Legally binding contracts have always been a mainstay of the agreements through which firms acquire the software they need to run their businesses successfully. But new requirements governing how federally regulated financial institutions should disclose technology incidents – reaching far beyond cybersecurity issues – are likely to affect how parties negotiate and enforce these contracts.
“There’s always a contract involved in these third-party service contracts that deal with how data is stored, how personal information is processed, how incidents are responded to,” says Robert Tremblay, counsel at Blake, Cassels and Graydon LLP. And the list of what is covered is growing as companies increasingly use the cloud for storing and accessing information.
“What’s interesting now, however, is that these contracts now involve more elements of regulation and compliance,” says Tremblay. Purchasers of technology software must now deal with tightening rules and regulations, and fitting their compliance needs into their contract negotiations with third-party vendors has become an essential part of the process.
Imran Ahmad, a partner with Norton Rose Fulbright LLP, who heads the firm’s technology practice, says purchasers and suppliers of such technology in the financial sector, whether off-the-shelf or bespoke, have been most affected by tightening regulations. However, he adds that “there’s been a huge volume of tech contracting in all sectors,” a surge that was especially pronounced during the latter part of the pandemic.
Last summer, the Office of the Superintendent of Financial Institutions (OSFI) released the updated requirements affecting federally regulated financial institutions (FRFIs), namely banks, insurance companies, and credit unions. The 2021 cyber security incident reporting advisory, combined with OSFI’s updated cyber security self-assessment, tightens requirements.
While cybersecurity is still a significant focus, the new advisory also includes risks associated with technology failures, expanding the types of incidents that parties must report.
The advisory also changes the threshold and timing for reporting security incidents to OSFI. The prior advisory required parties to report incidents they assessed at “a high or critical severity level.” Under the updated advisory, FRFIs must report any technology or cyber security incident to OSFI with a reporting mandate of “within 24 hours, or sooner if possible.” That contrasts with the prior advisory to report an incident “as promptly as possible, but no later than 72 hours” after determining an incident is reportable.
The new advisory requires incident reporting even before the FRFI has full awareness of the incident or has had an opportunity to confirm or classify its severity level. It also contains a new potential sanction for FRFIs that don’t report incidents as expected. The advisory states: “Failure to report incidents ... may result in increased supervisory oversight including but not limited to enhanced monitoring activities, watch-listing or staging of the FRFI.”
Nathan Schissel, a partner in the technology practice at MLT Aikins in Regina, says what makes these new rules different is the obligation to report on incidents that “include the integrity or availability” of the systems, not just on those related to cyber security and personal information.
“I think the new rules come from OSFI wanting to understand issues that are potentially impacting the industry and taking steps to proactively prevent those kinds of incidents and improve the resiliency of those systems,” Schissel says. “At the end of the day, these financial institutions are providing services for customers and clients that are pretty critical – like payment systems – and they want to make sure the systems behind these services are robust.”
Joel Ramsey at Torys LLP agrees, saying, “I think it’s the regulator OSFI looking at just how reliant the industry is on technology provided by third parties – and [concluding] that reportable incidents can’t just be about cyber breaches.” They must also cover “major outages, or system problems that impact customers – things that affect the stability and integrity of our financial institutions.”
A good example, Ramsey says, is debit, credit, and other electronic payments systems going down, and their impact on financial institutions and their customers. “Most people don’t have a lot of cash in their pockets these days, and it can really have an impact, even though it may not necessarily be a cybersecurity or privacy breach.”
Almost all federally regulated financial institutions in Canada rely on third parties to provide them with outsourcing, software as a service (SaaS), payment processing, and cloud storage services. However, for software and service contracts, the FRFI that purchases these third-party systems is expected to contract for services commensurate with meeting the “reasonable” standards of OSFI and any other regulator. So contracts with these vendors may need to be updated to meet these new requirements.
Tremblay agrees, adding that vendors of such services want to make sure that they meet high industry standards and provide what their customers need, including regulatory compliance. At the same time, the new service levels required by regulations may require a different level of service and pricing reflected within the contract. He adds, “So you want to encourage an efficient negotiating process,” reflecting required service levels and costs.
