Tech & Sourcing @ Morgan Lewis

Last week, we posted on the guidance issued by the US Department of Labor (DOL) for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on cybersecurity best practices. Last week’s post focused on the guidance provided for hiring a service provider. In this week’s post, we will highlight some the DOL’s cybersecurity program best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data.

The US Department of Labor (DOL) recently announced guidance for plan sponsors, plan fiduciaries, recordkeepers and plan participants on cybersecurity best practices. The guidance focuses on three areas: (1) tips for hiring a service provider; (2) cybersecurity program best practices; and (3) online security tips. In this post, we will focus on the DOL’s tips for plan sponsors and plan fiduciaries in selecting a service provider.

Customers engaging a software as a service (SaaS) vendor often end up using the vendor’s form agreement, which can range from being extremely vendor friendly to middle of the road. Regardless of where it falls on the spectrum, a SaaS vendor’s agreement will most likely contain one or more provisions giving the vendor rights to suspend the services being provided under the agreement. Some common suspension rights we have seen in vendor agreements include suspension rights relating to nonpayment, disruptive use of the services, and violation of law through use of the services.

In a recent Lawflash, our colleagues Ken Kulak and Ariel Braunstein reported that at the Leaders Summit on Climate, hosted by the Biden-Harris administration on April 22 and 23 in Washington, DC, President Joseph Biden set aggressive goals for reducing greenhouse gas emissions in the United States and set forth his aim to encourage the investment in and use of new green technology and to explore pollution reduction strategies.

The European Commission (the Commission) began to invite feedback on April 1 on its roadmap to strengthen the Code of Practice on Disinformation (the Code) via new guidance. The roadmap was released in response to perceived failings of the Code to date to tackle the spread of disinformation on online platforms.

The EU Commission recently released its proposal to legislate a European Union–wide artificial intelligence (AI) framework. The EU Commission’s intention is that the proposed regulation on AI will provide greater safety and fundamental rights protection, while also supporting innovation and enabling trust without preventing innovation.

Picking up where we left off on April 6, below are some additional key issues to consider and address when negotiating an application purchase agreement.

When negotiating a digital health collaboration agreement between a tech company and a life sciences company, whether for the development of artificial intelligence or other software, the provision of data hosting and analysis services, or a more complex collaboration, the parties should consider the following.

The UK Prudential Regulation Authority (PRA) published a policy statement (PS7/21) and a supervisory statement (SS2/21) on clarifying and modernizing regulatory expectations of outsourcing and third-party risk management on March 29. The expectations in PS7/21 and SS2/21 are relevant to banks, PRA-designated investment firms, insurers, and branches of overseas banks and insurers and apply not just to “outsourcing” but also non-outsourcing material or high-risk service arrangements. The expectations apply at a legal entity level rather than at a group level (save for expectations on intragroup arrangements).

We recently noted that the UK Financial Conduct Authority (FCA) published the outcome of a review into the factors that determine failure or success when implementing technology change in the financial services sector and discussed the importance of this review for firms seeking to improve the operational resiliency of their technology change management process.