RegTech cloud services agreements – assessing the real risks
Part 1 – Setting the scene, service levels and data
The conversation usually goes a little like this when you ask most cloud services providers to amend their terms…
“We’re a one to many provider, our pricing is based on having a single offering with a consistent approach to risk”
“We don’t control your data, the solution allows you to configure appropriate protections and you are responsible for back-ups”
“We don’t even know what sorts of data you use through the solution”
At this point, it’s time to do a practical risk assessment to work out which key issues you want to raise for negotiation, having regard to the factors which mitigate the risks associated with the agreement at a top level, such as:
- the size, reputation and longevity of the supplier;
- any existing relationship you have with the supplier (and the track-record of that relationship); and
- the strategic and dollar value of the deal to both you and the supplier.
Once that assessment is complete, the key risk areas usually include issues such as service commitments (including service levels), intellectual property licensing and ownership considerations (including any period of exclusivity), data privacy and data security, governing law, term and termination rights (including auto-renewal), and of course allocation of liability through warranties, indemnities, liability caps and exclusions.
In this Part 1 we consider the factors relevant to assessing the real risk in two areas that frequently arise with RegTech solutions: the commitment to service provision, and data security and privacy. The aim is to help you determine the criticality and priority of any contract amendments during negotiations.
| Area of concern | Assessing the real risk: consideration | Assessing the real risk: note |
| --- | --- | --- |
| Poor (or no) service description, service standards or service level commitments | Solution criticality? | What is the purpose of the solution? What is the impact if it’s not available? |
| | Market alternatives? | Are there real alternate solutions in market you could quickly/easily move to if dissatisfied? Is the supplier or the solution a key player in the relevant market? |
| | Contract flexibility? | Do you have the right to terminate for convenience at any time with a partial refund of any upfront fees? Are you committing to a minimum term, minimum spends or any kind of exclusivity? Will you require disengagement assistance? |
| Data security and privacy | Types of data involved? | What sorts of data will actually be uploaded to, or generated by, the solution, in terms of nature, sensitivity and volume? For example, personal information of customers, personal information about employees, confidential information about your business plans? What is the likelihood that serious harm would occur if data was compromised? |
| | Supplier location? | |
| | Supplier’s security posture? | What is the supplier’s approach to security? Are they compliant with industry standards such as ISO 27001 or PCI DSS? How much do they invest in security? What is their reputation for compliance with their stated security positions? |
| | Type of cloud solution? | Will you be using a public or private cloud solution? |
By considering the real risks of a reg tech solution for you and your business (including whether there are any practical mitigations) you can determine the criticality and priority of contract amendments. Knowing your key negotiation points can streamline the negotiation to matters that really affect you, and ultimately lead to a more satisfactory outcome.
Please get in touch with the Digital and IP team at McCullough Robertson if you have any questions or need any further information.
This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.