Wayne Scott, GRC Solutions Lead at Escode
In financial services, disruption can often emerge through the software supply chain, particularly where organisations rely on critical software they cannot independently maintain or recover.
Modern financial services systems are built on layered dependency. Core software sits on top of third-party platforms, which themselves rely on cloud infrastructure, external services and – increasingly – AI models. Each additional layer introduces exposure, while reducing visibility into how critical systems would be maintained or rebuilt if a supplier fails.
Under stable conditions, these dependencies rarely attract scrutiny. However, when conditions shift, whether through geopolitical instability, economic pressure or market correction, the risk of failure increases and becomes far more visible.
How geopolitical instability exposes software supply chain risk
Recent instability, including the war in Ukraine and tensions in the Middle East, has shown how quickly disruption can propagate across supply chains, infrastructure and interconnected services. Conflict affects trade routes, energy supply and critical materials that underpin digital infrastructure.
Semiconductor manufacturing, cloud platforms and data centres all rely on these critical resources, many of which are concentrated in geopolitically exposed regions, including parts of the Middle East and Asia. When they are disrupted, pressure flows directly to the third-party software, infrastructure and service providers that financial institutions rely on.
Disruption in those regions can quickly translate into third-party risk for financial institutions. In many cases, organisations only discover how dependent they are on critical third-party software, cloud and service providers when those dependencies fail and they are forced to recover operations. Supplier risk emerges in several ways: financial pressure, ownership changes, licensing adjustments, service deterioration or the gradual withdrawal of support. In periods of instability, those pressures can escalate quickly. In other cases, risk builds gradually under stress before eventually emerging as service disruption.

In our experience, many financial institutions rely on the same core software platforms, providers and infrastructure. When stress affects one part of that ecosystem, the impact can spread far beyond a single organisation.
There is also a tendency to assume that the largest providers are inherently stable, but that’s a dangerous position to adopt. Some of these companies now operate at a scale where traditional intervention becomes increasingly difficult. Thinking these organisations are ‘too big to fail’ is risky. Instead, the issue actually becomes whether they are too big to save.
For financial institutions, the priority must be ensuring operations can continue when critical third-party software, cloud or infrastructure dependencies fail or are disrupted.
Why resilience plans often fail under pressure
Plenty of organisations believe they have plans in place to manage the failure of their critical third-party dependencies. Contracts with third-party software and service providers are in place, due diligence has been completed and contingency plans exist. However, research from Escode and the Center for Financial Professionals found that almost 80% of financial institutions have not verified whether their SaaS or cloud providers have credible stressed exit plans in place for their own suppliers. There is a perceived sense of control, but the reality is that much of it remains untested. In many cases, firms are still relying on contractual assurance rather than independently verified recovery capability. Some also treat insurance as a fallback, but insurance compensates after disruption – it does not mitigate the operational impact of supplier failure.
The key question firms need to be asking is whether those plans would actually hold under pressure. Can systems be maintained or rebuilt independently? Is there sufficient access to the underlying software and dependencies? Have recovery pathways been tested in realistic scenarios? In many cases, the answers are ambiguous at best.
Regulators are already pushing firms to do more – particularly in financial services. Frameworks such as DORA, SS2/21, the UK’s Critical Third Parties regime and the US Interagency Guidance on Third-Party Relationships are all focusing less on documented intent and more on evidence that critical services can continue to operate under stress. Similar thinking is also emerging more broadly across the Middle East, including through CST guidance recognising software escrow as part of wider operational resilience planning.
For many organisations, that requires a different approach. It means testing recovery and exit strategies in a meaningful way, validating that systems can actually be rebuilt, and understanding how critical applications would be supported if suppliers are no longer able to deliver.
The pressure on financial services is likely to increase
Over the past few years, large volumes of investment have flowed into tech companies and AI development, often supported by expectations of long-term recurring revenue and rapid growth. If parts of that market come under pressure, the impact will feed directly into the software, cloud and infrastructure dependencies that financial institutions rely on.
Geopolitical instability has a habit of exposing assumptions very quickly. Weak third-party dependencies and untested recovery capabilities often remain hidden until a period of stress exposes them.
Accountability for these risks ultimately sits at board level. Decisions around supplier strategy, technology adoption and risk appetite are made there, as are the contingency plans when disruption affects customers, markets or regulatory standing.
The organisations in the strongest position will be the ones that already understand where their exposure sits, and have already tested whether critical systems can continue operating if suppliers fail.