A clear and present danger
In recent years, several prominent UK businesses have faced significant technology and cybersecurity challenges and the consequences of data protection breaches.
For example, in October 2023, the Financial Conduct Authority (FCA) fined Equifax over £11 million for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime.
That incident brought into sharp focus the risks and vulnerabilities which can arise where a customer outsources the handling of sensitive data, and the serious regulatory consequences faced by UK firms if they fail to ensure the safeguarding of sensitive information.
As reported by Finextra on 15 May, NatWest’s head of cyber security has revealed that the Bank faces 100 million cyber-attacks every month.
Rules are rules
Aside from principles of good business sense, obligations in relation to security and data protection are imposed on customers looking to outsource IT services to third parties via a range of regulatory and quasi-regulatory/industry measures.
Regulatory measures in the UK include the requirements in the UK GDPR relating to security and data processor contracts, as well as more financial services-specific rules such as the FCA Operational Resilience regime, the FCA and PRA rules on material outsourcing and use of cloud, and the incoming FCA rules on use of Critical Third Party suppliers.
Businesses operating in the EU (and by extension their relevant suppliers) must now also comply with the requirements of the EU Digital Operational Resilience Act (DORA) and its requirements in relation to critical IT services providers. Regulatory measures carry the added risk of sanctions and penalties from the relevant enforcement agencies if they are breached.
Non-regulatory, but nonetheless important, requirements which impact many financial services businesses include the Payment Card Industry Data Security Standard (PCI DSS), which imposes requirements on the security of card data, and the information security requirements of ISO27001.
Get it in writing
The typical provisions which a customer can try to include in contracts to meet its regulatory obligations, and otherwise to guard against (or at least provide some form of recourse in the event of) cyber and data infringements, can be grouped into two main types: (1) contract standards; and (2) rights and remedies.
- Contract standards
  - Set out the general standards to which a supplier must conduct its business and provide its service(s) - for example, in compliance with all laws and regulations, with professional skill and care, and in accordance with good industry practice.
  - Set out any specific requirements which the supplier must meet which are intended to address particular cyber and data concerns, for example:
    - Detailed security provisions, including compliance with the customer’s own information and systems security policies.
    - Warranties of compliance with any information provided by the supplier pre-contract as part of the customer’s due diligence process.
    - Early warning requirements related to suspected cyber incidents or data breaches.
    - Specific clauses designed to meet the requirements of the UK GDPR, including: to exercise sufficient technical and organisational measures to protect data against unauthorised access, to notify data breaches in good time, and controls on the export of data outside of the UK/EEA.
    - Compliance with specific industry standards including PCI DSS and ISO27001.
    - Regular conduct of security testing and the provision of results to the customer (this can be a source of debate - a customer may want the right to conduct its own testing (including penetration tests) but suppliers can be reluctant to give this, especially over systems used for multiple customers, and so a right to see the results of the supplier’s own internal or third-party testing may be the best which can be achieved).
    - An obligation to rectify any detected weaknesses after testing.
    - Restrictions against use of sub-contractors and/or AI systems without the customer’s consent.
    - Requirement to use at least “industry-standard” cybersecurity measures such as firewalls, malware blockers etc.
- Rights and remedies
  - Making sure that the supplier’s liability for losses which might be suffered due to a cyber or data breach is not excluded out of hand, or caught by a general exclusion of “indirect or consequential” liability.
  - Potentially no or separate/higher liability caps for issues such as breach of confidentiality, security, or data protection requirements. It is now not uncommon to have “supercaps” for data liability (although suppliers may not accept uncapped liability given the potentially large data protection regulatory fines).
  - Indemnities for issues such as security or data breach.
  - Audit rights for the customer (and also its regulators), which would extend to the supplier’s sub-contractors.
  - Definite termination rights in the event of a cyber or data related breach.
  - A right to remove supplier personnel or sub-contractors or the service if there are any concerns.
Prevention is always better than the cure, and the only sure-fire way to avoid cyber and data issues is to make sure that, practically, the appropriate measures and behaviours are put in place by suppliers.
However, a well-drafted contract will make it clear what a supplier is required to do, meet any regulatory requirements for terms which must be included, provide the customer with various rights and remedies (ideally to try and catch and avoid problems before they escalate), and otherwise provide the customer with a potential claim for damages for breach of contract, or indemnity rights, should the supplier fail to comply with the relevant terms and the customer suffer loss or liability as a result.