Escode Whitepaper 2025



• Which of the following best describes your organization’s use of SaaS services for material/critical functions?

• Who in your organization is responsible for mitigating supplier failure, service deterioration, and concentration risk within your SaaS supply chain?

• Have you requested proof from your Cloud/SaaS provider that they have stressed exit plans for their critical third-party vendors?

• How confident are you in the completeness of your organization’s stressed exit plans for critical third-party service providers?

• How frequently does your organization assess the financial stability of its critical third-party providers?

• Is your organization adopting any different approaches to on-premise versus cloud applications?

• Does your organization currently use software escrow services to protect against supplier failure, service deterioration, and concentration risk?

• How well does your organization manage third-party risks in accordance with evolving regulatory frameworks (DORA, FFIEC, SS2/21)?

• Over the next 12 months, what will be your organization’s top priorities for improving third-party risk management?


• Who in your organization is primarily responsible for managing third-party risks, including supplier failure and service deterioration?

About CeFPro & Escode


About Us

About CeFPro

The Center for Financial Professionals (CeFPro) is an international research organization and the focal point for the global community of finance, technology, risk, and compliance professionals from across the financial services industry. CeFPro is driven by high-quality, reliable, primary market research. It has developed a comprehensive methodology that incorporates data from its global community that has been validated by an international team of independent experts.

Examples of some of CeFPro’s research include:

• Non-Financial Risk Leaders: the most comprehensive independent study of trends, opportunities, and challenges within non-financial risk.

• Fintech Leaders: an international survey to assess the status of the fintech industry and provide details for informed decisions on technology and business-related matters.

To find out more, visit www.cefpro.com/research

About Escode

Escode is the global leader in software escrow, and the only provider offering fully tailored agreements backed by in-house legal and technical teams. Our services cover both cloud-based and on-premise environments, and are designed to flex with the scale and complexity of modern systems.

As part of the NCC Group, we bring over 40 years of experience working with some of the world’s most recognized financial institutions. With global teams and deep regulatory insight, we help organizations meet resilience expectations, secure critical software assets, and protect long-term business continuity.

Our service model extends beyond contractual access. Through regulatory guidance and hands-on verification, Escode helps firms operationalize escrow and build confidence in their third-party resilience strategies.

Introduction


Today, 93% of financial institutions rely on cloud-based systems for material or critical functions. Yet many still operate without clear oversight: stressed exit strategies go untested, risk ownership remains undefined, and operational continuity is often assumed. Now that cloud systems are central to critical operations, risk strategies must evolve.

Regulators have raised expectations. Firms must now demonstrate operational resilience — across both internal systems and software-as-a-service (SaaS) providers — through tested, verifiable controls, not policy alone.

2025 marks a shift from preparation to enforcement. The EU’s Digital Operational Resilience Act (DORA) became applicable in January [1], and the UK’s transition period for SS2/21 concluded in March [2]. These frameworks now require firms to prove they can withstand disruption. Without clear visibility or independent verification, continuity under stress cannot be assured. Risk can be distributed across vendors, but accountability under these frameworks rests with the financial institution.

Building on 2024 research, this paper explores the state of SaaS resilience amid higher stakes and shifting expectations.

It examines the gap between confidence and actual preparedness — especially when managing indirect risks in the SaaS supply chain — and shows how software escrow services help firms verify continuity, satisfy regulatory demands, and build lasting assurance.

93% of financial institutions rely on cloud-based systems in a major way. Yet, 27% don’t know who owns risk in their SaaS supply chain — a key layer of cloud services.

Figure A: (chart; data may not add up to 100% due to rounding)

Methodology

This report is based on a two-phase research process. Our survey engaged 101 industry professionals within financial services, with additional insight gathered through one-to-one interviews with industry experts to add depth and real-world context.

