Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Transcription

1 Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig Mary Jane Wilson-Bilik Robert J. Pile

2 Agenda Presenters Michael Steinig Mary Jane Wilson-Bilik Robert J. Pile Quick Overview on SaaS (and this presentation!) Managing SaaS Performance Data Custody and Access Security and Data Breach Risks Business Continuity Risks Vendor Oversight Requirements 2

3 Presenters Michael Steinig, Partner Michael Steinig advises clients in complex information technology and business process outsourcing transactions, software agreements, SaaS and other internet-related service agreements, and strategic procurements. He represents clients in their most critical strategic initiatives, ranging from global transactions by multinational corporations to the core business deals of early stage start-up companies. Michael advises on agreements that often deliver millions of dollars in savings, improved service capability and increased business agility for his clients. Mary Jane Wilson-Bilik, Partner For more than 20 years, Mary Jane Wilson-Bilik has helped her insurance company clients comply with the fast-changing requirements of state and federal regulators and successfully anticipate evolving consumer and regulatory demands in the digital economy. Over the past few years, Mary Jane has been particularly focused on the implications of SEC cybersecurity and privacy regulations on insurance companies. Her regulatory interest in company management of big data initiatives and oversight of vendors processing sensitive information has positioned her to be a thought leader in this space, working with many U.S. insurance companies on issues and challenges being faced. 3 Robert J. Pile, Partner Bob Pile represents parties in joint ventures, partnering arrangements, acquisitions and restructurings. Bob has particular experience in the payments industry, having represented industry participants in numerous strategic alliances, joint ventures, sourcing arrangements, investments and acquisitions, including some of the largest strategic relationships and transactions in the payments industry. Bob also advises clients with respect to compliance matters, particularly with respect to the Durbin Amendment under the Dodd-Frank Act, federal and state regulations affecting providers of financial services, and payment network rules.

4 QUICK OVERVIEW ON SAAS 4

5 What is SaaS What is Software as a Service (SaaS)? Definition Distribution model where application is hosted by a supplier and made available via a network connection, typically Internet Next generation of ASP model (Application Service Provider) Big part of the Cloud (both public and private) Key Characteristics Replaces on premises software OR functions traditionally performed on more manual basis Typically purchased through a subscription model Examples: Salesforce.com, Workday, Microsoft, Google 5

6 Pros and Cons Pros Cons More and better options: easier for suppliers to implement and distribute Less costly to SaaS customers investment and ongoing Highly scalable No licensee maintenance obligations - automatic updates Global access and easy sharing Relatively easy to switch Lack of flexibility Lack of transparency Data risks Business continuity risks 6

7 SaaS Environment SaaS Provider SaaS Provider SaaS Customer Data Flow Hosting Provider Consumer 7

8 MANAGING SAAS PERFORMANCE 8

9 Governance & Control - Risks Lack of Transparency Does the SaaS customer know what is happening, where, and by what party? How robust is the reporting, and is it tailored to the SaaS customer s experience? How limited are the SaaS customer s audit rights, if any? Depends on many factors Flexibility Contracting Is there room to negotiate terms and conditions? 9

10 Governance & Control Mitigations Transparency & Flexibility Diligence: Treat like an outsourcing initiative, rather than a software purchase Audit rights Possible rights to audit Otherwise, certs and audit reports ISO, SOC1, SOC2 Other Reporting Know the eco-system where the data is, particularly at rest Contracting & Relationship Management Pick your spots in contracting Contract for relationship management Go off paper 10

11 Service Levels - Risks Like rest of contract, there often is only limited ability to negotiate Service Levels Standard offerings, subject to change by the supplier Often very small credit amounts Less assumption of SLA risk built into SaaS pricing models Business or outcome based SLAs are still difficult to achieve SLA measurements often blended across the SaaS customer base Does measurement reflect a particular SaaS customer s experience? 11

12 Service Levels Mitigations Published results Market pressure is real Negotiation Points Higher credits Credits as non-exclusive remedies Still limited but greater Fine tune the process around SLAs and credits Vendor has more control Reporting Including customized reports Termination Rights 12

13 Interoperation - Risks More points of failure What happens when bad data runs through the system? Often a highest common denominator problem A lower-priority function can bring down or contaminate a business critical one 13

14 Interoperation Mitigations Better and better with APIs and other tools Particularly rich for the established SaaS providers APIs for use by SaaS customers Application exchanges Whole companies build their offerings off of other key SaaS providers (ISVs) Key questions to consider: ownership, exclusivity, compatibility 14

