Escode and CeFPro Report finds 4 in 5 US financial institutions lack tested vendor exit plans, leaving supply chains exposed
Global CeFPro Whitepaper shows most firms have work to do in strengthening resilience in vendor failures
Only 1 in 5 have verified if their SaaS or cloud providers have credible stressed exit plans for their own vendors
Leading software escrow provider Escode says SaaS supply chains are the 'weak link' that could leave banks and insurers exposed to weeks of disruption
ATLANTA, Oct. 21, 2025 /PRNewswire/ -- A groundbreaking report has found that nearly 80% of financial institutions have not verified that their SaaS or cloud providers have tested exit plans in place for their own critical vendors.
The Center for Financial Professionals (CeFPro) has released the Global CeFPro Whitepaper: Supplier Stability in Operational Resilience, which lifts the curtain on a number of potential risks for banks and insurers around the world.
The report revealed that downstream SaaS risk – the vendors behind vendors – is often overlooked when assessing whether a business could be brought down by the failure or closure of another supplier.
The data was commissioned by Escode, the global leader in software escrow solutions, and CeFPro, an international research organization focused on the financial services sector. It shows that just 21% of financial institutions have reviewed their providers' stressed exit plans to understand whether a downstream vendor failure could disrupt access to critical applications – revealing a key opportunity for the majority of firms.
Of those that had taken the step of reviewing their stressed exit plans, confidence levels in operational resilience were significantly higher. More than a third (38%) said they were highly confident in the robustness of their plans, while just over half (52%) said they were fully aligned with evolving supervisory expectations.
By contrast, 40% of organizations admitted they had either not asked for evidence of a plan, had no intention to do so, or were unsure if a request for evidence had been made. Within this group, not a single firm expressed high confidence in its own stressed exit planning, and only 21% reported being fully compliant with evolving regulations.
Andreas Simou, Managing Director at CeFPro, said the findings highlight a critical area of improvement in resilience planning, adding: "Organizations may be getting better at recognising immediate supply chain risks, but downstream risk is still too often assumed, rather than tested.
"Without verifying the exit plans of their software suppliers, businesses risk being under prepared and blindsided by failures they can't control, leading to application downtime that could cripple an institution.
"However, this also represents a clear opportunity for firms to strengthen resilience. By proactively verifying supplier exit plans and embedding independent checks, organizations can turn a potential weakness into a source of confidence – improving continuity, protecting customers, and staying aligned with regulatory expectations."
One of the potential solutions highlighted in the report is software escrow, which ensures businesses can still access and use the critical source code underpinning key applications if a vendor fails.
Among firms using escrow for SaaS and on-premise software, 21% reported high confidence in their stressed exit plans.
Julie Antonelli, VP of Sales at Escode, said: "Firms are increasingly expected to understand and manage exit risks across their extended supply chain – a focus reinforced by guidance from the OCC, the Federal Reserve, the SEC, and state regulators such as the NYDFS.
"There was a clear boost in confidence for firms that were using escrow agreements in terms of stressed exit planning and that comes as no surprise as they allow organizations to test and verify that systems can be rebuilt and run in practice, whether the supplier goes out of business, withdraws support, or suffers disruption.
"This turns a theoretical safeguard into a proven recovery path – cutting the risk of costly downtime and giving firms a proven way to validate recovery paths, reduce downtime risk, and show regulators they can protect customers and operators."
The Global CeFPro Whitepaper: Supplier Stability in Operational Resilience is based on responses from more than 100 senior operational resilience, vendor risk, and technology leaders across the global financial sector, including major US institutions.
A full copy of the whitepaper can be downloaded here.
Logo - https://mma.prnewswire.com/media/2794788/Escode_Logo.jpg
View original content to download multimedia:https://www.prnewswire.com/news-releases/escode-and-cefpro-report-finds-4-in-5-us-financial-institutions-lack-tested-vendor-exit-plans-leaving-supply-chains-exposed-302590155.html
SOURCE Escode