
Global IT disruption sheds light on third-party risk management resilience considerations – Publications


LawFlash




23 August 2024

In the weeks following a faulty software update that brought multiple industries worldwide, including financial services, aviation, retail and emergency services, to a halt, remediation efforts continue as companies examine their supply chains to identify vulnerabilities and potential countermeasures for future disruptions. The incident was a stark warning about the importance of business resilience, including “operational resilience,” which extends to a company’s ability to detect and prevent disruptive events, not just how it responds to and recovers from them.

The concept of “resilience” is at the heart of cybersecurity service planning and delivery, and many regulators around the world have also adopted it to describe an organization’s ability to continue providing its services through a disruption of this kind.

In this LawFlash, we look at current trends and outlooks and how companies can enter into and manage third-party contracts in the future to improve their overall resilience position.

BACKGROUND

On July 19, 2024, an update to widely used security software, designed to protect customer systems by identifying and remediating advanced threats, caused the systems on which that software was installed to crash worldwide, presenting end users with a “Blue Screen of Death.”

On August 6, the software vendor published a root cause analysis that attributed the event to, among other things, a mismatch between the input parameter fields expected by the software and the input values supplied in the update content. The defect passed through several layers of build validation and testing, and several earlier deployments of the same kind of update had succeeded without incident. Another important factor was that the update was released to almost all customers at the same time rather than in stages.
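To make the two failure factors in that analysis concrete, the following is an added, hypothetical model (not the vendor’s code, and not a reconstruction of it) of the defect class described above: a positional interpreter that expects a fixed number of fields per record, update content in which one record is a field short, a content-only validator that does not notice, a schema-aware validator that does, and a staged rollout that halts at the first ring whose smoke test fails. The template name, the field count of 5, the ring names and the sample records are all constructed for illustration.

```python
"""Hypothetical model of a field-count mismatch in update content and the two
controls that catch it: schema-aware validation and a staged rollout gate.
Field counts, template and ring names are assumptions for the example."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TemplateType:
    """A content type as the consuming software understands it."""
    name: str
    expected_fields: int  # number of fields the interpreter reads per record


def interpret(template: TemplateType, record: List[str]) -> dict:
    """Positional read of one record, as an interpreter would do it.
    A record with too few fields raises IndexError here; in native code the
    equivalent access would read past the end of the record."""
    return {f"f{i}": record[i] for i in range(template.expected_fields)}


def validate_content_only(records: List[List[str]]) -> bool:
    """Weak check: records are non-empty and every field is a string.
    It never consults the consuming template, so a field-count mismatch
    passes unnoticed."""
    return all(bool(rec) and all(isinstance(v, str) for v in rec) for rec in records)


def validate_against_template(template: TemplateType,
                              records: List[List[str]]) -> List[str]:
    """Strict check: compare each record's field count with what the
    interpreter will actually read. Returns error strings (empty == valid)."""
    errors = []
    for idx, rec in enumerate(records):
        if len(rec) != template.expected_fields:
            errors.append(f"record {idx}: {len(rec)} fields, template "
                          f"{template.name} expects {template.expected_fields}")
    return errors


def staged_rollout(template: TemplateType, records: List[List[str]],
                   rings: List[str]) -> Tuple[List[str], Optional[str]]:
    """Release ring by ring. After each ring receives the update, run the
    interpreter over every record as a smoke test; stop unlocking further
    rings on the first failure. Returns (rings that received the update,
    error message or None)."""
    deployed: List[str] = []
    for ring in rings:
        deployed.append(ring)
        try:
            for rec in records:
                interpret(template, rec)
        except IndexError as exc:
            return deployed, f"{ring}: interpreter failed ({exc}); rollout halted"
    return deployed, None


# Constructed sample data (assumptions for the example).
TEMPLATE = TemplateType(name="example-type", expected_fields=5)
RINGS = ["canary", "internal", "early-adopters", "general"]
GOOD_UPDATE = [["a", "b", "c", "d", "e"], ["1", "2", "3", "4", "5"]]
BAD_UPDATE = [["a", "b", "c", "d", "e"], ["1", "2", "3", "4"]]  # second record one field short


if __name__ == "__main__":
    print("content-only validator accepts bad update:", validate_content_only(BAD_UPDATE))
    print("schema-aware validator errors:", validate_against_template(TEMPLATE, BAD_UPDATE))
    print("staged rollout of bad update:", staged_rollout(TEMPLATE, BAD_UPDATE, RINGS))
    print("staged rollout of good update:", staged_rollout(TEMPLATE, GOOD_UPDATE, RINGS))
```

The point of the model is that the content-only validator and the staged rollout are independent controls: the first has to know the consumer’s schema to be useful, and the second limits blast radius even when validation is wrong, which is why the simultaneous release to almost all customers mattered as much as the defect itself.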

After discovering the issue, the software vendor regularly released publicly available updates about the incident and its efforts to resolve it.

Notably, the outage was not caused by malware or a similar malicious attack.

THIRD PARTY RISK MANAGEMENT – RESILIENCE CONSIDERATIONS

Resilience has played an increasingly central role in third-party risk management and supply chain design in recent years. Geopolitics and the COVID-19 pandemic have had a guiding influence, highlighting challenges such as supplier or geographic concentration and changing work patterns. A survey found that 97% of organizations in the Americas have made changes to their cybersecurity policies to support remote working since the pandemic began.

Now more than ever, businesses know they need to prepare for ‘low probability, high impact’ events. From a third-party risk management perspective, it is therefore particularly important for businesses to have contractual terms with their suppliers (and, as this event has shown, with their suppliers’ sub-suppliers) that enable the business to achieve its own resilience objectives.

Push for more uniformity of conditions along the entire supply chain

Contract resilience requirements are largely built on long-standing contract provisions, such as disaster recovery and business continuity provisions and audit provisions that allow organizations to monitor their suppliers. A holistic view of resilience leads organizations to apply such terms consistently to all suppliers (e.g. broadly the same audit rights regardless of the type of service or delivery model, and consistent recovery periods), and many organizations appear to be implementing their third-party risk management controls in this way. At the same time, however, suppliers, particularly “as a service” and cloud providers, have sought to standardize their own delivery terms.

We find that this area is in constant flux as the supplier community recognizes the changes facing its customers. The key to reconciling the competing consistency objectives of customer and supplier lies in the contract’s change mechanisms, and we see sophisticated discussions taking place as changes are implemented.

Rigid approaches (on the part of customers and suppliers alike) can make it very difficult to agree on contract changes when they are needed, or even to conclude a contract at all. They can also cost the supplier its industry-wide view and deprive the customer of a proper understanding of how the solution will be integrated into its operations.

To meet the growing challenges of ensuring business stability, it is now more important than ever to understand a customer’s industry and how solutions and/or services will be integrated into their operations.

MAIN CONTRACTUAL PROVISIONS

As mentioned above, the most important contract terms are disaster recovery and business continuity provisions and audit provisions. The scope of audit rights is currently one of the most hotly negotiated areas, with challenges particularly arising when auditing multi-tenant environments.

Other contract areas critical to achieving resilience include the following:

  • Providing information and transparency. The overall resilience of an organization requires an understanding of the individual components of a service. Contractually, this places more emphasis on due diligence and issue notification. Visibility of the IT or other third-party services that form part of the overall service offering is critical for mapping dependencies and vulnerabilities. While specific knowledge of subcontracting arrangements may not have prevented the July 19 incident, it may have enabled organizations to respond more quickly and accurately. We must admittedly speculate regarding this specific incident, but the adage “better safe than sorry” applies as a general principle here.
  • Improved and coordinated incident response and resolution. Another trend is a focus on response and recovery provisions and, as mentioned above, greater uniformity across a company’s supply chain. Uniform recovery timelines and the development of recovery pathways and contingencies are now at the heart of technology contracts. Greater emphasis is also being placed on supplier coordination and collaboration to manage interdependencies.
  • Oversight and accountability. Contractual provisions increasingly need to ensure that third-party providers participate in the governance procedures the customer organization has established for oversight and accountability. We see this applying to both prevention and incident response, for example governance over key changes to a service such as the delivery of software updates.
  • Cooperation with regulatory authorities. Companies supervised by data protection authorities, as well as those in highly regulated industries, are increasingly receiving questions from their respective regulators about their management of third-party service provider risk and the impact of IT disruptions on data security or, in regulated industries, on the services provided to their customers. Some regulators may conduct inspections or audits of risk management frameworks and incident response. Any of these analyses are likely to require collaboration with third-party service providers.

RISK ALLOCATION

In addition to operational measures, risk allocation is a key aspect of contract considerations. An incident in which key IT systems fail can have a direct impact on customer service and result in real economic losses for the organizations affected.

Customers should consider which types of loss they would be able to recover (and to what extent) in light of liability caps and exclusions. Conversely, technology providers need to consider what types of loss they may be exposed to if a customer is unable to serve its own customers because of a technology failure (whether caused by the provider or by its subcontractors).

An incentive to move operations in-house?

Technology and outsourcing consultancies report a trend of companies bringing their IT and business process services back in-house. While such trends are never one-way, we are seeing a stronger push to create captives or “global capability centers” that effectively keep the services in-house (or mostly so) while companies try to take advantage of talent centers and wage arbitrage.

A key factor is the operational attractiveness of building a captive delivery center that a company can simply run through its own established resilience procedures, not just the increased automation opportunities (facilitated by AI). The supplier community is undoubtedly considering resilience when responding to customer demands.

Impact and influence of regulations on resilience

For affected companies, particularly in regulated industries, the disruptions have brought to the forefront issues around operational resilience that policymakers and regulators have also been addressing in recent years.

In financial services, the EU’s Digital Operational Resilience Act (DORA), which applies from January 2025, is the most comprehensive legislation focused on operational resilience and third-party IT services. Regulators in the United States are also increasingly focusing on operational resilience. For example, in a speech in March 2024, Acting Comptroller of the Currency Michael Hsu suggested that new rules to strengthen basic operational resilience for larger deposit-taking institutions could come into force by the end of 2024.

In addition to regulators, we are also seeing an increasing focus on resilience from industry associations across many sectors, including aviation, healthcare, life sciences and pharmaceuticals. These industry associations are in many cases taking their cues from regulatory developments in other sectors, and we believe the technology industry as a whole is (at different speeds and in different ways) shifting its focus to resilience.

As the dust settles from the latest and reportedly worst example of a global IT disruption, resilience considerations within third-party risk management and supply chain design will most likely remain front and center. Morgan Lewis lawyers stand ready to help companies navigate this evolving landscape.
