports. With these business-critical solutions in place, software resilience is essential, especially considering the disruptive impacts incidents like the global pandemic have had on supply chains.

Other emerging manufacturing advancements that are reliant on technology include connected cities, smart tracking and industrial automation.

[9] www.deloitte.com

Professional Services
Advancements such as accounting software and automation are revolutionizing the way professional services firms serve their clients. However, with clients relying on their trusted advisers to protect their confidential and personal data, firms must be confident about their own internal processes, as well as those of suppliers and partner organisations.

The recent pandemic has caused a global economic slowdown, which is significantly impacting the growth of professional services, with an expected compound annual growth rate (CAGR) of only 0.1% in 2020.[10]

This highlights the necessity for firms to ensure challenges to their business-critical technologies – such as ERP systems, predictive analytics, Big Data processing and cloud platforms – do not impact their ability to deliver services to their clients or impact security.

Retail
No matter their size or speciality, retailers are investing in new applications such as inventory management and payment processing software to meet ever-changing customer demands.

The global pandemic has shifted what consumers are buying, their methods of purchase, and how much they are spending:
• In Canada, 21% of consumers expect to spend more on groceries, while 44% will spend less on apparel and footwear.[11]
• U.S. retail e-commerce reached $211.5 billion in Q2 2020, up 31.8% from Q1, and 44.5% year-on-year.[12]

Many retailers have had to respond to these shifts by adapting their strategies and adopting technologies that can fulfil rising needs. Due to their very nature, downtime of these applications can mean large revenue losses and lasting damage to not only a single retail outlet, but an entire network or critical infrastructure.

Information Technology
Though digital transformation was already a priority for businesses in many sectors, demand for emerging technologies such as IoT, cloud computing, automation software and more, has seen a huge increase in 2020. Remote working, increased use of SaaS solutions and the need for flexibility places increased pressure on IT providers.

Those that utilise an ecosystem of third-party partners to deliver their IT services must therefore respond to this by taking measures to ensure business continuity:

“Most organisations do not have a tech stack in place for a reliable business continuity plan (BCP). Due to enhanced remote work scenarios, IT departments will play a larger role in BCPs, and will need help from IT service providers in procuring devices, setting up a resilient flexible and secure network, disaster recovery systems, IT security, etc.”[13]
Deloitte.

[10] www.businesswire.com
[11] Voice of Canadians and impact to retailers, Deloitte
[12] www.techcrunch.com
[13] Understanding the sector impact of Covid-19, Technology sector, Deloitte

Is your business prepared for service disruption?

Understanding if your business is prepared for service disruption starts with an assessment of how resilient your third-party services are. This includes the resilience of both existing business-critical solutions and any you are likely to procure in the future.

Global spend in enterprise software is set to reach $556B by 2021, a 10.5% increase since 2019.[14]

With extensive software portfolios and multiple risk management and business continuity initiatives running simultaneously, it’s often difficult to determine if existing policies and processes ensure software resilience.

25% of Software Customers don’t have any kind of business continuity plan in place.[15]

We’ve included some of the questions below which software customers can use to determine if their software is resilient and if they are prepared for and equipped to respond to and recover from third-party service disruption.

Questions to determine your preparedness for service disruption
• Would your business be unable to function effectively if the application suddenly became unavailable?
• What would happen if one of your key software suppliers were acquired, involved in a legal dispute or went out of business?
• If required, can you be sure that you would still be able to access your software source code in order to maintain and support it?
• If it becomes necessary to rebuild your source code from its component parts, can you be sure you are able to do so?
• Do you have concerns about application availability in the cloud?

[14] www.gartner.com
[15] IT Leaders’ Perception of Risk in Cloud Computing, NCC Group Report

Taking a proactive approach to software resilience is the best way for you to ensure you’re managing the risks associated with IT outsourcing and can recover from service disruption.

It also enables you to confidently innovate and implement new technology, safe in the knowledge that it is resilient and will always be available – even if your supplier is no longer around to support and maintain it.

What is Software Resilience?

Software Resilience focuses on a business’ ability to prepare for, respond to and recover from third-party service disruption, and an effective Software Resilience strategy enables the continued availability of business-critical third-party software. Software Resilience solutions enable business continuity by guaranteeing access to the application environment, the source code and the knowledge and guidance required to rebuild or restore the application from scratch should the need arise.

The business opportunity of Software Resilience

Developing a Software Resilience strategy, implementing the right solutions, and investing time and energy into protecting business-critical applications before inevitable service disruption occurs allows you to:

Strengthen operational resilience
Operational resilience is an organisation’s ability to rapidly adapt to changing environments. This includes the resilience of systems and processes, and the ability to continue operations during disruptive events. With the right measures, businesses can minimise the impact of software-related disruption and get back to normal operations quicker.