Key demographics included:

Sectors

Exactly half (50%) of respondents were from banks. Other participants came from insurance (12%), asset management (8%) and fintechs (6%), with a smaller portion from regulatory bodies (3%). The remaining 21% fell in an ‘other’ category, spanning advisory firms, pension schemes, retail, risk service providers, and several additional categories. [3]

Functions

Most participants work directly in risk-related roles. Third-party risk management (29%), enterprise risk (17%), and operational risk (14%) made up the majority. Other areas included procurement (8%), compliance/legal (5%), IT/cybersecurity (5%), and audit (1%). An additional 20% came from senior leadership, governance, or cross-functional oversight roles. [4]

Geography

Organizations were primarily based in North America (37%), the UK (25%), and the EU (22%). The remaining 17% spanned other regions, including Asia-Pacific, the Middle East, and Africa. [5]

THE CONFIDENCE GAP


Confidence ≠ Compliance

Ownership of SaaS supply chain risk remains unclear. While slightly improved from 32% last year, 27% of firms still say they don’t know who is responsible for mitigating key supply chain risks, including supplier failure, service deterioration, or concentration risk. This lack of clarity weakens a foundational pillar of operational resilience.

Yet despite this uncertainty, many respondents believe they are prepared for a stressed vendor exit. Among those without clear risk ownership, 22% expressed high confidence in their stressed exit plans. Over half (52%) reported full compliance with frameworks like DORA, SS2/21, and US Federal Financial Institutions Examination Council (FFIEC) guidance. This disconnect reveals a core issue: a false sense of confidence where clear responsibility is missing.

Among firms unsure who owns SaaS supply chain risk, 1 in 5 report high confidence in their stressed exit plans, and over half claim full regulatory compliance.

Figure B: (chart)

Internally, responsibility for managing third-party risk varies widely — from dedicated third-party risk teams to enterprise risk to procurement [6]. In some firms, the function evolved out of procurement rather than being built around resilience from the start. Without a dedicated function, ownership of key third-party risks is fragmented — making it harder to maintain oversight and embed resilience in day-to-day operations.

This becomes especially critical in SaaS environments, where financial institutions rely on external platforms to run essential processes and manage sensitive data. To build resilience, roles and responsibilities must be embedded across third-party risk frameworks — from onboarding to oversight to service migration.

The survey shows that confidence remains high even without clear responsibility, yet that confidence is unlikely to hold under stress.

Due Diligence Drives Confidence

Only 21% of firms have verified that their SaaS or cloud providers have credible stressed exit plans for their own vendors. This reveals a deeper blind spot: how resilient are the vendors your providers rely on?

Among firms that reviewed these plans, confidence levels were noticeably higher. 38% reported high confidence in their stressed exit plans, and 52% claimed full compliance with regulatory frameworks.

In contrast, 40% of firms had either not requested proof, had no plans to do so, or were unsure whether a request had been made. None of these firms reported high confidence in their own stressed exit planning, and only 21% reported full compliance with evolving regulations. The connection is clear: firms that conduct due diligence beyond the immediate third party are significantly more confident in their resilience and compliance.

So why are 40% of firms still not reviewing these plans? Part of the challenge is structural. In legacy on-premise environments, exit planning focused on familiar failure models — hardware outages or physical disruptions. Cloud-based ecosystems are more complex. Their dynamic and decentralized nature makes it harder to map interdependencies. Understanding what an exit looks like and how it plays out operationally requires both time and technical fluency.

This highlights a growing skill and capacity gap — a concern echoed by several experts during interviews. Many vendors are reluctant to share documentation, often citing confidentiality concerns. Even when plans are provided, many risk teams lack the cloud expertise to assess them or to determine which elements apply to their environment. Together, these factors help explain why 32% of firms are still working through

Internal dynamics add another barrier. Coordinating testing requires clear leadership, but in many firms that role is undefined. Without clear ownership, due diligence often becomes a box-ticking exercise — but true resilience depends on sustained oversight and validation. Smaller firms experience additional barriers: vendors may be unwilling to support tailored reviews for accounts they consider less strategic.

Despite these challenges, firms are increasingly expected to understand and manage exit risks across their extended supply chain — a focus reinforced by DORA, SS2/21, and the UK’s forthcoming Critical Third Parties regime [7].

Confidence in continuity: How software escrow supports stressed exit plans

Software escrow gives firms a practical safeguard for business continuity when relying on third-party software. It enables access to critical software assets — including source code and documentation — if the original vendor can no longer support them. For many organizations, that access strengthens operational resilience and forms a vital component of a credible stressed exit plan. Software escrow helps firms meet financial regulatory requirements — including DORA, PRA SS2/21, and the FFIEC IT Handbook — by ensuring compliance with IT outsourcing rules and protecting business-critical software.

Firms that verified their providers’ plans for downstream disruption are nearly 4x more likely to report high confidence in their own exit planning.

