As further guidance and regulations are proposed and begin to take shape with respect to relationships between banking organizations and third parties, including those in the fintech industry, our multidisciplinary teams here at Morgan Lewis are tracking each development. In July, shortly after the three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) released their proposed risk management guidance regarding third-party relationships, our banking and financial services team provided a general overview highlighting the key takeaways from the proposal. If you have any specific questions, please reach out to your Morgan Lewis team for assistance.
Tech & Sourcing @ Morgan Lewis
TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
Through legislation, Connecticut has incentivized businesses to conform to one or more industry-recognized cybersecurity frameworks. As we recently discussed, cybersecurity incidents and risks are taking center stage. Under Connecticut’s recently enacted Public Act No. 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Business (the Act), as further described below, a business that implements a qualifying cybersecurity program is shielded from punitive damages in connection with any data breach-related tort claim that is brought in, or under the laws of, Connecticut.
Contract Corner
With the recent onslaught of ransomware attacks, it’s time to revisit force majeure clauses (again). Earlier in the pandemic, we reviewed how COVID-19 could impact force majeure provisions. Since then, there has been a flurry of analyzing, renegotiating, and testing contractual language, as parties work through, or anticipate, pandemic-related difficulties. While contracting parties focus on striking a balance of when, and to what extent, a party’s performance will be excused due to pandemic-related circumstances, a different threat could follow a similar trajectory.
Contract Corner
Planning for major service disruptions and disasters, such as prolonged power failures, fires, flooding, and other extreme weather events, is an important element of strategic technology and service agreements.
As discussed in a post from last month, annual spending worldwide on cloud services continues to rise, with an expected increase up to $332 billion by the end of 2021, from $270 billion in 2020. While the private sector is marching forward with increased reliance on hosted services, US government organizations have followed suit by increasing spending on cloud-based solutions, allowing them to capitalize on the cost savings and innovation gained from SaaS offerings.
The European Cloud User Coalition (ECUC) published a paper (the Position Paper) on May 17 recommending, among other matters, the adoption of “model clauses” for the long-term compliant use of cloud technologies.
The European Securities and Markets Authority (ESMA) on May 10 published final guidelines on outsourcing to cloud service providers (ESMA Guidelines) to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements. Subject to a few clarifications, the ESMA Guidelines are broadly consistent with the draft guidelines.
Annual spending worldwide on cloud services is expected to increase by 23% in 2021, according to a recent article in The Wall Street Journal, which cites a forecast by IT research and consulting firm Gartner Inc. Since the beginning of the COVID-19 pandemic, businesses have shifted to cloud-based services to support remote work, but businesses are also using the shift in attitudes toward cloud services to move more complex IT needs to the cloud. The article reasons that the push to use cloud services may also be due to the hybrid workplace model that many businesses are adopting, where workers can work both in the office and from home. This model requires that remote workers have access to critical software and infrastructure.
The UK Prudential Regulation Authority (PRA) published a policy statement (PS7/21) and a supervisory statement (SS2/21) on clarifying and modernizing regulatory expectations of outsourcing and third-party risk management on March 29. The expectations in PS7/21 and SS2/21 are relevant to banks, PRA-designated investment firms, insurers, and branches of overseas banks and insurers and apply not just to “outsourcing” but also non-outsourcing material or high-risk service arrangements. The expectations apply at a legal entity level rather than at a group level (save for expectations on intragroup arrangements).
As we noted in our Outsourcing 2021 webinar last week, a lot has happened and changed in the 12 months since January 2020. There have been significant and unprecedented changes in the way our companies do business, the way we engage and interact with colleagues, and the way we interact with external parties, including how our companies and each of us leverage technology to market, process transactions, and otherwise communicate.