
Mitigating cyber-risks in outsourcing: Contract strategies for compliance and protection
This content is contributed or sourced from third parties but has been subject to Finextra editorial review.
A clear and present danger
In recent years, several prominent UK businesses have faced significant technology and cybersecurity challenges and the consequences of data protection breaches.
For example, in October 2023, the Financial Conduct Authority (FCA) fined Equifax over £11 million for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime.
As reported by Finextra on 15 May, NatWest's head of cyber security has revealed that the bank faces 100 million cyber-attacks every month.
The Equifax case brought into sharp focus the risks and vulnerabilities which can arise where a customer outsources the handling of sensitive data, and the serious regulatory consequences faced by UK firms if they fail to ensure the safeguarding of sensitive information.
Rules are rules
Aside from principles of good business sense, obligations in relation to security and data protection are imposed on customers looking to outsource IT services to third parties via a range of regulatory and quasi-regulatory/industry measures.
Regulatory measures in the UK include the requirements in the UK GDPR relating to security and data processor contracts, as well as more financial services-specific rules such as the FCA Operational Resilience regime, the FCA and PRA rules on material outsourcing and use of cloud, and the incoming FCA rules on use of Critical Third Party suppliers.
Businesses operating in the EU (and by extension their relevant suppliers) must now also comply with the requirements of the EU Digital Operational Resilience Act (DORA) and its requirements in relation to critical IT services providers. Regulatory measures carry the added risk of sanctions and penalties from the relevant enforcement agencies if they are breached.
Non-regulatory, but nonetheless important, requirements which impact many financial services businesses include the Payment Card Industry Data Security Standard (PCI DSS), which imposes requirements on the security of card data, and the information security requirements of ISO 27001.
Get it in writing
The typical provisions which a customer can try to include into contracts to meet its regulatory obligations, and otherwise to guard against (or at least provide some form of recourse in the event of) cyber and data infringements, can be grouped into two main types: (1) contract standards; and (2) rights and remedies.
Contract standards
Set out the general standards to which a supplier must conduct its business and provide its service(s) - for example in compliance with all laws and regulations, with professional skill and care and in accordance with good industry practice.
Set out any specific requirements which the supplier must meet which are intended to address particular cyber and data concerns, for example:
Detailed security provisions, including compliance with the customer's own information and systems security policies.
Warranties of compliance with any information provided by the supplier pre-contract as part of the customer's due diligence process.
Early warning requirements related to suspected cyber incidents or data breaches.
Specific clauses designed to meet the requirements of the UK GDPR, including: to implement sufficient technical and organisational measures to protect data against unauthorised access, to notify data breaches in good time, and controls on the export of data outside the UK/EEA.
Compliance with specific industry standards including PCI DSS and ISO 27001.
Regular conduct of security testing and the provision of results to the customer. This can be a source of debate: a customer may want the right to conduct its own testing (including penetration tests), but suppliers can be reluctant to grant this, especially over systems used for multiple customers, so a right to see the results of the supplier's own internal or third-party testing may be the best that can be achieved.
An obligation to rectify any weaknesses detected by testing.
Restrictions on the use of sub-contractors and/or AI systems without the customer's consent.
A requirement to use at least 'industry-standard' cybersecurity measures such as firewalls, malware blockers etc.
Rights and remedies
Making sure that the supplier's liability for losses which might be suffered due to a cyber or data breach is not excluded out of hand, or caught by a general exclusion of 'indirect or consequential' liability.
Potentially no or separate/higher liability caps for issues such as breach of confidentiality, security, or data protection requirements. It is now not uncommon to have 'supercaps' for data liability (although suppliers may not accept uncapped liability given the potentially large data protection regulatory fines).
Indemnities for issues such as security or data breach.
Audit rights for the customer (and also its regulators), which would extend to the supplier's sub-contractors.
Definite termination rights in the event of a cyber- or data-related breach.
A right to remove supplier personnel or sub-contractors, or the service itself, if there are any concerns.
Prevention is always better than the cure, and the only sure-fire way to avoid cyber and data issues is to make sure that, practically, the appropriate measures and behaviours are put in place by suppliers.
However, a well-drafted contract will make it clear what a supplier is required to do, meet any regulatory requirements for terms which must be included, and provide the customer with various rights and remedies (ideally to catch and avoid problems before they escalate). It will also give the customer a potential claim for damages for breach of contract, or indemnity rights, should the supplier fail to comply with the relevant terms and the customer suffer loss or liability as a result.