©2015 Sutherland Asbill & Brennan LLP www.sutherland.com
Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help in an Increasingly SaaS-ified World
July 30, 2015 | Sutherland Webinar
Michael Steinig | 202.383.0804 | [email protected]
Mary Jane Wilson-Bilik | 202.383.0660 | [email protected]
Robert J. Pile | 404.853.8487 | [email protected]
Agenda
• Presenters: Michael Steinig, Mary Jane Wilson-Bilik, Robert J. Pile
• Quick Overview on SaaS (and this presentation!)
• Managing SaaS Performance
• Data Custody and Access
• Security and Data Breach Risks
• Business Continuity Risks
• Vendor Oversight Requirements
Presenters
Michael Steinig, Partner
Michael Steinig advises clients in complex information technology and business process outsourcing transactions, software agreements, SaaS and other internet-related service agreements, and strategic procurements. He represents clients in their most critical strategic initiatives, ranging from global transactions by multinational corporations to the core business deals of early stage start-up companies. Michael advises on agreements that often deliver millions of dollars in savings, improved service capability and increased business agility for his clients.
Mary Jane Wilson-Bilik, Partner
For more than 20 years, Mary Jane Wilson-Bilik has helped her insurance company clients comply with the fast-changing requirements of state and federal regulators and successfully anticipate evolving consumer and regulatory demands in the digital economy. Over the past few years, Mary Jane has been particularly focused on the implications of SEC cybersecurity and privacy regulations on insurance companies. Her regulatory interest in company management of big data initiatives and oversight of vendors processing sensitive information has positioned her to be a thought leader in this space, working with many U.S. insurance companies on issues and challenges being faced.
Robert J. Pile, Partner
Bob Pile represents parties in joint ventures, partnering arrangements, acquisitions and restructurings. Bob has particular experience in the payments industry, having represented industry participants in numerous strategic alliances, joint ventures, sourcing arrangements, investments and acquisitions, including some of the largest strategic relationships and transactions in the payments industry. Bob also advises clients with respect to compliance matters, particularly with respect to the Durbin Amendment under the Dodd-Frank Act, federal and state regulations affecting providers of financial services, and payment network rules.
QUICK OVERVIEW ON SAAS
What is SaaS?
• What is Software as a Service (SaaS)?
  Definition
  - Distribution model where an application is hosted by a supplier and made available via a network connection, typically the Internet
  - Next generation of the "ASP" (Application Service Provider) model
  - Big part of the "Cloud" (both public and private)
  Key Characteristics
  - Replaces "on-premises software" or functions traditionally performed on a more manual basis
  - Typically purchased through a subscription model
  - Examples: Salesforce.com, Workday, Microsoft, Google
Pros and Cons
• Pros
  - More and better options: easier for suppliers to implement and distribute
  - Less costly to SaaS customers, both initial investment and ongoing
  - Highly scalable
  - No licensee "maintenance" obligations; automatic updates
  - Global access and easy sharing
  - Relatively easy to switch
• Cons
  - Lack of flexibility
  - Lack of transparency
  - Data risks
  - Business continuity risks
SaaS Environment (diagram): parties shown are the SaaS Customer, the SaaS Provider and the Hosting Provider; a second panel shows the data flow between the Consumer and the SaaS Provider.
MANAGING SAAS PERFORMANCE
Governance & Control - Risks
• Lack of Transparency
  - Does the SaaS customer know what is happening, where, and by what party?
  - How robust is the reporting, and is it tailored to the SaaS customer's experience?
  - How limited are the SaaS customer's audit rights, if any? Depends on many factors
• Flexibility
• Contracting
  - Is there room to negotiate terms and conditions?
Governance & Control – Mitigations
• Transparency & Flexibility
  - Diligence: treat it like an outsourcing initiative, rather than a software purchase
  - Audit rights: possible rights to audit; otherwise, certifications and audit reports (ISO, SOC 1, SOC 2)
  - Other reporting
  - Know the ecosystem where the data is, particularly "at rest"
• Contracting & Relationship Management
  - Pick your spots in contracting
  - Contract for relationship management
  - Go "off paper"
Service Levels - Risks
• Like the rest of the contract, there often is only limited ability to negotiate Service Levels
  - Standard offerings, subject to change by the supplier
  - Often very small credit amounts
  - Less assumption of SLA risk built into SaaS pricing models
• "Business" or "outcome" based SLAs are still difficult to achieve
• SLA measurements are often blended across the SaaS customer base
  - Does the measurement reflect a particular SaaS customer's experience?
Service Levels – Mitigations
• Published results
  - Market pressure is real
• Negotiation points
  - Higher credits (still limited, but greater)
  - Credits as non-exclusive remedies
  - Fine-tune the process around SLAs and credits (the vendor has more control here)
• Reporting
  - Including customized reports
• Termination rights
Interoperation - Risks
• More points of failure
• What happens when "bad" data runs through the system?
