Mitigating cyber-risks in outsourcing: Contract strategies for compliance and protection

Finextra, 6 hours ago

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.
A clear and present danger
In recent years, several prominent UK businesses have faced significant technology and cybersecurity challenges and the consequences of data protection breaches.
For example, in October 2023, the Financial Conduct Authority (FCA) fined Equifax over £11 million for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime.
As reported by Finextra on 15 May, NatWest's head of cyber security revealed that the bank faces 100 million cyber-attacks every month.
The Equifax case brought into sharp focus the risks and vulnerabilities that can arise where a customer outsources the handling of sensitive data, and the serious regulatory consequences faced by UK firms if they fail to safeguard that information.
Rules are rules
Aside from principles of good business sense, obligations in relation to security and data protection are imposed on customers looking to outsource IT services to third parties via a range of regulatory and quasi-regulatory/industry measures.
Regulatory measures in the UK include the requirements in the UK GDPR relating to security and data processor contracts, as well as more financial services-specific rules such as the FCA Operational Resilience regime, the FCA and PRA rules on material outsourcing and use of cloud, and the incoming FCA rules on use of Critical Third Party suppliers.
Businesses operating in the EU (and by extension their relevant suppliers) must now also comply with the requirements of the EU Digital Operational Resilience Act (DORA) and its requirements in relation to critical IT services providers. Regulatory measures carry the added risk of sanctions and penalties from the relevant enforcement agencies if they are breached.
Non-regulatory, but nonetheless important, requirements which affect many financial services businesses include the Payment Card Industry Data Security Standard (PCI DSS), which imposes requirements on the security of card data, and the information security requirements of ISO 27001.
Get it in writing
The typical provisions which a customer can try to include into contracts to meet its regulatory obligations, and otherwise to guard against (or at least provide some form of recourse in the event of) cyber and data infringements, can be grouped into two main types: (1) contract standards; and (2) rights and remedies.
Contract standards
Set out the general standards to which a supplier must conduct its business and provide its service(s), for example in compliance with all laws and regulations, with professional skill and care, and in accordance with good industry practice.
Set out any specific requirements which the supplier must meet to address particular cyber and data concerns, for example:
  Detailed security provisions, including compliance with the customer's own information and systems security policies.
  Warranties of compliance with any information provided by the supplier pre-contract as part of the customer's due diligence process.
  Early warning requirements relating to suspected cyber incidents or data breaches.
  Specific clauses designed to meet the requirements of the UK GDPR, including: implementing sufficient technical and organisational measures to protect data against unauthorised access; notifying data breaches in good time; and controls on the export of data outside the UK/EEA.
  Compliance with specific industry standards, including PCI DSS and ISO 27001.
  Regular security testing and provision of the results to the customer. This can be a source of debate: a customer may want the right to conduct its own testing (including penetration tests), but suppliers can be reluctant to allow this, especially over systems shared by multiple customers, so a right to see the results of the supplier's own internal or third-party testing may be the best that can be achieved.
  An obligation to rectify any weaknesses detected by testing.
  Restrictions on the use of sub-contractors and/or AI systems without the customer's consent.
  A requirement to use at least 'industry-standard' cybersecurity measures such as firewalls, malware blockers etc.
Rights and remedies
Making sure that the supplier's liability for losses which might be suffered due to a cyber or data breach is not excluded out of hand, or caught by a general exclusion of 'indirect or consequential' liability.
Potentially no or separate/higher liability caps for issues such as breach of confidentiality, security, or data protection requirements. It is now not uncommon to have 'supercaps' for data liability (although suppliers may not accept uncapped liability given the potentially large data protection regulatory fines).
Indemnities for issues such as security or data breach
Audit rights for the customer (and also its regulators) - which would extend to the supplier's sub-contractors.
Express termination rights in the event of a cyber or data related breach.
A right to remove supplier personnel or sub-contractors or the service if there are any concerns.
Prevention is always better than the cure, and the only sure-fire way to avoid cyber and data issues is to make sure that, practically, the appropriate measures and behaviours are put in place by suppliers.
However, a well-drafted contract will make it clear what a supplier is required to do, meet any regulatory requirements for terms which must be included, and provide the customer with various rights and remedies (ideally to catch and avoid problems before they escalate). It will also give the customer a potential claim for damages for breach of contract, or indemnity rights, should the supplier fail to comply with the relevant terms and the customer suffer loss or liability as a result.