Awareness ≠ Assurance

For the second year, only 18% of firms report being highly confident in the completeness of their stressed exit plans for critical third-party providers. While low-confidence responses have declined since last year, overall confidence hasn’t improved. This year, 27% of respondents described their confidence level as neutral — a shift that likely reflects growing awareness of gaps rather than increased readiness.

Many firms are aware of gaps in their continuity planning — but haven’t yet turned that awareness into testing or evidence. Even in organizations with mature governance programs, confidence only goes so far without real-world validation. Interviewees noted that desktop reviews and internal checklists may tick compliance boxes, but resilience remains theoretical until vendors are part of the testing process.

Assurance isn’t earned through documentation alone. It requires testing, coordination, and follow-through. Until that happens, many firms will remain in the middle — aware of the risks but still uncertain of their ability to respond under stress.

27% of respondents are unsure whether their stressed exit plans for critical third-party vendors are complete — reflecting rising doubt, not confidence.

BUILDING RESILIENCE INTO OVERSIGHT


Ad-hoc Financial Oversight: A Weak Link in Resilience

Despite rising regulatory expectations, many firms still lack structured oversight of vendor risk in a critical area: financial stability. 40% of respondents said they assess this risk inconsistently or not at all. Within that group, only 11% report high confidence in their stressed exit plans — and just 15% say they fully comply with relevant frameworks.

In many cases, financial stability assessments occur only at onboarding or during occasional spot checks. But vendor viability can shift quickly — shaped by sanctions, tariffs, political change, and market shocks. Without regular, structured reviews, early warning signs go unnoticed.

40% of firms assess the financial stability of their critical third-party vendors inconsistently or not at all.

Figure E: Q13. How frequently does your organization assess the financial stability of its critical third-party providers?

This gap extends beyond direct providers. Many firms overlook the financial health of vendors further down their supply chain, where instability can ripple upstream and disrupt core services. These dependencies are often assumed to be covered contractually, but in practice, they rarely receive the same scrutiny.

When financial oversight is reactive, resilience is too. Even firms with mature governance can be caught off guard without structured, regular review. Inconsistent oversight weakens a financial institution’s ability to respond effectively to disruption and meet rising regulatory expectations.

Increasingly, global regulations expect firms to assess financial stability on a regular basis. Continuous, verifiable oversight — not point-in-time checks — is now the industry expectation.


Oversight Uncertainty in Cloud Environments

40% of respondents said they’re unsure whether their organization treats cloud and on-premise environments differently — a signal that many lack clarity on how risk responsibilities are defined or applied in cloud contexts.

Meanwhile, 37% of respondents said they apply distinct approaches to managing risk across these environments. Within that group, firms noted a range of measures — from external audits to internal assessments and contractual controls — though many are still formalizing or experimenting with their approach.

This variation reflects deeper organizational complexity. On-premise systems are often legacy environments with an embedded governance structure, managed directly by internal IT teams. These teams have well-defined controls over systems, configurations, and longstanding risk protocols.

Cloud-based environments, by contrast, span multiple business units, internal stakeholders, and third-party providers — creating a more complex landscape with less centralized control and blurred lines of responsibility. As a result, they demand a more adaptive oversight model.

Many financial institutions are still figuring out how to integrate cloud oversight into risk management frameworks, and until these models mature, resilience and accountability gaps will likely persist.

40% of firms aren’t sure how cloud oversight differs — a signal of blurred accountability in critical environments.

Siloed Safeguards Undermine Resilience

36% of respondents said they don’t know whether software escrow services are currently used to protect against supplier failure, service deterioration, and concentration risk — a sign of limited internal visibility and weak communication around risk management practices.

This uncertainty often reflects siloed ownership. Critical safeguards like escrow can sit within different departments outside the teams responsible for resilience. When teams lack visibility into existing mechanisms, it can create blind spots.

In many cases, escrow arrangements are managed by IT or legal but not communicated to third-party risk teams.

The disconnect suggests that awareness gaps may be driving uncertainty. However, experts noted that because of escrow’s role in continuity, it should sit within third-party risk oversight frameworks. Without a clear communication loop between technical stakeholders and risk functions, important continuity measures can be overlooked.