The new, tighter time element in the OSFI rules – the 24 hours for reporting an incident – might mean the parties must negotiate new terms. This change could lead to additional costs for suppliers to meet those service standards, which they may have to pass on to the financial institution purchaser.
Says Schissel: “That increased level of transparency might come with some additional costs for the service provider, and from the service provider’s perspective, they may need to build that cost into their service, particularly when it comes to regulated compliance mandates.”
Ramsey thinks that one way to negotiate these contracts is to determine what levels of service and response parties need for distinct system aspects and then build in the service packages to reflect different situations.
One good thing about the Canadian regulatory environment, Ramsey says, is that it encourages a “risk-based approach to assessing and implementing guidelines” that accommodates different service levels.
Ahmad adds that many third-party vendors have multiple service-level packages ranging from basic to deluxe. “As a responsible organization purchasing these services, you must know your needs and negotiate the contract accordingly.”
The bottom line, says Schissel, is that contracts are no longer simply about a business arrangement and whether the agreement is legally binding.
“I think that for a long time, these contracts with third-party vendors were looked at through a business operations lens. However, now it is also about meeting regulatory compliance standards. It will require a bit of a shift in thinking for both customers and service providers when they’re working on their contracts.”
Customers must do their due diligence about what they need from a provider, says Schissel. However, it is also essential that service providers develop a clear and transparent process for helping the customer meet its regulatory requirements.
Beatrice Bozinovski, corporate legal counsel at Healthcare of Ontario Pension Plan (HOOPP), who also looks after governance issues, says that third-party technology customers need in-house counsel to be aware of regulatory changes such as the ones in the OSFI advisory. In-house counsel like her need to ask “the right questions” and work with outside counsel, such as Blakes, to ensure the highest possible compliance standards are reflected in service contracts and that the contracts include the necessary protections.
She adds that when they ask vendors about tight turnaround timelines, vendors will sometimes say, “Well, we can’t operationalize that.” But tighter rules, such as those in the OSFI advisory, “really change the game” in negotiating these provisions into contracts.
Tremblay at Blakes also suggests that advisories on regulatory compliance can provide a framework for evaluating potential new vendors. “It provides a good starting point for asking, ‘What about this?’ or ‘How does your software handle this situation?’ and making some determination on whether we want to trust this vendor with very sensitive information.”
He adds that firms might also want to engage outside counsel with expertise in these types of contracts because “we do it every day, and we’ve seen contracts go wrong, and what clients should be looking for.” That expertise is particularly valuable when implementing a new system.
“It’s important to make sure that you’ve covered yourself contractually and that parties have engaged in enough discussion to understand how that implementation is going to work, how it will come online, how data will migrate to the new system.”
For providers of these technology services to financial institutions, making sure they understand the new compliance expectations and have ready solutions could improve competitiveness. Schissel at MLT Aikins suggests that savvy vendors “are telling their clients up front that they are very aware of these requirements and have modelled them into our contract and business processes.”
As cybersecurity, privacy, and the overall robustness of technology and software systems become a focal point for regulators and regulated companies alike, Ahmad at Norton Rose says the language of the negotiated contracts becomes “much more granular.” Insurance may also play a more prominent role in cybersecurity issues. Customers are now frequently asking vendors whether they carry a certain level of coverage for those areas, and sometimes ask to be named on the insurance certificate.
Says Ahmad, “The purchaser may be looking at how a potential supplier can help it meet regulatory clients, but for the vendor, there is more risk analysis, and the desire to sell a service is weighed against the cost of servicing the contract and the profit potential.”
OSFI advisory for federally regulated financial institutions
Institutions must report incidents if they:
- have potential consequences for other FRFIs or the Canadian financial system;
- could have an impact on FRFI systems relating to financial market settlements, confirmations, or payments, or affect payment services;
- affect FRFI operations, infrastructure, data, or systems related but not limited to confidentiality, integrity, or availability of customer information;
- disrupt business systems or operations related to utility or data centre outages or loss or degradation of connectivity;
- have an operational impact on critical systems, infrastructure, or data;
- activate disaster recovery teams or plans, or if a disaster declaration has been made by a third-party vendor that affects the FRFI;
- have an impact on internal users and could affect external customers or business operations;
- cause a negative reputational impact (public or media disclosure).