At the end of 2019, the UK Prudential Regulation Authority (PRA) released its consultation paper setting out its proposals on a regulatory framework to modernise outsourcing and third-party risk management. The original deadline for responding to the proposals was 3 April 2020, but this has now been extended to 1 October 2020. The extension was announced as part of the Bank of England’s and the PRA’s measures to respond to the economic shock caused by COVID-19.

Background

In response to the growing dependency on third-party technology solutions (e.g. cloud outsourcing), the PRA wants to highlight the new risks associated with such an increasingly complex and constantly evolving area. As firms find themselves increasingly dependent on such services, any major disruption or outage could result in adverse consequences for financial stability. The consultation seeks to modernise the PRA’s expectations and sets out how firms should comply with existing requirements on such risks.


R. Raphael & Sons plc (Raphaels) has received fines totalling £1,887,252 from the FCA and PRA for repeated failings in relation to inadequate systems and controls supporting the oversight and governance of its outsourcing arrangements.

Raphaels outsourced certain functions that supported payment services for its prepaid and charge card programmes in the UK

An international cybersecurity advisory panel formed by the Monetary Authority of Singapore (MAS) has recommended that all financial institutions in Singapore ensure that data stored on the public cloud is kept secure, and that they perform cybersecurity risk assessments on their third-party providers.

These proposals were raised at the panel’s second annual meeting, after its members had met with representatives from the Standing Committee on Cyber Security from the Association of Banks in Singapore, Life Insurance Association Singapore and General Insurance Association of Singapore.

The panel also noted that there had been an increase in use by financial institutions of application programming interfaces (APIs) to build software and applications. As use of such APIs could pose a greater risk of cyber threats, the panel suggested specific ways in which the institutions should combat such risk; for instance:

  • conducting “red-teaming” cyberattack simulations
  • securing network connections with any third-party providers
  • monitoring for any suspicious cyber activity.



Your business may license many different types of software and technology in the ordinary course. These licenses range from software installed on your internal network to use-rights in software-as-a-service (SaaS) models, where the programs reside on the vendor’s host systems and are accessed via the Internet (or in some other manner).

In each case, you are granted use-rights that define how the licensed materials can be used (for example, there may be a limit on the type of business for which the materials can be used), where they can be used (i.e., a territory or facility restriction), and who can use them.

Ensuring that the technology can be used by the appropriate people is one of the most overlooked items in a technology license.

Many organizations in different markets and industries are outsourcing parts (or all) of their IT functions (including support, development, help desk, data storage and others). Why are they outsourcing? What are the potential benefits of outsourcing?

  1. Helps the company bottom line – saves money. Many companies find lots of savings in outsourcing. The savings may be from better efficiencies pursuant to economies of scale, lower labor costs and other factors.
  2. Improved security. Strong security (for example, around the protection of consumer or health data) is the lifeblood of an outsourcing vendor’s business – and often, this level of security is higher than a customer could realistically achieve when keeping the functions in-house.

In December 2012, the Spanish Data Protection Authority (SPDA) published a new set of Model Clauses prepared purely for use by service providers that subcontract to companies located in countries outside the EEA.

These new Model Clauses (based on the 2010 controller-to-processor clauses) will allow for an international transfer of personal data between a data