Insight / Spotlight on RegTech Series 23 April 2021

RegTech cloud services agreements – assessing the real risks

Part 1 – Setting the scene, service levels and data

The conversation usually goes a little like this when you ask most cloud services providers to amend their terms…

“We’re a one to many provider, our pricing is based on having a single offering with a consistent approach to risk”

“We don’t control your data, the solution allows you to configure appropriate protections and you are responsible for back-ups”

“We don’t even know what sorts of data you use through the solution”

At this point, it’s time to do a practical risk assessment to work out which key issues you want to raise for negotiation, having regard to the factors which mitigate the risks associated with the agreement at a top level, such as:

  • the size, reputation and longevity of the supplier;
  • any existing relationship you have with the supplier (and the track-record of that relationship); and
  • the strategic and dollar value of the deal to both you and the supplier.

Once that assessment is complete, the key risk areas usually include issues such as service commitments (including service levels), intellectual property licensing and ownership considerations (including any period of exclusivity), data privacy and data security, governing law, term and termination rights (including auto-renewal), and of course allocation of liability through warranties, indemnities, liability caps and exclusions.

In this ‘Part 1’ we consider the factors relevant to assessing the real risk in two areas which frequently arise in the context of reg tech solutions: the commitment to service provision, and data security and privacy. The aim is to help you determine the criticality and priority of any contract amendments during negotiations.

Area of concern: Poor (or no) service description, service standards or service level commitments

Consideration: Solution criticality?

What is the purpose of the solution? For example, is it customer facing, does it generate revenue, assist with regulatory compliance, or drive efficiencies?

What is the impact if it is not available (either short, medium or long-term)? Are there manual workarounds, and what would implementing them cost?

Note:

  • If the reg tech solution assists you in meeting your compliance obligations (and there is no easy manual workaround), then it is likely that you will want greater clarity around exactly how the solution will help you meet those requirements, including uptime commitments, technical support during relevant operating hours, and a strong governance framework to address any issues.
  • If the solution isn’t business critical (e.g. it drives efficiency but you can satisfy your compliance obligations without it), then you may be willing to live with a service description or service level commitment which is lower than you would require for a business critical solution.

Consideration: Market alternatives?

Are there real alternative solutions in the market you could quickly or easily move to if dissatisfied?

Is the supplier or the solution a key player in the relevant market?

Note:

  • The fewer alternatives there are in the market, or the trickier it would be to transition to alternatives, the more important it is to get the service standards and levels right.
  • You might be willing to live with a poor service description if the supplier or the solution is a key player in the market. Equally, if you are comfortable with the current functionality of the solution, you may be able to get comfortable with a poor service description.

Consideration: Contract flexibility?

Do you have the right to terminate for convenience at any time with a partial refund of any upfront fees?

Are you committing to a minimum term, minimum spend or any kind of exclusivity?

Will you require disengagement assistance?

Note:

  • If you don’t have a right to terminate for convenience, or if you are agreeing to a minimum spend or exclusivity, it will be important to get the service standards and service levels right, and to include appropriate rights to terminate and/or suspend the minimum spend and exclusivity commitments if those requirements are not met.
  • Consider what assistance you might need on disengagement, and whether a formal plan should be agreed early on during the engagement so that exercising your termination rights is actually a practical option.

Area of concern: Data security and privacy

Consideration: Types of data involved?

What sorts of data will actually be uploaded to, or generated by, the solution, in terms of nature, sensitivity and volume? For example, personal information of customers, personal information about employees, or confidential information about your business plans?

What is the likelihood that serious harm would occur if the data was compromised?

Note:

  • The more sensitive the data, and the greater the volume of data that will pass through the solution, the more you will want to negotiate additional protections to mitigate the regulatory and reputational impacts of a data breach or compromise.
  • Also, consider whether you can reduce the risks by:
    • de-identifying or redacting the information so that it is no longer personal information or highly confidential information before uploading or transmitting it to or via the solution; or
    • if the data is not personal or confidential in nature, managing the risks around data security through regular backups.

Consideration: Supplier location?

Note:

  • If the supplier is also located within Australia, or is located offshore but will commit to hosting the solution from within Australia, the data risks reduce, given the supplier will likely also have obligations under the Privacy Act.
  • If the supplier or the solution is offshore, consider the equivalency of any privacy and data security regimes which operate in those countries (and any conflicting data-sovereignty issues, e.g. as a result of the US Patriot Act).
  • Data sovereignty issues are back in focus again after the recent Schrems II decision.

Consideration: Supplier’s security posture

What is the supplier’s approach to security? Are they compliant with industry standards such as ISO 27001 or PCI DSS?

How much do they invest in security?

What is their reputation for compliance with their stated security positions?

Note:

  • The more comfortable you can get from an operational perspective, the fewer amendments might need to be made to the agreement to reflect the actual level of data security.
  • For example, does the supplier already go through annual testing and certification of its data security arrangements consistent with industry standards? Do they share those certifications and annual testing reports?

Consideration: Type of cloud solution?

Will you be using a public or private cloud solution?

Note:

  • If the solution is available on a public or shared cloud instance, will your data be held so that it is logically separate, with specific security controls to ensure it cannot be accessed by other tenants of the solution?
  • If you are using a private cloud solution, you may have a greater ability to negotiate specific data requirements into the contract.

By considering the real risks of a reg tech solution for you and your business (including whether there are any practical mitigations) you can determine the criticality and priority of contract amendments. Knowing your key negotiation points can streamline the negotiation to matters that really affect you, and ultimately lead to a more satisfactory outcome.

Please get in touch with the Digital and IP team at McCullough Robertson if you have any questions or need any further information.

Thank you to Meena Muthuraman for her contribution to this article.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.

About the authors

  • Rebecca Lindhout

    Special Counsel
  • Matthew McMillan

    Partner
