
Sutherland Webinar - Cloud Computing Risks in Financial ......maintain than traditional software...

Date post: 09-Sep-2020
Transcript
Page 1

©2015 Sutherland Asbill & Brennan LLP www.sutherland.com

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

July 30, 2015
Sutherland Webinar

Michael Steinig | 202.383.0804 | [email protected]
Mary Jane Wilson-Bilik | 202.383.0660 | [email protected]
Robert J. Pile | 404.853.8487 | [email protected]

Page 2

Agenda

• Presenters: Michael Steinig, Mary Jane Wilson-Bilik, Robert J. Pile
• Quick Overview on SaaS (and this presentation!)
• Managing SaaS Performance
• Data Custody and Access
• Security and Data Breach Risks
• Business Continuity Risks
• Vendor Oversight Requirements

Page 3

Presenters

Michael Steinig, Partner
Michael Steinig advises clients in complex information technology and business process outsourcing transactions, software agreements, SaaS and other internet-related service agreements, and strategic procurements. He represents clients in their most critical strategic initiatives, ranging from global transactions by multinational corporations to the core business deals of early stage start-up companies. Michael advises on agreements that often deliver millions of dollars in savings, improved service capability and increased business agility for his clients.

Mary Jane Wilson-Bilik, Partner
For more than 20 years, Mary Jane Wilson-Bilik has helped her insurance company clients comply with the fast-changing requirements of state and federal regulators and successfully anticipate evolving consumer and regulatory demands in the digital economy. Over the past few years, Mary Jane has been particularly focused on the implications of SEC cybersecurity and privacy regulations on insurance companies. Her regulatory interest in company management of big data initiatives and oversight of vendors processing sensitive information has positioned her to be a thought leader in this space, working with many U.S. insurance companies on issues and challenges being faced.

Robert J. Pile, Partner
Bob Pile represents parties in joint ventures, partnering arrangements, acquisitions and restructurings. Bob has particular experience in the payments industry, having represented industry participants in numerous strategic alliances, joint ventures, sourcing arrangements, investments and acquisitions, including some of the largest strategic relationships and transactions in the payments industry. Bob also advises clients with respect to compliance matters, particularly with respect to the Durbin Amendment under the Dodd-Frank Act, federal and state regulations affecting providers of financial services, and payment network rules.

Page 4

QUICK OVERVIEW ON SAAS

Page 5

What is SaaS?

• What is Software as a Service (SaaS)?
  • Definition
    • Distribution model where the application is hosted by a supplier and made available via a network connection, typically the Internet
    • Next generation of the “ASP” model (Application Service Provider)
    • Big part of the “Cloud” (both public and private)
  • Key Characteristics
    • Replaces “on premises software” OR functions traditionally performed on a more manual basis
    • Typically purchased through a subscription model
    • Examples: Salesforce.com, Workday, Microsoft, Google

Page 6

Pros and Cons

• Pros
  • More and better options: easier for suppliers to implement and distribute
  • Less costly to SaaS customers – investment and ongoing
  • Highly scalable
  • No licensee “maintenance” obligations - automatic updates
  • Global access and easy sharing
  • Relatively easy to switch
• Cons
  • Lack of flexibility
  • Lack of transparency
  • Data risks
  • Business continuity risks

Page 7

SaaS Environment

[Diagram: SaaS Customer, SaaS Provider, Hosting Provider; Data Flow between Consumer and SaaS Provider]

Page 8

MANAGING SAAS PERFORMANCE

Page 9

Governance & Control - Risks

• Lack of Transparency
  • Does the SaaS customer know what is happening, where, and by what party?
  • How robust is the reporting, and is it tailored to the SaaS customer’s experience?
  • How limited are the SaaS customer’s audit rights, if any? Depends on many factors
• Flexibility
• Contracting
  • Is there room to negotiate terms and conditions?

Page 10

Governance & Control – Mitigations

• Transparency & Flexibility
  • Diligence: Treat like an outsourcing initiative, rather than a software purchase
  • Audit rights
    • Possible rights to audit
    • Otherwise, certs and audit reports – ISO, SOC1, SOC2
  • Other Reporting
  • Know the eco-system where the data is, particularly “at rest”
• Contracting & Relationship Management
  • Pick your spots in contracting
  • Contract for relationship management
  • Go “off paper”

Page 11

Service Levels - Risks

• Like the rest of the contract, there often is only limited ability to negotiate Service Levels
  • Standard offerings, subject to change by the supplier
  • Often very small credit amounts
  • Less assumption of SLA risk built into SaaS pricing models
• “Business” or “outcome” based SLAs are still difficult to achieve
• SLA measurements often blended across the SaaS customer base
  • Does measurement reflect a particular SaaS customer’s experience?