Figure G: (chart)


Regulatory Alignment

Figure H: How well does your organization manage third-party risks in accordance with evolving regulatory frameworks (DORA, FFIEC, SS2/21)?

Firms using software escrow services report stronger confidence in managing disruption and greater alignment with evolving regulatory expectations. Among those using escrow to protect against supplier failure, service deterioration, and concentration risk, 69% say they fully comply with key frameworks like DORA, SS2/21, and FFIEC guidance.

This suggests that adopting escrow, especially with active oversight and regular testing, may be a marker of operational maturity.

As regulatory scrutiny intensifies around how firms manage software dependencies, escrow helps firms meet rising expectations in IT outsourcing, audit readiness, and business continuity. When integrated into broader governance frameworks, escrow transforms policies into verifiable, testable practices — giving firms a concrete way to demonstrate compliance.

While many financial institutions focus on immediate vendor contracts, SaaS platforms often introduce deeper, less visible dependencies. Escrow offers assurance for the dependencies and failure points deeper in the supply chain.

51% of all respondents report full compliance with evolving third-party risk regulations — but that figure rises to 69% among firms using software escrow services for both SaaS and on-premise systems.

How Escode helps you meet DORA requirements [8]

Establish legal rights to critical software

Escrow agreements give you contractual access to source code, technical documentation, and essential data — even in the event of supplier failure — satisfying DORA’s continuity and third-party access requirements.

Enable knowledge transfer and vendor independence

Escode supports ongoing access and usability through verified deposits, so your teams have the right tools and expertise to operate independently of the original vendor.

Support scenario testing and exit planning

With Escrow Verification Services you can simulate stressed exit events — a DORA expectation — and confirm the usability of escrow materials under real-world conditions.

Provide evidence for regulators

Escode’s documentation and verification reports serve as concrete proof of resilience planning — demonstrating that you can maintain operations without disruption, in line with regulatory expectations.

Resilience and Readiness

Among firms using escrow for SaaS and on-premise software, 21% report high confidence in their stressed exit plans. This suggests a meaningful correlation between escrow use and broader operational preparedness. Escrows signal a more mature risk posture — one where exit strategies are stress-tested, verified, and integrated into wider resilience frameworks.

Escrow strengthens resilience by preserving access to essential technology — giving firms a concrete mechanism to execute stressed exits and maintain continuity under pressure.

But resilience isn’t only about surviving disruption. It’s also about enabling secure growth. Escrow agreements give firms the assurance to onboard new providers, adopt emerging technologies, and scale without introducing unmanaged risk.

21% of firms using escrow for both SaaS and on-premise report high confidence in their stressed exit plans.

How NatWest uses Escode’s escrow services to build confident, compliant growth [9]

Escrow software in action: Case Study

NatWest Ventures partnered with Escode to embed software escrow agreements and verification into the foundation of its fintech innovation program. With a complex supplier ecosystem spanning global and niche vendors, the bank needed a way to future-proof continuity without slowing development. Escode’s solution — built on validated source code deposits and consistent testing — allowed NatWest to scale ventures like Tyl, Esme Loans, and Mettle with confidence. Regular collaboration ensures the latest builds are securely stored, while risk levels are assessed by criticality across the portfolio.

“Being proactive and placing security and resilience at the start of any development means that we can confidently explore ideas and push boundaries, safe in the knowledge that we are managing any risk associated with our software supply chain responsibly.” - Andy Ellis, Head of NatWest Ventures

LOOKING AHEAD


Where Firms are Focusing Third-Party Efforts

When asked about their top third-party risk management priorities for the next 12 months, most organizations pointed to improving visibility. 42% cited enhancing vendor risk assessment capabilities, while 29% prioritized strengthening regulatory compliance measures.

Only 15% identified exit planning as a key focus, and just 14% plan to invest in risk management technology. This suggests that many financial institutions continue to focus on surface-level evaluations while overlooking the underlying risks that threaten operational continuity.

Risk assessments alone don’t build resilience. Without tested controls and embedded safeguards, preparedness remains theoretical. Escrow, as a foundational mechanism for operational continuity, remains significantly underused, even as regulators increasingly demand verifiable plans and auditable exit readiness.

Figure I: Q16. Over the next 12 months, what will be your organization’s top priorities for improving third-party risk management? (Data may not add up to 100% due to rounding.)

