CONTRACTING FOR CLOUD
WHAT TO LOOK OUT FOR IN A CHANGING REGULATORY ENVIRONMENT

WALKER MORRIS

Financial services institutions, like many other businesses outside of the sector, continue to rely on cloud-based solutions to drive efficiencies, streamline processes and improve customer experience. This is despite lingering cybersecurity and data privacy concerns that are rooted in the resilience of such tools (and potential consequences if they were to fail).

The risk inherent in swathes of individuals’ data sitting on third-party, often overseas, databases undoubtedly remains at the forefront of regulators’ minds, both here in the UK and on the continent. Hot on the heels of the Digital Operational Resilience Act in the EU, further developments look to be on the horizon domestically, with lawmakers setting their sights on the ‘critical third parties’ (that supply cloud services to financial services firms) in particular.

And yet, adoption of cloud technologies remains almost a necessity in retaining efficiency of service. We’ll be keeping a close eye on this space over the next twelve months, but as the legal landscape continues to unfold, here are a few issues for financial services companies looking to move to cloud-based solutions to bear in mind:

DUE DILIGENCE IS KEY
Undertake detailed DD on data security, control and exit. Consider the nature of the data set and any specific form you may need it in on exit. When it comes to termination, it pays to agree that post-termination support will be provided (even if there is an agreed cost for it).

PICK THE RIGHT BATTLES IN THE CONTRACT NEGOTIATION
Though standard does not necessarily mean “fixed”, expectations need to be realistic when it comes to negotiation (services are largely standardised and, as such, providers need to maintain a consistent risk profile across their platform).

That being said, suppliers will countenance movement on termination rights for default, enhanced service credit regimes and increased caps for data breaches, especially where customers are paying for an “enhanced / premium” service package or for additional levels of support.

OBTAIN COMMITMENTS ON INFORMATION SECURITY STANDARDS
A key selling point for providers is the operational security their system offers; that being the case, ask for it to be warranted.

BE PROACTIVE AROUND BCDR
Test and document operational resilience plans, outlining the steps your business has taken to ensure security of the data that is being processed by the cloud provider, the alternative providers in the event of failure and the steps that would need to be taken on termination of the arrangement. Ensure that any providers have similar business continuity / disaster recovery plans in place and get contractual commitments that back them up where possible.