15 DATA CUSTODY AND ACCESS 15

16 Data Custody and Access - Risks Key questions What data are we talking about? How critical is the data? Is it replicated, and if so, where and how often? Is data being preserved? Who owns the data? Access to data Need contractual right During term and upon termination (and after!) Litigation holds Need technical ability Does security allow for it? How multi-tenanted is the environment? 16

17 Data Custody and Access - Mitigations Diligence, Diligence, Diligence On yourself On the supplier Contracting Ensure it is clear what data is being referred to, and who owns the data going in, and, as applicable, the data coming out Supplier must ensure that it will be able to segregate the data, and provide it to SaaS customer in (easily) usable form Right to require data preservation, in particular after the agreement ends 17

18 SECURITY AND DATA BREACH RISKS 18

19 Security - Risks 19 Authentication and access control How does the cloud vendor control access to systems and data? What types of testing are done? Encryption Does the data need to be encrypted? If so, which party is encrypting? Security requirements Hard to impose unique SaaS customer requirements Breach notification and incident response process Among other things, need contract protections Cyberliability Does SaaS customer s insurance cover the SaaS environment? Does the SaaS provider have adequate insurance?

20 Security - Mitigations Pre-Contract and Ongoing Due Diligence Involve information security team so one business unit does not circumvent the governance processes around cybersecurity risks Ethical hacking Limits on access to your data by vendor employees Contract terms SLAs Certs ISO 27001, SSAE16/SOC 2 Data breach notification cooperate with litigation/exams Cyber insurance Encryption Limits on use of subcontractors and where located? 20

21 BUSINESS CONTINUITY RISKS 21

22 Natural Disasters and Force Majeure - Risks How critical is the function performed by the SaaS product? Consumer facing Revenue generating Business critical Is there a workaround? Is there a short- and medium- term replacement? 22

23 Natural Disasters and Force Majeure Mitigations Disaster Recovery / Business Continuity Diligence is critical Plans, Facilities, Testing Contract protections focusing on key areas Recovery Point Objective (RPO) Recovery Time Objective (RTO) Functionality/SLAs in Disaster Mode And if degradation permissible, then for how long Termination Rights and Penalties 23

24 Termination and Extraordinary Events - Risks Situations: Termination or expiration of the Agreement Bankruptcy / Closing of operations Similar considerations as with natural disaster scenario But much more of a long term problem Basic issue: How can the function continue or be replaced if the SaaS supplier disappears? How does the SaaS customer get the data? How can the service be replaced, and by whom? How does it get transitioned? How quickly/easily can that happen? 24

25 Termination and Extraordinary Events Mitigations Data Often most important issue Does SaaS customer maintain a copy? How portable is it? Third party offerings to replicate and validate data More on this below Transition Assistance Include relevant, strict contractual obligations for supplier to provide necessary assistance Right to convert to traditional software license Including through source code escrow 25

26 Termination and Extraordinary Events Mitigations (cont.) Third party offerings Key issue: SaaS generally is more difficult to operate and maintain than traditional software Third party offerings currently in the marketplace: New but quickly growing market Services include: data replication, vendor validation, SaaS-tailored verification and documentation, temporary and more permanent backup solutions, third party DR Availability depends on several factors, including: SaaS supplier must agree Data must be able to be segregable and portable Often easier if there is third party hosting provider Varying degrees of cost and affordability 26

27 VENDOR OVERSIGHT REQUIREMENTS 27

28 Vendor Oversight Requirements Third-party oversight is a hot button for all regulators overseeing financial services OCC, FFIEC, FDIC, State regulators, among others Supplier risk is a type of operational risk that has been ranked alongside credit risk as among the top safety and soundness concerns This increased regulatory focus on third-party risk has taken shape in pronouncements and regulatory activity related to third-party relationships See for example OCC Bulletin : Third Party Relationships, issued on October 30, 2013, and FFIEC Information Technology Subcommittee statement on Outsourced Cloud Computing dated July 10,

29 Vendor Oversight Requirements (cont.) Fundamental Charges Diligence In determining which functions are properly outsourced In selection of third parties with whom you do business In assessing risk Comprehensive Written Contracts See OCC Bulletin for specific contract provisions Follow-through Ongoing management and oversight of relationships and related risk, including independent reviews