Tech & Sourcing @ Morgan Lewis

With the exponential growth of cyber threats, cloud computing and remote working, contract provisions regarding data security requirements have also expanded in size and frequency. It has become common practice to prepare schedules to detail (and limit) security requirements. Customers and vendors both have a vested interest in clearly identifying expectations and obligations for such requirements. In this week’s Contract Corner, we explore considerations when it comes to drafting security schedules.

Companies are transforming legacy systems, implementing automation and artificial intelligence tools, embedding digital capabilities into their products, shifting to cloud solutions and leveraging technology to better connect to their customers, personnel, and third parties, all at an unprecedented pace. The focus on businesses to get to market faster, reach a broader audience and provide real-time interaction has in turn put pressure on legal and sourcing documents to keep up. The complexity and volume of the numbers of projects (and contracts) can be daunting — especially for companies that have not yet elevated the importance of the technology law function within their organizations.

The Board of the International Organization of Securities Commissions (IOSCO) has published a set of revised outsourcing principles for regulated entities. IOSCO is an international policy forum for securities regulators and a global standard-setter for securities regulation whose membership regulates more than 95% of the world's securities markets.

During the last year, we have seen a significant shift to “as a service” models and cloud solutions, as well as heightened attention on outsourcing as a strategic business tool to enable scalability, improved service, and accelerated access to in-demand technology and resources. This increased reliance on vendor performance to enable business operations has underscored the importance of implementing a solid service level methodology in order to: establish performance metrics that align with the customer’s expectations and business requirements; measure, monitor, and report performance against the metrics; set out the remedies for service level defaults, including service level credits and termination rights; and agree to events that may excuse performance resulting in missed service levels.

The Chancery Lane Project, a UK-based nonprofit network of legal professionals, has published a “Net Zero Toolkit” to help organizations achieve net zero goals. The toolkit includes 100 “climate clauses” aligned with the 2015 Paris Agreement goals.

Over the last year, companies implemented new digital technology solutions at record levels, looking to implement emerging technologies, improve the user digital experience, leverage cloud solutions to store the massive amounts of data being generated, and test the waters on how to transact using digital assets. And we don’t see things slowing down.

In order to stay competitive, companies are investing in major technology transformations, including the modernization of foundational platforms and the implementation of new customer-facing digital channels, as well as shifting significant workloads from on-premises solutions to the cloud.

We recently highlighted the Morgan Lewis financial services team’s overview of proposed guidance released by the three federal banking agencies with respect to third-party relationships within the fintech industry. The federal banking agencies, though, are not alone when it comes to guidance on third-party vendors.

As further guidance and regulations are proposed and begin to take shape with respect to relationships between banking organizations and third parties, including those in the fintech industry, our multidisciplinary teams here at Morgan Lewis are tracking each development. In July, shortly after the three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) released their proposed risk management guidance regarding third-party relationships, our banking and financial services team provided a general overview highlighting the key takeaways from the proposal. If you have any specific questions, please reach out to your Morgan Lewis team for assistance.

As a reminder, China’s new Data Security Law (DSL), which entails more expansive and restrictive requirements on data localization, mandatory security level certification, and severe penalties for unauthorized foreign transfer of data, will come into effect on September 1, 2021. The DSL will potentially affect all business operators in China, including multinational corporations. Our privacy and cybersecurity team recently published a more detailed analysis of the DSL. If you have any specific questions, don’t hesitate to reach out to your Morgan Lewis contact for assistance.

Read the full LawFlash >>