Protect your investment
Managing the risks associated with third-party failures helps you protect your investments in business-critical software and minimises potential impacts of a loss of service, like reputational damage and financial loss.

Third-party failures can cost companies as much as £783 million per incident[16]

Enables confident innovation
With Software Resilience, you can be confident in the availability of the innovative third-party provided technology that drives key business functions, processes data and provides the level of service expected by you and your customers.

[16] www.fsmatters.com

Enhanced customer trust and loyalty
Software Resilience solutions ensure your business can recover rapidly from service disruption, meaning the impact to the end user is minimal, if at all. Meeting end user expectations is vital in an increasingly competitive marketplace, as failure to do so could result in a loss of business.

Software Resilience can also help enhance customer trust and loyalty, as it enables you to out-perform competitors when responding to and recovering from unplanned events.

Enhanced internal processes
Taking a proactive approach to compliance keeps internal processes front of mind, allowing you to easily find ways to improve and implement changes in line with the latest requirements.

What business initiatives does Software Resilience support?
Software Resilience supports a whole host of business initiatives and is therefore beneficial across several business functions; from operations to compliance:
• Digital transformation
• Cloud migration
• Business continuity assurance
• Regulatory compliance
• Supply chain and software risk management

Starting the journey to Software Resilience

Ensuring the resilience of business-critical services is an ongoing journey, as you may on-board new software suppliers in the future or the criticality of an application may change over its lifetime.

For over 30 years NCC Group has been providing robust and effective software resilience strategies. This supports software customers to strengthen operational resilience, mitigate third-party risk, and ensure the continued availability and further development of business-critical third-party software.

When should you discuss Software Resilience?
• When entering new agreements with unestablished third parties.
• For any software applications that support a business-critical process.
• Customised applications that are specific to your organisation and cannot be replaced easily.
• Applications that contain significant financial investment.
• Applications from niche software suppliers.

Developing a Software Resilience strategy

A software resilience strategy enables the continued availability of business-critical software. To achieve this, organisations should focus on three key activities:

01. Identify and assess
The level of risk that your organisation is exposed to through dependency on third parties will depend on a number of factors. To ascertain your level of risk exposure, implement a robust risk assessment model taking into account issues including:
• Solvency of third party critical software and solution providers, with consideration given to regional regulations and IT questionnaires.
• Financial or reputational loss associated with the discontinuation of critical solutions and systems, resulting in compromised services.
• Whether sufficient protection is provided over the intellectual property rights to access and use source code, for those applications identified as critical to business operations.
• Whether alternatives for critical systems and applications exist or have been identified and if so, whether application and system risk is mitigated for any transition period to any identified products.
• Knowledge retention with regard to the development of in-house applications and systems, ensuring application build and deployment processes are documented to the required standard in order to safeguard against resource loss.

For Software Resilience Assessment to be effective, you should assess, at the very least, four key areas – the vendor, the application, internal technical expertise and internal operations. Using NCC Group’s Software Resilience Assessment tool, you can quickly classify low, medium and high-level software risks.

02. Manage
Implement controls, processes and policies to manage the risks across all stages of the software journey – from choosing a supplier, through to procurement, to software end of life and even exit plans. This enables you to mitigate the impact of third party failure as much as possible, allows you to get back to business quicker and protects the experience of your customers. Actions such as adding Software Resilience solutions to initial negotiations of the licensee agreement allow the interests of your business and intellectual property of the supplier to be protected.

03. Monitor
The successful ongoing monitoring of your software portfolio also minimises the impact of any service disruption or downtime. Regularly review Software Resilience solutions to see if they are fit for purpose and if any additional services need to be incorporated. Software Resilience Verification testing should be conducted annually as a minimum, after major software releases or updates and for agile projects at a predefined frequency.

Best practice approach to Software Resilience

To establish a consistent approach to third-party software risk management and to protect the investment made in software applications, NCC Group recommends:

• Bringing the issue of risk to board and strategic level in order to raise awareness of managing third-party software risk internally.

• Using recommended risk assessment tools or methodologies from independent assurance specialists to review the current software application landscape and assess the level of risk you could be exposed to.

• Developing an on-boarding process for the use of any new third-party software supplier with escrow agreements and an entry-level of verification testing as a minimum.

• Establishing a secure library with all tested and documented details of business-critical applications, ensuring that details of the environments, resource and expertise requirements are recorded.

• Testing the rebuild or data extraction of any high dependency applications ensuring that they form part of any business continuity plans.

• Implementing a consistent approach across the organisation with a documented process to assess the level of risk posed and for the implementation of escrow and testing with a recommended provider.