Page 12

Service Levels – Mitigations

• Published results
  • Market pressure is real
• Negotiation Points
  • Higher credits
    • Still limited but greater
  • Credits as non-exclusive remedies
  • Fine tune the process around SLAs and credits
    • Vendor has more control
• Reporting
  • Including customized reports
• Termination Rights

Page 13

Interoperation - Risks

• More points of failure
• What happens when ‘bad’ data runs through the system?
• Often a “highest” common denominator problem
  • A lower-priority function can bring down or contaminate a business critical one

Page 14

Interoperation – Mitigations

• Better and better with APIs and other tools
  • Particularly rich for the established SaaS providers
  • APIs for use by SaaS customers
  • Application exchanges
  • Whole companies build their offerings off of other key SaaS providers (ISVs)
  • Key questions to consider: ownership, exclusivity, compatibility

Page 15

DATA CUSTODY AND ACCESS

Page 16

Data Custody and Access - Risks

• Key questions
  • What data are we talking about?
  • How critical is the data?
  • Is it replicated, and if so, where and how often?
  • Is data being preserved?
  • Who owns the data?
• Access to data
  • Need contractual right
    • During term and upon termination (and after!)
    • Litigation holds
  • Need technical ability
    • Does security allow for it?
    • How “multi-tenanted” is the environment?

Page 17

Data Custody and Access - Mitigations

• Diligence, Diligence, Diligence
  • On yourself
  • On the supplier
• Contracting
  • Ensure it is clear what data is being referred to, and who owns the data going in, and, as applicable, the data coming out
  • Supplier must ensure that it will be able to segregate the data, and provide it to the SaaS customer in (easily) usable form
  • Right to require data preservation, in particular after the agreement ends

Page 18

SECURITY AND DATA BREACH RISKS

Page 19

Security - Risks

• Authentication and access control
  • How does the cloud vendor control access to systems and data?
  • What types of testing are done?
• Encryption
  • Does the data need to be encrypted? If so, which party is encrypting?
• Security requirements
  • Hard to impose unique SaaS customer requirements
• Breach notification and incident response process
  • Among other things, need contract protections
• Cyberliability
  • Does the SaaS customer’s insurance cover the SaaS environment?
  • Does the SaaS provider have adequate insurance?

Page 20

Security - Mitigations

• Pre-Contract and Ongoing Due Diligence
  • Involve the information security team so one business unit does not circumvent the governance processes around cybersecurity risks
  • Ethical hacking
  • Limits on access to your data by vendor employees
• Contract terms
  • SLAs
  • Certs – ISO 27001, SSAE16/SOC 2
  • Data breach notification – cooperate with litigation/exams
  • Cyber insurance
  • Encryption
  • Limits on use of subcontractors and where located?

Page 21

BUSINESS CONTINUITY RISKS

Page 22

Natural Disasters and Force Majeure – Risks

• How critical is the function performed by the SaaS product?
  • Consumer facing
  • Revenue generating
  • Business critical
• Is there a workaround?
• Is there a short- and medium-term replacement?

Page 23

Natural Disasters and Force Majeure – Mitigations

• Disaster Recovery / Business Continuity
  • Diligence is critical
  • Plans, Facilities, Testing
• Contract protections focusing on key areas
  • Recovery Point Objective (RPO)
  • Recovery Time Objective (RTO)
  • Functionality/SLAs in Disaster Mode
    • And if degradation is permissible, then for how long
  • Termination Rights and Penalties

Page 24

Termination and Extraordinary Events – Risks

• Situations:
  • Termination or expiration of the Agreement
  • Bankruptcy / Closing of operations
• Similar considerations as with the natural disaster scenario
  • But much more of a long term problem
• Basic issue: How can the function continue or be replaced if the SaaS supplier disappears?
  • How does the SaaS customer get the data?
  • How can the service be replaced, and by whom?
  • How does it get transitioned?
  • How quickly/easily can that happen?

Page 25

Termination and Extraordinary Events – Mitigations

• Data
  • Often the most important issue
  • Does the SaaS customer maintain a copy?
  • How portable is it?
  • Third party offerings to replicate and validate data
    • More on this below
• Transition Assistance
  • Include relevant, strict contractual obligations for the supplier to provide necessary assistance
• Right to convert to a traditional software license
  • Including through source code escrow

Page 26

Termination and Extraordinary Events – Mitigations (cont.)

• Third party offerings
  • Key issue: SaaS generally is more difficult to operate and maintain than traditional software
  • Third party offerings currently in the marketplace:
    • New but quickly growing market
    • Services include: data replication, vendor validation, SaaS-tailored verification and documentation, temporary and more permanent backup solutions, third party DR
    • Availability depends on several factors, including:
      • SaaS supplier must agree
      • Data must be segregable and portable
      • Often easier if there is a third party hosting provider
    • Varying degrees of cost and affordability

Page 27

VENDOR OVERSIGHT REQUIREMENTS

Page 28

Vendor Oversight Requirements

• Third-party oversight is a hot button for all regulators overseeing financial services – OCC, FFIEC, FDIC, State regulators, among others
• Supplier risk is a type of operational risk that has been ranked alongside credit risk as among the top safety and soundness concerns
• This increased regulatory focus on third-party risk has taken shape in pronouncements and regulatory activity related to third-party relationships
  • See for example OCC Bulletin 2013-29: “Third Party Relationships”, issued on October 30, 2013, and the FFIEC Information Technology Subcommittee statement on “Outsourced Cloud Computing” dated July 10, 2012.

Page 29

Vendor Oversight Requirements (cont.)

• Fundamental Charges
  • Diligence
    • In determining which functions are properly outsourced
    • In selection of third parties with whom you do business
    • In assessing risk
  • Comprehensive Written Contracts
    • See OCC Bulletin 2013-29 for specific contract provisions
  • Follow-through
    • Ongoing management and oversight of relationships and related risk, including independent reviews