A 2020 report from the Bank of England and a recent comment from the Bank for International Settlements point out that many financial institutions rely on common IT systems, cloud providers, data analytics, and other services provided by big global tech companies. These big tech interdependencies come with specific concentration risks that the industry and the regulator should address, but what can individual companies do to lower their own vulnerabilities?
Banks and anyone else who intends to place secure systems into the cloud must ensure that the agreements that they strike with suppliers provide for the required high levels of security and resilience across these systems.
This means that contracts should contain, at a minimum:
- Disaster recovery and business continuity terms that set out what will happen if a supplier’s systems are the victims of a cyber-attack or general failure
- Service levels setting out the required standards to be met by suppliers that match a customer’s regulatory requirements
- Obligations to ensure the highest levels of anti-virus and firewall monitoring
- Obligations to ensure information security and data protection requirements are fully met, both physically and logically
- Robust governance and reporting requirements so that customers remain aware of issues as they arise
- Suitable liability and insurance provisions to deal with any contract breaches; and
- Suitable termination and exit management provisions to deal with the transfer of service provision back to the customer or to a third-party provider.
This is the tip of the iceberg when it comes to ensuring that a customer’s sensitive and business-critical IT systems and data are protected; further considerations specific to a customer’s situation and requirements will always be required.