
©2015 Sutherland Asbill & Brennan LLP www.sutherland.com

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

July 30, 2015

Sutherland Webinar

Michael Steinig | 202.383.0804 | [email protected]
Mary Jane Wilson-Bilik | 202.383.0660 | [email protected]
Robert J. Pile | 404.853.8487 | [email protected]

• Presenters
  – Michael Steinig
  – Mary Jane Wilson-Bilik
  – Robert J. Pile
• Quick Overview on SaaS (and this presentation!)
• Managing SaaS Performance
• Data Custody and Access
• Security and Data Breach Risks
• Business Continuity Risks
• Vendor Oversight Requirements

Presenters

Michael Steinig, Partner

Michael Steinig advises clients in complex information technology and business process outsourcing transactions, software agreements, SaaS and other internet-related service agreements, and strategic procurements. He represents clients in their most critical strategic initiatives, ranging from global transactions by multinational corporations to the core business deals of early stage start-up companies. Michael advises on agreements that often deliver millions of dollars in savings, improved service capability and increased business agility for his clients.

Mary Jane Wilson-Bilik, Partner

For more than 20 years, Mary Jane Wilson-Bilik has helped her insurance company clients comply with the fast-changing requirements of state and federal regulators and successfully anticipate evolving consumer and regulatory demands in the digital economy. Over the past few years, Mary Jane has been particularly focused on the implications of SEC cybersecurity and privacy regulations on insurance companies. Her regulatory interest in company management of big data initiatives and oversight of vendors processing sensitive information has positioned her to be a thought leader in this space, working with many U.S. insurance companies on issues and challenges being faced.

Robert J. Pile, Partner

Bob Pile represents parties in joint ventures, partnering arrangements, acquisitions and restructurings. Bob has particular experience in the payments industry, having represented industry participants in numerous strategic alliances, joint ventures, sourcing arrangements, investments and acquisitions, including some of the largest strategic relationships and transactions in the payments industry. Bob also advises clients with

QUICK OVERVIEW ON SAAS

What is SaaS

• What is Software as a Service (SaaS)?
  – Definition
    – Distribution model where the application is hosted by a supplier and made available via a network connection, typically the Internet
    – Next generation of the “ASP” model (Application Service Provider)
    – Big part of the “Cloud” (both public and private)
  – Key Characteristics
    – Replaces “on premises software” OR functions traditionally performed on a more manual basis
    – Typically purchased through a subscription model

Pros and Cons

• Pros
  – More and better options: easier for suppliers to implement and distribute
  – Less costly to SaaS customers – investment and ongoing
  – Highly scalable
  – No licensee “maintenance” obligations – automatic updates
  – Global access and easy sharing
  – Relatively easy to switch
• Cons
  – Lack of flexibility
  – Lack of transparency
  – Data risks

SaaS Environment

[Diagram: data flow among the SaaS Customer, SaaS Provider, Hosting Provider and Consumer]

MANAGING SAAS PERFORMANCE

Governance & Control – Risks

• Lack of Transparency
  – Does the SaaS customer know what is happening, where, and by what party?
  – How robust is the reporting, and is it tailored to the SaaS customer’s experience?
  – How limited are the SaaS customer’s audit rights, if any?
    – Depends on many factors
• Flexibility
• Contracting

Governance & Control – Mitigations

• Transparency & Flexibility
  – Diligence: treat it like an outsourcing initiative rather than a software purchase
  – Audit rights
    – Possible rights to audit
    – Otherwise, certifications and audit reports – ISO, SOC 1, SOC 2
  – Other reporting
  – Know the ecosystem where the data is, particularly “at rest”
• Contracting & Relationship Management
  – Pick your spots in contracting
  – Contract for relationship management
  – Go “off paper”

Service Levels – Risks

• Like the rest of the contract, there often is only limited ability to negotiate Service Levels
  – Standard offerings, subject to change by the supplier
  – Often very small credit amounts
  – Less assumption of SLA risk built into SaaS pricing models
• “Business” or “outcome” based SLAs are still difficult to achieve
• SLA measurements are often blended across the SaaS customer base
  – Does the measurement reflect a particular SaaS customer’s experience?

Service Levels – Mitigations

• Published results
  – Market pressure is real
• Negotiation Points
  – Higher credits
  – Credits as non-exclusive remedies
  – Still limited, but greater
  – Fine-tune the process around SLAs and credits
  – Vendor has more control
• Reporting
  – Including customized reports
• Termination Rights

Interoperation – Risks

• More points of failure
• What happens when ‘bad’ data runs through the system?
• Often a “highest” common denominator problem
  – A lower-priority function can bring down or contaminate a business-critical one

Interoperation – Mitigations

• Better and better with APIs and other tools
  – Particularly rich for the established SaaS providers
  – APIs for use by SaaS customers
  – Application exchanges
  – Whole companies build their offerings off of other key SaaS providers (ISVs)
  – Key questions to consider: ownership, exclusivity, compatibility

DATA CUSTODY AND ACCESS

Data Custody and Access – Risks

• Key questions
  – What data are we talking about?
  – How critical is the data?
  – Is it replicated, and if so, where and how often?
  – Is data being preserved?
  – Who owns the data?
• Access to data
  – Need contractual right
    – During the term and upon termination (and after!)
    – Litigation holds
  – Need technical ability
    – Does security allow for it?
    – How “multi-tenanted” is the environment?

