AI risk management - How software escrow safeguards financial institutions

As AI integration accelerates across industries, financial services must adopt software escrow to protect long-term investments and ensure operational continuity. File Picture: Courtney Africa / Independent Newspapers

Published Oct 22, 2024

In August 2024, the European Union's Artificial Intelligence (AI) Act came into force, marking a milestone in global AI regulation. Following suit, South Africa's Department of Communications and Digital Technologies (DCDT) is currently reviewing feedback on its draft national policy framework for AI.

This framework will form the basis for AI regulation in South Africa, with potential for a stand-alone AI Act. Amid this regulatory momentum, there is growing concern in the financial services sector about the risks AI-driven solutions present and the need for comprehensive risk mitigation strategies, including software escrow.

As AI technologies rapidly become integral to operations across industries, the financial services sector is especially reliant on third-party AI solutions.

According to Guy Krige, Executive Risk Consultant at ESCROWSURE, the surge in AI adoption is driving the need for more stringent risk management.

"AI models are increasingly essential to enhancing services and operations, but like any third-party software, they introduce risks," says Krige. "This is where software escrow comes into play."

Software escrow is a global best practice that safeguards the source code of third-party software, ensuring access under predetermined conditions. In the context of AI, this measure becomes even more critical due to the pivotal role AI models play in business operations.

Recent security breaches involving AI technology highlight its vulnerability across various industries. According to a 2024 study, 77% of businesses reported AI-related security breaches, with experts noting that AI is particularly susceptible at multiple stages, from code development to network deployment.

The rise in breaches reflects AI’s widespread use in handling sensitive data, making it an attractive target for cybercriminals.

Notable incidents include attacks on Microsoft, where hackers exploited vulnerabilities in AI systems to gain access to sensitive emails from senior leadership and federal agencies.

Additionally, healthcare systems experienced disruptions due to AI-related vulnerabilities, which compromised patient data.

Krige explains: “Software escrow for AI is designed to protect both the AI models and the data, which are increasingly integral to companies' functioning.”

In financial services, the risks extend beyond external attacks. Many AI-driven solutions come from third-party vendors, leaving users such as banks and insurance companies vulnerable if their vendor fails.

"In the event of a vendor's failure, software escrow ensures access to the source code, allowing the user to continue operating the AI software independently or transition smoothly to an alternative provider," Krige said.

Financial institutions face further risks related to Intellectual Property (IP) disputes if AI providers are involved in legal issues or fail to protect their IP rights. Software escrow agreements safeguard operations by guaranteeing access to the source code, enabling companies to maintain their systems without infringing on IP rights.

Furthermore, as South Africa's AI regulations develop, particularly within sensitive sectors like financial services, escrow agreements will likely play a crucial role in regulatory compliance.

Krige adds: “Guidelines from South Africa's Financial Sector Conduct Authority already emphasise the importance of continuity planning in technology outsourcing.

“AI regulations will likely impose specific rules on customer data protection and operational continuity, making software escrow a key component in risk management.”

As AI becomes more embedded across industries, software escrow helps build trust between AI providers and users. Companies with escrow agreements can confidently update or modify their AI systems, ensuring smooth operation, even if a provider can no longer support the software.

“AI technologies evolve rapidly, and companies must adapt to maintain their systems,” concludes Krige. “Software escrow is vital to ensure the long-term viability of AI investments, particularly in financial services, where operational continuity is critical.”

IOL