• Reviewing and testing this approach on a regular, consistent basis.

Software Resilience solutions

NCC Group’s Software Escrow and Verification services enable your organisation to
strengthen its operational resilience and ensure the continuity of business-critical third-party
software applications. NCC Group’s team of in-house legal and technical experts can guide
you through a comprehensive risk assessment of your software portfolio to determine the
appropriate level of protection and ensure you are prepared for any eventuality.

Software Escrow Agreement
Our Software Escrow Agreements are legal contracts between three key parties – the software supplier, the end user of the software and NCC Group.

With an escrow contract, software source code or other IP from the developer is placed in a secure escrow account held by NCC Group – either in physical or virtual vaults. If in the future, the supplier is no longer able to support the product for reasons specified in the escrow agreement – such as bankruptcy, obsolescence, merger or acquisition – the technology user will still have access to the source code, IP, and other “know how” to keep their mission-critical applications and systems up and running.

The agreement details the material held in escrow and the terms of the release of the material in the event of predefined trigger scenarios. Once released, the software customer can then maintain the software, working from the original source code, whether that be in-house or by engaging with another supplier.

Software Escrow Verification Testing
With an escrow agreement guaranteeing that the software source code is accessible, Software Escrow Verification Testing provides assurance that, should an application ever need to be restored or recreated from the original source code, the knowledge and guidance to do so will be available.

Customers gain the knowledge and guidance to be able to take over the maintenance and management of the application service if necessary. Software suppliers can reassure their customers by demonstrating the quality of their services and their commitment to best practice.

Escrow as a Service (EaaS)
For cloud-hosted systems, NCC Group’s EaaS solutions ensure the continuity of services and enable organisations to employ effective risk mitigation procedures that protect the use of the system and access to individual data in an emergency scenario. EaaS Agreements and Verification options are fast becoming the standard for organisations looking to protect their business-critical cloud applications.

Do I need Software Escrow verification testing?

If your answers to the following questions suggest the application is tailored to your business, requires frequent support or cannot be easily replaced, then you will need testing as part of your escrow protection.

• Is the application bespoke? Has it been built specifically to support your organisation and is not supplied by the software owner to any other organisation?
• Is the application off-the-shelf but with elements that have been tailored specifically for your organisation?
• Does your supplier provide you with upgrades and/or fixes to the application on a regular basis?
• How frequently do you have to call on your supplier for support?
• How quickly could the application be replaced? – Consider how long the procurement and implementation of the application originally took.

Businesses succeeding with Software Resilience

We’ve already empowered businesses across a range of sectors to enhance their Software Resilience. Here’s what they had to say:

Andy Ellis
Head of NatWest Ventures
“Being proactive and placing security and resilience at the start of any development means that we can confidently explore ideas and push boundaries, safe in the knowledge that we are managing any risk associated with our software supply chain responsibly”

Malcolm Bridgeford
Chief Operating Officer, Aerogility
“With NCC Group’s assistance in reviewing our application, we have provided further assurance to our customers that they are deploying a secure and robust application to adhere to the day-to-day challenges faced with fleet availability”.

Gavin Leigh
Group Commercial Director, Civica
“Our long-standing affiliation with NCC Group has helped shape our approach to business continuity in addition to providing a smooth delivery of services to our customers. We look forward to partnering with NCC Group to assist us in driving growth and helping transform the way our customers work”.

Andy Earnshaw
Senior Commercial Analyst, National Grid
“Working with NCC Group was easy, the team understood the importance of the Regional Nomination Platform to both the organisation and our strategic partners. NCC Group’s Escrow as a Service solution fitted our needs, the unique application and our business continuity plan”.

Andriy Begunov
Chief Information Officer, First Ukrainian International Bank
“Having NCC Group protect and verify our software means we have an independent, comprehensive audit and report of the software build process, providing us with a robust business continuity plan should the need arise. We look forward to a long and successful working relationship with NCC Group”.

Why NCC Group?

With over 30 years’ experience in Software Escrow alone, NCC Group is a leading independent technology assurance provider. Our in-house legal and technical experts are trusted by some of the world’s leading businesses to protect and provide resilience for their critical software assets.

Our range of resilience-led risk mitigation solutions provide organisations with a foundation for innovation, and our partnerships with leading cloud providers AWS and Azure extend this opportunity to the cloud.

To provide our customers with the highest possible standard of security, we have a sophisticated global network of state-of-the-art virtual vaults, which are used to safely store the data required to access or recreate business-critical applications.

For support in starting your journey to Software Resilience, or for more information on how NCC Group Software Resilience solutions can support your business, get in touch with our team of in-house legal and technical experts at:

response@nccgroup.com

www.nccgroup.com