• Often a "highest" common denominator problem
  - A lower-priority function can bring down or contaminate a business-critical one
Interoperation – Mitigations
• Better and better with APIs and other tools
  - Particularly rich for the established SaaS providers
  - APIs for use by SaaS customers
  - Application exchanges
  - Whole companies build their offerings off of other key SaaS providers (ISVs)
• Key questions to consider: ownership, exclusivity, compatibility
DATA CUSTODY AND ACCESS
Data Custody and Access - Risks
• Key questions
  - What data are we talking about?
  - How critical is the data?
  - Is it replicated, and if so, where and how often?
  - Is the data being preserved?
  - Who owns the data?
• Access to data
  - Need a contractual right: during the term and upon termination (and after!); litigation holds
  - Need the technical ability: does security allow for it? How "multi-tenanted" is the environment?
Data Custody and Access - Mitigations
• Diligence, Diligence, Diligence
  - On yourself
  - On the supplier
• Contracting
  - Ensure it is clear what data is being referred to, and who owns the data going in and, as applicable, the data coming out
  - Supplier must ensure that it will be able to segregate the data and provide it to the SaaS customer in (easily) usable form
  - Right to require data preservation, in particular after the agreement ends
SECURITY AND DATA BREACH RISKS
Security - Risks
• Authentication and access control
  - How does the cloud vendor control access to systems and data?
  - What types of testing are done?
• Encryption
  - Does the data need to be encrypted? If so, which party is encrypting, and which party holds the keys?
• Security requirements
  - Hard to impose unique SaaS customer requirements
• Breach notification and incident response process
  - Among other things, need contract protections
• Cyberliability
  - Does the SaaS customer's insurance cover the SaaS environment?
  - Does the SaaS provider have adequate insurance?
Security - Mitigations
• Pre-contract and ongoing due diligence
  - Involve the information security team so one business unit does not circumvent the governance processes around cybersecurity risks
  - Ethical hacking
  - Limits on access to your data by vendor employees
• Contract terms
  - SLAs
  - Certifications: ISO 27001, SSAE 16/SOC 2
  - Data breach notification; cooperate with litigation/exams
  - Cyber insurance
  - Encryption
  - Limits on the use of subcontractors, and where they are located
BUSINESS CONTINUITY RISKS
Natural Disasters and Force Majeure - Risks
• How critical is the function performed by the SaaS product?
  - Consumer facing
  - Revenue generating
  - Business critical
• Is there a workaround?
• Is there a short- and medium-term replacement?
Natural Disasters and Force Majeure – Mitigations
• Disaster Recovery / Business Continuity
  - Diligence is critical: plans, facilities, testing
• Contract protections focusing on key areas
  - Recovery Point Objective (RPO)
  - Recovery Time Objective (RTO)
  - Functionality/SLAs in disaster mode, and if degradation is permissible, then for how long
  - Termination rights and penalties
Termination and Extraordinary Events - Risks
• Situations:
  - Termination or expiration of the Agreement
  - Bankruptcy / closing of operations
• Similar considerations as with the natural disaster scenario, but much more of a long-term problem
• Basic issue: how can the function continue or be replaced if the SaaS supplier disappears?
  - How does the SaaS customer get the data?
  - How can the service be replaced, and by whom?
  - How does it get transitioned?
  - How quickly/easily can that happen?
Termination and Extraordinary Events – Mitigations
• Data
  - Often the most important issue
  - Does the SaaS customer maintain a copy?
  - How portable is it?
  - Third-party offerings to replicate and validate data
• Transition assistance
  - Include relevant, strict contractual obligations for the supplier to provide the necessary assistance
• Right to convert to a traditional software license
  - Including through source code escrow
Termination and Extraordinary Events – Mitigations (cont.)
• Third-party offerings
  - Key issue: SaaS generally is more difficult to operate and maintain than traditional software
  - Third-party offerings currently in the marketplace: a new but quickly growing market
  - Services include: data replication, vendor validation, SaaS-tailored verification and documentation, temporary and more permanent backup solutions, third-party DR
  - Availability depends on several factors, including: the SaaS supplier must agree; the data must be segregable and portable; often easier if there is a third-party hosting provider
  - Varying degrees of cost and affordability
VENDOR OVERSIGHT REQUIREMENTS
Vendor Oversight Requirements
• Third-party oversight is a hot button for all regulators overseeing financial services: OCC, FFIEC, FDIC, state regulators, among others
• Supplier risk is a type of operational risk that has been ranked alongside credit risk as among the top safety and soundness concerns
• This increased regulatory focus on third-party risk has taken shape in pronouncements and regulatory activity related to third-party relationships
  - See, for example, OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance", issued October 30, 2013, and the FFIEC Information Technology Subcommittee statement on "Outsourced Cloud Computing", dated July 10, 2012.
Vendor Oversight Requirements (cont.)
• Fundamental charges
  - Diligence: in determining which functions are properly outsourced; in the selection of third parties with whom you do business; in assessing risk
  - Comprehensive written contracts: see OCC Bulletin 2013-29 for specific contract provisions
  - Follow-through: ongoing management and oversight of relationships and related risk, including independent reviews