IT Brief Asia - Technology news for CIOs & IT decision-makers
Financial firms risk disruption by neglecting supplier exit plans

Tue, 18th Nov 2025

Most financial institutions have not confirmed whether their cloud or SaaS providers have tested exit plans for their own critical vendors, a new industry survey has revealed. The data highlights concerns about overlooked operational risks in financial firms' complex technology supply chains.

Vendor blind spots

Research from the Centre for Financial Professionals (CeFPro) and Escode found that almost 80% of surveyed firms have not checked if their technology vendors are prepared to handle the failure of their own essential suppliers. This creates a risk that banks and insurers could face significant disruption if a single point of failure occurs further down the supply chain.

The study found that only 21% of financial institutions have reviewed their providers' stressed exit plans. These plans are designed to ensure continuity in the event that a critical upstream supplier fails or withdraws services. Downstream SaaS vendor risk is frequently overlooked, with many firms assuming resilience rather than requiring proof.

Regulatory pressures

Regulators have tightened their expectations for operational resilience across the financial sector in response to high-profile technology failures and increasing reliance on external providers. Rules such as DORA in Europe, the Prudential Regulation Authority's SS2/21 in the UK, and the UK's upcoming Critical Third Parties regime have all placed supplier risk under greater scrutiny.

Among firms that have reviewed provider exit plans, confidence in operational resilience is much higher. Thirty-eight percent of this group report strong confidence in their ability to withstand critical supplier failures, and just over half are confident they meet current regulatory requirements. In contrast, among organisations that have not requested exit plan evidence, not one expressed high confidence in their own resilience, and only 21% reported full regulatory compliance.

Planning deficits

The report also uncovered an apparent lack of urgency in addressing these gaps. Forty percent of respondents said they had either not asked their providers for evidence of a plan, had no intention to do so, or were unsure whether a request had been made at all. The absence of clear oversight and planning could lead to unanticipated audit findings, fines, or operational failures.

Independent verification of supplier plans is emerging as a critical step in meeting the evolving regulatory environment. The findings suggest self-assessment alone is insufficient, and firms need more robust oversight of their software supply chains.

Escrow arrangements

Software escrow has been identified as one approach to mitigate these risks. By holding the underlying source code of essential applications in trust, firms can ensure they retain access to critical systems if a vendor fails. Among those using escrow for their SaaS and on-premise software contracts, 21% reported high confidence in their exit planning.

Testing the ability to restore systems independently is central to many of the regulatory expectations emerging worldwide.

Andreas Simou, Managing Director, CeFPro, said, "Organisations may be getting better at recognising immediate supply chain risks, but downstream risk is still too often assumed, rather than tested. Without verifying the exit plans of their software suppliers, businesses risk being underprepared and blindsided by failures they can't control, leading to application downtime that could cripple an institution.
"However, this also represents a clear opportunity for firms to strengthen resilience. By proactively verifying supplier exit plans and embedding independent checks, organisations can turn a potential weakness into a source of confidence - improving continuity, protecting customers, and staying aligned with regulatory expectations."

Wayne Scott, GRC Solutions Lead at Escode, commented: "Firms are increasingly expected to understand and manage exit risks across their extended supply chain - a focus reinforced by DORA, SS2/21, and the UK's forthcoming Critical Third Parties regime. There was a clear boost in confidence for firms that were using escrow agreements in terms of stressed exit planning and that comes as no surprise as they allow organisations to test and verify that systems can be rebuilt and run in practice, whether the supplier goes out of business, withdraws support, or suffers disruption. This turns a theoretical safeguard into a proven recovery path - cutting the risk of costly downtime and helping firms demonstrate compliance with regulatory standards."
