
Company directors, officers urged to re-evaluate their exposure to IT risk — by Escrow Europe managing director, Andrew Stekhoven

‘Directors: The Steinhoff debacle highlights your exposure to personal liability’ was the warning trumpeted in the headline to a recent BGR Pyper Turner newsletter article. 

The article referred to the ‘new’ Companies Act of 2008, which promised to place greater accountability and liability burdens on directors and officers (in response to directors being given greater powers in the Act) and reiterated that a director is to act in good faith and in the best interests of the company.  

Importantly, the Act did not distinguish between non-executive and executive directors and brought into law the fact that directors and officers would be personally liable for any costs, losses or damages resulting from a breach of their duties.

In fact, several have mooted that directors and officers take out insurance to fund the defence costs of any director or senior manager who finds that a claim has been made against them about the way in which they have managed the company. These claims can come from a variety of sources, including regulators, employees, shareholders and creditors.

To date, no non-executive director (Steinhoff or otherwise) has been held liable under these provisions. This could change, as unhappy overseas investors are gearing up to sue the directors of Steinhoff for the losses they suffered.

Many directors are all too aware of their exposure to personal liability when it comes to financial dealings (as in the Steinhoff case), but too few have evaluated their exposure when it comes to other facets of a company’s business.

Of particular concern is the pervasiveness of information and technology (IT) in business today, which I believe mandates the governance of IT as a corporate imperative.

As King III (Note 1) correctly identified, information systems were historically used as enablers to business but have now become pervasive in the sense that they are built into the strategy of the business.

Some South African directors have reacted smartly to this very real threat to the company’s business continuity. They have recognised that today’s fragile social and economic environments necessitate quick and decisive action, prompting them to evaluate all the possible risks – not just financial – and put appropriate measures in place to ensure their business continuity for the foreseeable future.

King IV provided guidelines. Practices under principle 12 recommended that any governing body (board of directors) should:

  • assume responsibility by setting the direction for how the organisation should approach and address information and technology (IT),
  • approve policy to give effect to the direction, delegate to management the responsibility to manage IT effectively,
  • oversee the management of IT, including overseeing that:
      o IT risks are integrated into the organisation-wide risk management,
      o the organisation is resilient,
      o management responds to security and social media incidents with a breach coach,
      o IT is used ethically and responsibly through an IT policy,
      o IT laws are complied with,
      o information management sustains and enhances the intellectual property protection of the organisation,
      o an enabling and supportive IT architecture exists,
      o data protection,
      o information security law aspects are in place,
      o the risks pertaining to the sourcing of IT in IT contracts are managed,
      o the organisation responds to disruptive technologies,

  • consider receiving periodic independent assurances on the organisation’s IT arrangements, including outsourced services,
  • disclose the governance and management of IT by the organisation, including disclosing an overview, focus areas, actions taken and plans.

Business continuity in a cash-strapped world is uncertain and never before has the need to ensure information security and integrity been so vital, with safeguards like active escrow – a vital operational risk management measure – necessary to mitigate disaster.

A big question that has been overlooked by South African directors and officers when it comes to risk management in the context of mission critical ICT is: ‘What are our annual revenue streams that are dependent on technology platforms over which we have limited or no control?’

For corporate entities, this is to be measured in millions of Rands and therefore provides the imperative for the practice of active source code escrow in underwriting technology dependent risk.

According to Gartner, technology escrow is a smart and effective component of a business continuity strategy that software licensees can use to protect their mission critical applications in an ever-changing environment.

As an alternative to purchasing an actual source code license, an active escrow arrangement is the only way whereby access to maintainable information systems, by the software end-user, can be guaranteed:

  1. Irrespective of the stability or commercial status of the software supplier.
  2. If certain predefined commitments such as warranty, support and maintenance are not honoured.

Escrow is used to reassure customers, protect intellectual property and maintain a competitive edge. Software suppliers, worldwide, are recognising that software escrow is a stamp of quality for demonstrating commitment to their clients in respect of their company and product, and that their client’s need for escrow is perfectly legitimate as the arrangement deals with mission critical software that requires additional continuity of use warranties.

You can assess your risk by providing answers to the following questions:

  • How many mission critical software platforms do we use?
  • What are our annual revenue streams that depend on these platforms?
  • Do we have escrow agreements in place for each platform, and if so, how many (different) escrow agreements do we have? Are they of any use (i.e. active or passive)? Are they governed by foreign jurisdiction (i.e. would pursuing a release be so costly as to call into question the value of having such an escrow arrangement in the first place)?
  • Do we have an escrow standard that provides a uniform risk profile for all vendors that supply and support our mission critical software platforms?

To manage the risk of your business’s absolute dependence on your software supplier, active software escrow provides your business with guaranteed access to the source code for your mission critical systems. It is an elegant and cost effective solution for managing the multifaceted business continuity risks and due diligence obligations facing you as a director and/or officer.




  1. IoD guidelines on the subject of active escrow protection can be found at http://www.iodsa.co.za/ezine_view.asp?StoryID=69. This guide (and a comprehensive 27-page White Paper) is the result of an instruction to Escrow Europe from Judge Mervyn King to produce proper guidelines for South African Directors and Officers as to professional escrow good governance practice.
  2. “Software escrow is an insurance policy to make sure you have access to that source code should that vendor no longer maintain that software for your organisation, so this gives you an alternative.” Jane Disbrow, Gartner Research Director for the IT Asset Management and Applied Research Group.