What is "the Cloud"? That depends on whom you ask.
Answers currently run from Apple and its competitors offering
storage and music and file synchronization to customers who are
individuals, to very large vendors at a global scale servicing very
large enterprises as customers. This is a frontier in many ways,
and if you are going to embark on a Cloud transaction, you will be
well advised to ask many questions, some of which may seem basic.
While this article is focused on the laws in the United States, the
risk management suggestions highlighted here are applicable
anywhere on earth.
Fundamentally, moving to the Cloud is an outsourcing transaction,
i.e., a company engages a third party to perform a function that
the company would otherwise have performed for itself. Cloud
computing is a business model that enables organizations to achieve
potentially significant cost savings by sharing services, software
and platforms in a third party's data center, instead of
operating in the company's own data center.
Often Cloud providers will dazzle the prospective client with the
potential for very significant cost savings, which is very alluring
in this economic climate. The mode of operation used by some
important name brands in the Cloud space is to put a "standard
form contract" in a prospective client's hand accompanied
by a smile and a request that you "sign here." Don't
do it! Don't sign a standard form for something as important as
a data center, which is the heartbeat of your operation. Go
directly to your lawyer. This warning is especially relevant to
regulated financial services institutions. If you sign the standard
form and you are subject to any type of risk management
governance-related obligations, which is the duty of every Board of
Directors, you may not be able to demonstrate that the company has
adequately managed its risks. Risk management functions for
financial institutions after Dodd-Frank are especially highlighted.
For example, FINRA has a list of examination priorities for 2012,
and cybersecurity and outsourcing are on that list. It is unlikely
that the vendor's standard form, drafted for its purposes, will
provide the company with the control and assurances that it will
need when FINRA examiners arrive.
Not intending to alarm, but if a data center is being replaced by a
Cloud provider, it is a "bet the farm" transaction.
Remember: great deals begin with great due diligence. Conduct your
due diligence assiduously, and negotiate carefully, especially if
you are in the financial services industry.
What follows is focused on financial services companies, but many
issues of control over data and processes and the ability to have
continuity of business functions are applicable to any company
considering Cloud services.
In financial services, you must take account of the important
macro-regulatory compliance themes for U.S. financial services
companies, which include:
- Dodd-Frank Act and related Bank & Securities Financial Stability Outsourcing Regulations;
- Sarbanes-Oxley Section 404;
- Laws pertaining to Cybersecurity and Data Privacy; and
- Record Retention.
Here are a few starting points.
1. Performance First
Can the Cloud provider actually do the job that you need done?
Getting an answer will require a great deal of conversation with
the prospective vendor. Consequently, all discussions with a Cloud
provider should begin with a Non-Disclosure Agreement. Your company
will want to protect its proprietary information during the
conversation. In order to determine whether the Cloud provider can
actually provide what you need to run your business, you will
necessarily be sharing a lot of information. During the early days
of the conversation, your company will need to disclose to the
Cloud provider a fair amount of information about procedures and
processes and data that may be competitively sensitive.
Also during the initial stages, probe how quickly the Cloud
provider recovers services and data if there is a failure of the
technology for any reason. Almost perfect uptime for on-line
capabilities, and very well devised and operated data protection
are fundamentals in your own data centers, and they must be present
in the company's Cloud arrangement. A relationship with your
Cloud provider relies on trust – once they are hired,
they are not easily fired. Verify capabilities in advance, and
write a contract that allows you to continue to monitor and react
if things change during the contract's term. The company should
be comfortable with the Cloud provider they select and this aspect
of due diligence will go a long way to ensure that comfort.
Importantly, you should ensure that the Cloud provider understands
what it is getting into. Depending on the substance of the service
being provided – for example, support of a consumer
banking application – the Cloud provider needs to
understand that bank regulators may examine the Cloud provider as
if it is a regulated entity.
The post Dodd-Frank outsourcing regulations – effective
and proposed – are clear that when a company outsources a
function, the company is not off the hook for regulatory
compliance. Do a careful inventory of the regulations that pertain
to the service(s) that you propose to move to the Cloud, validate
that the Cloud provider can perform the functions and clearly
document your needs in the Cloud agreement. Be sure that you have
contractual and actual capabilities to audit and require corrective
actions and even terminate if necessary so that your company's
obligations to regulators can be satisfied, and the Company's
own internal operational risk management requirements are
met.
Cloud providers that understand the culture of regulatory
compliance will likely be a better fit for a financial services
company. Having a Cloud provider that is learning on the job
isn't a good idea.