CONCLUSION


From Assumptions to Assurance

True resilience depends on testable frameworks, clear accountability, and independent assurance. Escrow supports these efforts by formalizing continuity planning, preserving access to essential systems, and reinforcing compliance.

As SaaS supply chains grow more complex, indirect vendor risks are easier to overlook — and harder to control. To move from assumptions to assurance, firms must go beyond risk assessments and demonstrate how continuity plans will hold under pressure. Escrow meets that demand by securing critical access to software dependencies and making resilience demonstrable.

Ready to safeguard your digital future? Learn more about our software escrow services by visiting www.escode.com.

Executive Summary: Escode’s Reaction

As third-party risk management continues to evolve across the financial services sector, organizations are expanding their lens beyond traditional cybersecurity. The focus is shifting toward broader, operational resilience — how to maintain continuity in the face of supplier failure, service disruption, or shifts in concentration risk.

This year’s findings build on the insights shared by the industry in our 2024 survey, providing a clearer picture of how organizations are advancing their resilience practices in a complex and evolving risk landscape. What we’re seeing is a continuation of a trend first observed last year: many firms have made meaningful strides in third-party oversight, particularly in response to evolving regulatory frameworks like DORA, SS2/21, and FFIEC. Yet challenges remain, particularly in the areas of stressed exit planning, ownership clarity, and evidence-based assurance.

While confidence remains relatively high, the data suggests that some of that confidence is still rooted in assumption rather than verification. For example, a significant number of respondents who expressed confidence in their exit readiness also indicated they had not yet reviewed exit plans from their critical providers. This highlights an opportunity: to further strengthen confidence by reinforcing it with tangible, tested processes and shared understanding across teams.

We also noted a positive shift. Compared to last year, fewer respondents reported outright uncertainty. Many have moved into a more reflective, neutral stance, an indicator that teams are engaging more deeply with the complexities of operational resilience and beginning to identify the gaps that matter most.

A clear insight from the findings is that, although we can’t prevent supplier failures from occurring, we can shape how effectively we respond and recover. The ability to reduce the duration, severity, and operational impact of third-party disruption is where resilience efforts now need to focus. For regulated entities, this moment represents a shift from initial response and awareness to lessons learned and longer-term planning.

This is where tools like scenario-tested escrow agreements and continuity assurance become increasingly relevant. Not as stopgap measures, but as structured components of a resilience strategy that aligns legal, risk, procurement, and IT teams around a common set of expectations and recovery options.

At Escode, we see our role as a supportive partner in this process, helping organizations translate confidence into capability through practical, independently verified solutions. We hope this report contributes to ongoing discussions, regulatory readiness efforts, and the collective advancement of third-party risk management as a discipline.

Because resilience is no longer a siloed responsibility. It’s a shared, cross-functional practice and, increasingly, a strategic advantage.

Wayne

ADDITIONAL DATA

Additional Questions from the Survey

Figure J: (chart)

Figure K: Where is your organization primarily located?

*Data may not add up to 100% due to rounding

Figure L: (chart)

Figure M: (chart)

[1] https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en

[2] https://www.ukfinance.org.uk/news-and-insight/blogs/operational-resilience-compliancedates-and-new-challenges

[3] See Figure J

[4] See Figure K

[5] See Figure L

[6] See Figure L

[7] https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/approach/criticalthird-parties-approach-2024.pdf

[8] https://www.escode.com/resources/enhancing-operational-resilience-software-escrow-andthe-digital-operational-resilience-act/

[9] https://www.escode.com/natwest/?sq=natwest

© Copyright Center for Financial Professionals Limited, CeFPro®, 2025. All Rights Reserved.

No part of The State of Financial Reporting in Banking publication, or other material associated with CeFPro®, may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Center for Financial Professionals Limited, or as trading as the Center for Financial Professionals or CeFPro®.

The facts of The State of Financial Reporting in Banking are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that CeFPro® delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. CeFPro® acknowledges the guidance and input from the Advisory Board, though all views expressed are those of the Center for Financial Professionals, and CeFPro® accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis. For further information, contact CeFPro®.

CeFPro®, Fintech Leaders™ and Non-Financial Risk Leaders™ are either Registered or Trade Marks of the Center for Financial Professionals Limited. Unauthorized use of the Center for Financial Professionals Limited, or CeFPro®, name and trademarks is strictly prohibited and subject to legal penalties.