Data Custody and Access – Mitigations

• Diligence, Diligence, Diligence
  – On yourself
  – On the supplier
• Contracting
  – Ensure it is clear what data is being referred to, and who owns the data going in and, as applicable, the data coming out
  – Supplier must ensure that it will be able to segregate the data and provide it to the SaaS customer in (easily) usable form
  – Right to require data preservation, in particular after the agreement ends

SECURITY AND DATA BREACH RISKS

Security – Risks

• Authentication and access control
  – How does the cloud vendor control access to systems and data? What types of testing are done?
• Encryption
  – Does the data need to be encrypted? If so, which party is encrypting?
• Security requirements
  – Hard to impose unique SaaS customer requirements
• Breach notification and incident response process
  – Among other things, need contract protections
• Cyberliability
  – Does the SaaS customer’s insurance cover the SaaS environment?

Security – Mitigations

• Pre-Contract and Ongoing Due Diligence
  – Involve the information security team so one business unit does not circumvent the governance processes around cybersecurity risks
  – Ethical hacking
  – Limits on access to your data by vendor employees
• Contract terms – SLAs
  – Certifications – ISO 27001, SSAE 16/SOC 2
  – Data breach notification – cooperate with litigation/exams
  – Cyber insurance
  – Encryption
  – Limits on use of subcontractors, and where they are located?

BUSINESS CONTINUITY RISKS

Natural Disasters and Force Majeure – Risks

• How critical is the function performed by the SaaS product?
  – Consumer facing
  – Revenue generating
  – Business critical
• Is there a workaround?
• Is there a short- and medium-term replacement?

Natural Disasters and Force Majeure – Mitigations

• Disaster Recovery / Business Continuity
  – Diligence is critical
  – Plans, Facilities, Testing
• Contract protections focusing on key areas
  – Recovery Point Objective (RPO)
  – Recovery Time Objective (RTO)
  – Functionality/SLAs in Disaster Mode
    – And if degradation is permissible, then for how long

Termination and Extraordinary Events – Risks

• Situations:
  – Termination or expiration of the Agreement
  – Bankruptcy / Closing of operations
• Similar considerations as with the natural disaster scenario
  – But much more of a long-term problem
• Basic issue: How can the function continue or be replaced if the SaaS supplier disappears?
  – How does the SaaS customer get the data?
  – How can the service be replaced, and by whom?
  – How does it get transitioned?
  – How quickly/easily can that happen?

Termination and Extraordinary Events – Mitigations

• Data
  – Often the most important issue
  – Does the SaaS customer maintain a copy?
  – How portable is it?
  – Third party offerings to replicate and validate data
    – More on this below
• Transition Assistance
  – Include relevant, strict contractual obligations for the supplier to provide necessary assistance
• Right to convert to a traditional software license
  – Including through source code escrow

Termination and Extraordinary Events – Mitigations (cont.)

• Third party offerings
  – Key issue: SaaS generally is more difficult to operate and maintain than traditional software
  – Third party offerings currently in the marketplace:
    – New but quickly growing market
    – Services include: data replication, vendor validation, SaaS-tailored verification and documentation, temporary and more permanent backup solutions, third party DR
  – Availability depends on several factors, including:
    – SaaS supplier must agree
    – Data must be segregable and portable
    – Often easier if there is a third party hosting provider
    – Varying degrees of cost and affordability

VENDOR OVERSIGHT REQUIREMENTS

Vendor Oversight Requirements

• Third-party oversight is a hot button for all regulators overseeing financial services – OCC, FFIEC, FDIC, State regulators, among others
• Supplier risk is a type of operational risk that has been ranked alongside credit risk as among the top safety and soundness concerns
• This increased regulatory focus on third-party risk has taken shape in pronouncements and regulatory activity related to third-party relationships
  – See, for example, OCC Bulletin 2013-29, “Third Party Relationships”, issued on October 30, 2013, and the FFIEC Information Technology Subcommittee statement on “Outsourced Cloud Computing” dated July 10, 2012.

• Fundamental Charges
  – Diligence
    – In determining which functions are properly outsourced
    – In selection of third parties with whom you do business
    – In assessing risk
  – Comprehensive Written Contracts
    – See OCC Bulletin 2013-29 for specific contract provisions
  – Follow-through
    – Ongoing management and oversight of relationships and related risk, including independent reviews