2. Cybersecurity and Data Privacy
Two areas of very intense focus by financial services regulators
at present are cybersecurity and data privacy. When thinking about
these issues in the Cloud, the Company really does need to create
an inventory at the data element level to understand the kind,
character, and privacy/cybersecurity implications of the
information the Company will entrust to the Cloud provider. Is it
information that relates to a person that may be sensitive like
social security numbers, financial account identifiers and
balances, or employee health information? Identifying the location
of the servicer of the data (your Cloud provider may have locations
in multiple jurisdictions), where will it be housed, where in the
world it might be sent or reside? Do the involved jurisdictions
have laws and regulations that impact your business, or your
obligations to manage the data? For example, is personal
information coming from a country that has data protection
legislation/regulations that requires notification of the
individual as to how that information is being used? Do you or does
the Cloud provider have the necessary capability to make such
notifications? Which of you will absorb the costs in the event the
data is lost or stolen, if any? Is the information entrusted to the
Cloud proprietary or otherwise valuable intellectual property such
as trading algorithms or a database of corporate client
information? If so, evaluate the information according to its
criticality to your business – will the loss or
corruption or misappropriation of the information create an
operational or legal problem, or perhaps do reputational harm or
cause you direct economic loss or enable a competition?
After the company understands its own position, it can begin to
evaluate the security of the Cloud provider. Often a map or diagram
of the flow of information from the company to the Cloud provider
and back, or to and from other destinations, and can help you to
understand how and where the data moves, and what procedures,
processes and technologies are in place to keep the data safe and
protected at each step.
Bad actors in cyberspace are increasing both in number and
sophistication. The Company should ascertain that your Cloud
provider has a dedicated, highly competent Cybersecurity staff that
has high visibility and respect in its own organization. During
conversations find out whether the Company focuses on dealing with
the continuous evolution of "hacker" incursions into
on-line operations. Some additional things to look for in a Cloud
provider are background checks for employees, qualification and
standards for those employees, and a culture sensitive to security
issues. Important basic questions include: Is the company's
data encrypted during transmission? While it is in storage? Is
their employees' access to data restricted to people assigned
to your account? Do those people also work on your competitors'
accounts? Are there sub-Cloud providers? If so, have the Cloud
– sub-Cloud relationships and interactions been subject
to the same scrutiny as you are applying to your contract with the
Cloud provider? What is the Cloud provider's process for
removing data ("scrubbing" the disks and the memory) when
equipment is replaced or upgraded? What happens to your
company's data when the contract expires? Are transition
services back to the company or to another Cloud provider carefully
considered and documented? What provisions are in place in the
event that the contract with the Cloud provider is
terminated?
If your company is a public company, the Securities and Exchange
Commission, Division of Corporate Finance, CF Disclosure Guidance:
Topic 2 – Cybersecurity, October 13, 2011, requires your
company to disclose risks specifically associated with outsourcing
transactions. Will your contract with a Cloud provider support you
in documenting the existence of risks (and the approaches in place
to mitigate them)?
Cloud services agreements, like any other outsourcing arrangement,
need to fit into the company's overarching rubric for risk
management. The company needs to assure itself, and to be able to
assure its Board, its shareholders and its clients if called upon
to do so, that the Cloud provider is secure, safe, and well
managed, before contract execution. Furthermore, the company needs
to be in a position contractually to ensure that the Cloud provider
stays that way for the life of the contract. Think through what
your contingency plan will be if there is a degradation in the
service provided during the contract term, or there is a problem in
the region where the services are provided.
3. Disaster Recovery Capability
Here again, you should think about what you would expect from your own data center operators, and this will give you a base line to this important consideration when managing operational risks. Be sure you have reviewed and are satisfied with the Cloud provider's approach to disaster recovery.
4. Record Retention (and Retrieval)
Once you have begun to operate in the Cloud, your company is no
longer in direct command of its data. Record Retention and the
ability to preserve and retrieve records comprehensively and
quickly for company business, investigations, examinations and
litigation is important. Make sure that the company's contract
with the Cloud provider is consistent with the regulations and the
required procedures in the event of a litigation (e.g., can the
Cloud provider perform the steps necessary for a litigation hold on
the records or email in their custody?) Jurisdiction in the Cloud
is not necessarily intuitive. A useful step is to designate a
jurisdiction in your contracts.
Be careful that arrangements for Record Retention, which often
involve third parties, are modified to give you control of your
data during and after the contract.
5. Other Issues
While we have addressed many questions here. The list is
comprehensive, but not exhaustive. Your business will have its own
related considerations. Another area that will be of concern to
most companies pertains to tax issues depending on the location(s)
of the service provider and the company, and related factors
implicating permanent establishment or transfer pricing.
Moving to the Cloud, which sounds easy, is anything but easy from a
legal point of view. Nevertheless, the level of care suggested here
is needed. At the end of the day, the Company will want to actually
realize its anticipated savings, and not be unhappily surprised
months or years into the relationship
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.